Slashdot Mirror


Trojan Analysis Leads To Russian Data Hoard

Stolen Identity writes "An attack by a single Trojan variant compromises thousands, circumvents SSL, and uploads the results to a Russian dropzone server. A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy."

103 comments

  1. that made me laugh by Anonymous Coward · · Score: 1, Interesting

    how's that for having your tables turned on you ?

    In soviet Russia you invade the trojans :)

    Pixie Rank ? WTF ??

    1. Re:that made me laugh by BlueTrin · · Score: 1

      > A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy

      Am I the only one to notice that the only difference is that the word malware could be replaced with corrupted and underground by modern?

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    2. Re:that made me laugh by Anonymous Coward · · Score: 0

      > A unique blow-by-blow analysis reveals evidence of cooperation between groups of malware specialists acting as service providers and points to the future of malware's growing underground economy
      > Am I the only one to notice that the only difference is that the word malware could be replaced with corrupted and underground by modern?

      A unique blow-by-blow analysis reveals evidence of cooperation between groups of corrupted specialists acting as service providers and points to the future of corrupted's growing modern economy?

      You can do that, but it doesn't make much sense to me. Who is this 'corrupted' & why do they have a growing modern economy?
    3. Re:that made me laugh by Anonymous Coward · · Score: 0

      especially since if the 'discoverers' had been blackhat as well, they would have had all the data without any of the associated risk!

      It's the digital equivalent of robbing the bank robbers after the heist.

    4. Re:that made me laugh by CmdrGravy · · Score: 1

      The correct term for someone who does this is Standover Man. See "Chopper" Reid for more information on this subject.

    5. Re:that made me laugh by Dr.+Cody · · Score: 1

      When you analize your Trojan, be sure to use plenty of lube.

  2. What About Firefox Users? by eldavojohn · · Score: 5, Interesting
    From the article,
    • Steals SSL data using advanced Winsock2 functionality
    • State-of-the-art, modularized trojan code
    • Spread through IE browser exploits
    • etc ...
    When I read the Slashdot summary, I was initially concerned that I may be at risk. But then I noticed the above three lines and realized there was no risk since I don't use IE.

    But, in the end, if this is an exploit utilizing the very basic network DLL that windows provides for socket connections (Winsock2--which is what I assume all network applications eventually link against in Windows) then why aren't other browsers at risk?

    I know Firefox is awesome & more secure & all that jazz but I haven't done enough network programming to know the nitty gritty details of it. Does anyone know why, if this trojan is exploiting the basic socket connection library that the Windows API provides, all browsers aren't potential victims?

    I mean, it makes sense to introduce some sort of security that never ever lets anything but the browser's code access the interfaces to these libraries ... is IE really that flawed?
    --
    My work here is dung.
    1. Re:What About Firefox Users? by BlueTrin · · Score: 5, Funny

      is IE really that flawed?

      +2 funny

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    2. Re:What About Firefox Users? by Anonymous Coward · · Score: 0

      Based on past behavior, I wouldn't be surprised if Microsoft were using a different socket connection for their own apps.

    3. Re:What About Firefox Users? by Samdroid · · Score: 1

      > The page included in this last IFRAME contained JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server.

      I assume it's because it uses ActiveX to download and run the EXE.
    4. Re:What About Firefox Users? by Aladrin · · Score: 4, Informative

      You stopped reading too early. Later in TFA, it shows a screencap of the website that has badly translated text that basically says 'Snatch 2 - will work on firefox'. In other words, you're not affected... yet.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    5. Re:What About Firefox Users? by Billosaur · · Score: 2, Informative

      Well, it uses an IE browser exploit to get in, so if you don't use IE, you're at low risk. But far be it from anyone to think that these crooks won't find a way to deliver the Trojan in another manner if their IE route dries up. Everyone will have to remain vigilant, because if it gets on your system, it can theoretically corrupt any browser.

      --
      GetOuttaMySpace - The Anti-Social Network
    6. Re:What About Firefox Users? by Cyberax · · Score: 4, Informative

      No, IE uses a layer called WinInet to access the Internet (http://msdn2.microsoft.com/en-us/library/aa385483.aspx). It automatically provides SSL/TLS connectivity to IE.

      Firefox uses basic sockets and encrypts data using a standalone SSL library.

    7. Re:What About Firefox Users? by Some+Kind+Of+Record · · Score: 0
      A fascinating read. Reminded me of a real-life version of a few stories covered in the "How to Steal The Network" series.

      I'm kind of sad, though. Reading this makes me feel like a complete idiot and noob.

      --
      Are you geeky enough to attend your local BarCamp??
    8. Re:What About Firefox Users? by ShrapnelFace · · Score: 1

      So does this mean the Easter Bunny won't be coming to my house this year for the egg hunt?

    9. Re:What About Firefox Users? by Anonymous Coward · · Score: 0

      If you would have read the entire article, which was very long but interesting, you would have gleaned that while this particular exploit was for IE only, that the Russian 76service team had exploits for Firefox as well....

    10. Re:What About Firefox Users? by TheNicestGuy · · Score: 3, Interesting

      Monster of an article, so I don't blame anyone for not catching the details on this. What it boils down to is that IE exploits are the main propagation vector of Gozi, but its actual performance of nastiness does not necessarily rely on IE. Once it's installed and running, it will intercept and leak to its "mothership" any and all HTTP POSTs that go through WinSock2, no matter what browser they come from, because it manages to register itself as a "Layered Service Provider" sitting between the browser and the socket. Unfortunately, I do not know which browsers make use of WinSock2 and its LSP functionality, and which don't. It would have been nice to mention that in the article as an aside.

      Another way IE is specifically involved is that Gozi does some extra sniffing inside IE's JavaScript engine to get data that's being sent AJAX-style rather than through normal POSTs.

    11. Re:What About Firefox Users? by HomelessInLaJolla · · Score: 1

      > The page included in this last IFRAME contained JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server.

      Any browser with similar JS, XMLHTTP, and ADODB capability is susceptible as an infection vector. The system put in place by the EXE relies on common OS infrastructure.

      > The code reveals that calls to functions in ws2_32.dll are used to establish itself as an LSP (layered service provider) using the Winsock2 SPI (Service Provider Interface). It "goes in between" Internet Explorer and the socket used to send the data.

      Do other browsers qualify for this? I see no objection.

      > This technique captures the data sent by Internet Explorer only. Many new authentication systems use AJAX, where JavaScript objects are used to create another HTTP session, send requests, and receive responses. This is implemented in code elsewhere, where the SSL sniffer component cannot see it. To capture this valuable data, Gozi includes a "grabs" module that hooks into the JavaScript engine...That page uses XMLHTTP to send form field data via an SSL-protected connection to the bank's authentication without having to refresh the page. The IE sniffer cannot see that, but the JavaScript sniffer can.

      Okay, there's the exception. If you use IE then your data is nabbed. If your bank uses AJAX then your data is nabbed.

      Note that because this trojan includes the capability to download and execute arbitrary code from untrusted sources, a complete rebuild of the infected PC is the only absolute way to ensure 100% confidence and trust in data and system integrity. Unless it hides itself in auxiliary BIOSs as well.
      --
      the NPG electrode was replaced with carbon blac
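    The two comments above explain the mechanism the article found: the trojan registers itself through the Winsock2 SPI as a Layered Service Provider, so it sits between the application and the socket and sees form data before any SSL library encrypts it. An LSP has to be registered in the Winsock catalog, which is something a responder can inspect. The following is an added example, not code from the article or from any commenter: it parses the text that `netsh winsock show catalog` prints and flags layered entries whose provider DLL is not a known Microsoft provider living under `system32`. The field layout is assumed to match the English output of that command on XP/Vista-era Windows, the allowlist of provider DLLs is an assumption, and the catalog text is constructed (the rogue entry reuses a Microsoft description but points at a DLL in a temp directory).

```python
"""Flag unexpected Winsock Layered Service Providers in `netsh winsock show catalog`
output.  Added example, not from the article or the commenters.  The output layout,
the Microsoft provider allowlist and the sample catalog below are all assumptions."""
import re
import subprocess
import sys

# Assumption: provider DLLs Microsoft ships that legitimately appear in the catalog.
KNOWN_MS_PROVIDERS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "wshtcpip.dll"}

# Constructed sample of the command's output: a base provider, a rogue LSP that
# copies the MSAFD description but loads from a temp directory, and the RSVP LSP.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000BAD}
Provider Path:                      C:\WINDOWS\temp\sslpnp.dll
Catalog Entry ID:                   1033
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        RSVP TCP Service Provider
Provider ID:                        {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path:                      %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              2
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")
LAYERED_TYPES = {"Layered Service Provider", "Layered Chain Entry"}


def parse_catalog(text):
    """Split the netsh output into one dict of 'Field: value' pairs per entry."""
    entries = []
    for chunk in text.split("Winsock Catalog Provider Entry")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            entries.append(fields)
    return entries


def expand_path(path, system_root=r"C:\WINDOWS"):
    # netsh prints %SystemRoot% unexpanded; normalise case for comparison.
    return path.replace("%SystemRoot%", system_root).lower()


def suspicious_lsps(entries, system_root=r"C:\WINDOWS"):
    """Return layered entries whose DLL is outside system32 or not on the allowlist.
    Base providers are skipped: only layered entries interpose on application traffic."""
    sys32 = (system_root + r"\system32" + "\\").lower()
    findings = []
    for e in entries:
        if e.get("Entry Type") not in LAYERED_TYPES:
            continue
        path = expand_path(e.get("Provider Path", ""), system_root)
        dll = path.rsplit("\\", 1)[-1]
        reasons = []
        if not path.startswith(sys32):
            reasons.append("provider DLL outside system32")
        if dll not in KNOWN_MS_PROVIDERS:
            reasons.append("provider DLL not in known-Microsoft list")
        if reasons:
            findings.append({"catalog_id": e.get("Catalog Entry ID"),
                             "description": e.get("Description"),
                             "dll_path": path, "reasons": reasons})
    return findings


def live_catalog():
    """On Windows, read the real catalog; elsewhere fall back to the sample text."""
    if sys.platform != "win32":
        return SAMPLE_CATALOG
    return subprocess.run(["netsh", "winsock", "show", "catalog"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for f in suspicious_lsps(parse_catalog(live_catalog())):
        print(f["catalog_id"], f["description"], f["dll_path"], "; ".join(f["reasons"]))
```

    Matching on the description alone would miss the rogue entry, since it copies a Microsoft string; the path and the allowlist are what separate it. Chain entries are included because an interposing provider normally shows up twice, once as the layer and once in the chain that routes a base provider through it.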
    12. Re:What About Firefox Users? by Ilgaz · · Score: 2, Insightful

      I think non-technical Firefox users may have the same risk as OS X users by thinking they are already secure by default and not caring about some simple security methods.

      So the sense of security is the security risk there.

    13. Re:What About Firefox Users? by CDarklock · · Score: 1

      "An examination of his home PC revealed a previously unclassified malware executable. It appeared to have been installed surreptitiously via a remote exploit on December 13, 2006."

      Go ahead. Call me a shill. But this is a massive handwave - what evidence is there that this executable was installed by a remote exploit? Is that evidence in any way bigger or more reliable than the usual "I don't know where that came from! I didn't download it!" from the machine's owner?

      "Hey, Bob. All of your problems seem to have come from this executable here. Did you download random shit from the internet and run it on your computer, in such blatant violation of company policy and good security practices that it essentially makes you one of the world's biggest retards?"

      Please choose your response wisely.

      A) "I thought it was pictures of Britney Spears naked." (the truth)
      B) "I thought Bob sent it to me." (also the truth)
      C) "No." (keeps your retarded ass out of trouble)

      Your selection? ___

      > it makes sense to introduce some sort of
      > security that never ever lets anything but
      > the browser's code access the interfaces to
      > these libraries

      Okay, let me see if I understand you.

      You want us to put code on your computer that you are not allowed to run unless you use IE to do it.

      Is that an accurate statement of your security enhancement? Forbid the user to use the program of his choice to access the useful libraries that Microsoft is using to provide access to internet services?

      Isn't that... I don't know, anticompetitive, or something?

      No. Silver. Bullet.

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
    14. Re:What About Firefox Users? by CalVan · · Score: 1

      It always amazes me when users of non-MS$ products immediately jump up to imply how superior whatever they are using is. Firefox may be better secured or it may not. The bottom line is that the MS$ stuff is by far the bigger target and much more likely to be used by the unaware.

    15. Re:What About Firefox Users? by evought · · Score: 2, Interesting

      You are about to have your butt shoved up your nose, Cancel or Allow?

      Seriously, though, several things struck me. One was that a screenshot of the (malware) author's webpage showed that Firefox "support" was expected in a new release. Of course, I browse with NoScript enabled on a Macintosh which has been significantly tightened down. I regularly complain to sites that require users to have javascript enabled to do business with them and generally get favorable responses, especially when referring them to recent articles. I often find that even if functionality is degraded, most sites I visit function.

      Another interesting thing is that the trojan itself presumably only needed normal user permissions to do its main job, nullifying account protection and one of the things which makes Mac/Windows/Vista better than XP. It needs privilege escalation to hide and make sure it can survive removal attempts, but the encryption and other things also make detection harder without rooting the box.

      IE 7/Vista's browser sandbox, in theory, should make this kind of attack less successful, since it makes it harder to convince the browser/system to modify the environment without user intervention even when account permissions would normally allow it. Newer memory protections in both Vista and gcc 4.1+ systems should also make its job significantly harder, but one of the best things is just to limit what a web page is allowed to do and that is one of the things that is much easier to customize in Firefox (with your choice of extensions).

      The fact that this is yet another case where otherwise trustworthy systems are the source of an attack is disturbing. Site-rating systems like WOT and certificate rating are rapidly becoming worthless. Also, this means that, since the e-commerce sites are obviously not secure, the attackers can obviously get access to your data from them, regardless of what precautions you take. Systems like Paypal where your account information is not provided to the vendor become more valuable, assuming Paypal itself is not compromised. One-time credit-cards are also very useful.

      As for two-factor authentication, something akin to a scramble-pad may work. use multiple choice for a challenge (with randomized positions) or provide randomized buttons to enter a pin. Similar systems are sometimes used for physical security to good effect.

    16. Re:What About Firefox Users? by A_Non_Moose · · Score: 1

      > Well, it uses an IE browser exploit to get in, so if you don't use IE, you're at low risk. But far be it from anyone to think that these crooks won't find a way to deliver the Trojan in another manner if their IE route dries up.

      Perhaps if they open sourced their code, or made a Firefox plugin?

      All these exploits we're missing because of alternative browsers...I feel so left out! (/sniffle).
      --
      Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    17. Re:What About Firefox Users? by Anonymous Coward · · Score: 0

      > Unless it hides itself in auxiliary BIOSs as well.

      Has this ever been seen in the wild? Room for code in the BIOS is usually very small...

      Of course on a real machine, like the good old Sun boxes, you don't put code in the BIOS without first physically moving a jumper...

    18. Re:What About Firefox Users? by Anonymous Coward · · Score: 0

      > Any browser with similar JS, XMLHTTP, and ADODB capability is susceptible as an infection vector. The system put in place by the EXE relies on common OS infrastructure.

      Perhaps, but I use noscript, safe history & safe cache, so they're fighting a rather uphill battle, especially since I have adblock+ as well, so I'd have to request their site directly to even see it.

      That said, one time I did go to a site that was supposed to have useful technical information. Their navigation was entirely in javascript, so I had to temporarily allow it with noscript (I almost never permanently allow sites).

      It hit me with a popup almost immediately, so I knew something was wrong, examined the page source & shut down the window to the site. Then I examined the computer with Spybot Search & Destroy, etc. to determine what it was up to.

      As I recall, it tried (and failed) to download something that looked like a trojan. So I guess that Firefox isn't invulnerable, but in good hands, it gives you the tools you need to protect yourself.

    19. Re:What About Firefox Users? by Phukko · · Score: 1

      hmmm.
      this malware steals identity related data and reposts it to a Russian Server
      it was undetected for weeks by any of the "Big" anti-virus companies
      Even after detection it was misclassified for at least another 2 months
      Just keeping your anti-virus software up to date is simply not enough - maybe it's time to set up a secure computing Boot CD to do any online financial transactions.

      Seriously, I think that I'm going to set up as light of a boot image as I can on non-re-writeable media

      To boot LINUX and support firefox, SSL, SSH, and little else.

      I thought about using a bootable USB key, but that media is re-writeable.

      Does this seem sufficiently paranoid, or are there further steps to take?

      Any suggestions?

    20. Re:What About Firefox Users? by Aladrin · · Score: 1

      I'm far from expert in security, but a (k|x)ubuntu boot CD would be a good option indeed. I'm not sure that you even need to take it that far, though. You could simply use VMWare to boot the CD image while you are still in Windows and do it that way.

      Still, paranoid may be the right word. Viruses this powerful and effective don't often manage to stay undetected for this long. The exploits used for it will be cleaned up, the virus databases updated, and it'll be harder for them to create another to do the same thing.

      'Snatch 2' will supposedly work on Firefox, but they haven't managed so far. There's only a few options for why:

      He's not smart enough (not likely, as Snatch is pretty clever)
      He's waiting for the right exploit to show in Firefox (if he isn't the one to find it, it'll be fixed in short order)
      It's not possible. (And there's nothing to worry about.)

      I've (hopefully) implemented the rules in the article at the bottom that supposedly detect Snatch activity on your network, and I've alerted my Windows-using friends. I'll be checking a few of their computers myself soon to be sure, but I'm not too worried as I've already convinced most of them to use Firefox whenever possible, and they aren't the type to surf randomly on the web. (Well, my Dad is, but not on purpose... And he doesn't have a net connection right now.)

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    21. Re:What About Firefox Users? by oblonski · · Score: 1

      Here in South Africa my internet banking site had a random virtual keypad on the login page that got discontinued due to not being used by the rest of their users, and I thought that was pretty dumb because you can't have too much security, yeah?

      Now I receive notices from them about phishing sites and not to give your login details to anyone!
      (snicker!)

      Anyways, now they have a thing called one time password where they send you a unique number with a time limit to your mobile or e-mail that you must enter before your account allows you to do anything after login...

      That kind of makes one sleep a little better, but paranoid old me put Zone Alarm security suite in such a configuration that every single thing that comes into or goes out of every port must be OK'ed by me.

      It also hides your computer's IP so you're basically "invisible".

      Also try and do things on your mobile with Opera Mini; web pages go through a proxy first and you are able to see things which some people (ISPs block certain ranges of IPs) cannot, i.e. peacefire.org, and the data cost savings are unbelievable. You can do most of everything from your mobile in Opera Mini, including Gmail, where you can view PDF and other office-type formats on their server from your phone.

      For close on one year now that is how my system remained clean and continues to do so.

      I also use Firefox 2 and Opera 9 on PC and don't do business with banking or e-commerce sites that require IE or JavaScript functionality.

      With those kinds of measures you're largely bypassing many of the things Gozi exploits, but it won't be long before someone comes up with the next clever piece of crap that makes all these precautions useless.

      anyways just my two cents...

      --
      Move along now, nothing to see here! Go on!
  3. IP traceback by jshriverWVU · · Score: 2, Insightful

    Can't you just do a traceroute on the IP that this info is being sent to? Seems this would be a nice way of figuring out where the info is going. Then blacklist it or possibly a range router side.

    1. Re:IP traceback by Klaus_1250 · · Score: 4, Informative

      I doubt they will use a single IP for long, in fact, I would say that if they are pro's, they'll only use it for several hours. There are quite a few organizations tracing and logging such IP's and some of the better security software blocks them. The longer you use a single IP, the less effective they'll be and the higher the risks.

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
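    The exchange above is the practical problem with blacklisting a dropzone by address: the reply is right that a professional operator moves the collection server, so a rule keyed to one IP decays within hours. What stays constant is the behaviour the article describes, a compromised host POSTing captured form data to a server that is named by a bare IP address, and many internal clients doing it to the same place. The following is an added example, not code from the article or from any commenter: it runs that logic over constructed proxy log lines in an assumed simplified format (timestamp, client, method, URL, status) and reports destinations that several distinct clients POST to by IP literal. The addresses are TEST-NET values, since the article masks the real dropzone IP.

```python
"""Find candidate dropzones in proxy logs: POST requests to an IPv4-literal host
that several distinct internal clients share.  Added example; the log format is
an assumed simplification and every line below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed line layout: "<epoch> <client-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: normal browsing, three clients posting to the same
# IP-literal host, and one client posting to a second IP-literal host.
SAMPLE_LOG = """\
1174000001 10.0.0.12 GET http://www.example.com/ 200
1174000002 10.0.0.12 POST https://bank.example.com/login 200
1174000003 10.0.0.12 POST http://192.0.2.44/cgi-bin/forms.cgi 200
1174000010 10.0.0.31 GET http://news.example.org/index.html 200
1174000011 10.0.0.31 POST http://192.0.2.44/cgi-bin/forms.cgi 200
1174000020 10.0.0.57 POST http://192.0.2.44/cgi-bin/forms.cgi 200
1174000030 10.0.0.57 POST http://198.51.100.9/update.php 200
1174000031 10.0.0.99 POST https://shop.example.net/checkout 200
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_ip_literal_host(url):
    """True when the URL's host is a bare dotted-quad rather than a hostname."""
    host = urlsplit(url).hostname or ""
    return bool(IPV4_RE.match(host))


def candidate_dropzones(text, min_clients=2):
    """Return [(host, distinct_clients, post_count)] for IP-literal POST targets
    reached by at least min_clients different clients, sorted by host."""
    clients = defaultdict(set)
    posts = defaultdict(int)
    for r in parse_log(text):
        if r["method"] != "POST" or not is_ip_literal_host(r["url"]):
            continue
        host = urlsplit(r["url"]).hostname
        clients[host].add(r["client"])
        posts[host] += 1
    return sorted((h, len(c), posts[h]) for h, c in clients.items() if len(c) >= min_clients)


if __name__ == "__main__":
    for host, n_clients, n_posts in candidate_dropzones(SAMPLE_LOG):
        print(f"{host}: {n_clients} clients, {n_posts} POSTs")
```

    The threshold on distinct clients is what makes this usable: a single user posting to an IP address is common enough (internal tools, misconfigured sites) that it is noise, but three unrelated desktops submitting forms to the same anonymous address is worth a look whatever that address is today. Raise `min_clients` on larger networks, and feed the hits to the same blocking you would have applied to a static list.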
    2. Re:IP traceback by d!rtyboy · · Score: 1

      I would guess that the server would be protected by international law as well.. and not easily shut down.

      --
      ~ So sayeth the wise Alaundo
    3. Re:IP traceback by Anonymous Coward · · Score: 1, Funny

      They must have a physical location they work from in Russia. A few ex-KGB guys for hire would be more than happy to "solve" this problem for the right amount.

    4. Re:IP traceback by Anonymous Coward · · Score: 0

      Who needs international law??? We have Bush. He can just order a cruise missile sent to the Internet Coordinates and -voila- no more server!!!! And if that don't work, we can invade the hosting country and take their oil to teach them a lesson.

    5. Re:IP traceback by Anonymous Coward · · Score: 0

      HA!

      I know of a malicious trojan / botnet that's been running since October of 2006 that logs its data to a single IP in Germany. A redirection site in Korea is also still running (single IP).

      Keep them ideas coming....

  4. Possible solution... by Dogtanian · · Score: 2, Funny

    ...to the problem of AV companies not picking them up; offer a large-ish reward for information, and have someone involved tell the AV companies about the trojan as soon as possible. It only needs one relatively unimportant person (coder peon?) to blab and give the game away, so long as they're assured of having their identity kept secret.

    I'm sure there are a million flaws in this idea, but it's a start.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    1. Re:Possible solution... by BlueTrin · · Score: 4, Insightful

      I guess the major flaw would be that I could write code and report it ?

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
    2. Re:Possible solution... by Dogtanian · · Score: 2, Interesting

      > I guess the major flaw would be that I could write code and report it ?

      That had occurred to me; the reward, however, would likely not be enough to warrant writing a piece of genuinely new code.

      If the case was genuine and one guy had written all the code, he would be getting paid for writing the code (by Mr. Big, presumably) *and* for blowing the lid on the whole thing (by the AV company). If someone writes the code for use by themselves, they either have to report it before it becomes prominent (and hence they don't make much money from the use of the code), or if they wait too long the AV companies figure out the info for themselves first, and they don't get paid.

      Basically, though, this idea operates under the premise that there is more than one person involved (preferably many), and that this individual stands to gain by giving the game away.
      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    3. Re:Possible solution... by BlueTrin · · Score: 1

      I thought about it before hitting the reply button ... The problem in this model is that the AV company doesn't get a percentage or save a percentage of the damage which is occurring.
      i.e. police/army could pay a huge amount of money to save lives/avoid a terrorist plot; since the risk/reward is biased, they have much more to lose if people die.

      Writing software has a cost, but depending on the country where you live and your career expectations, it can cost very little. i.e. if I was living in a quite poor country and had a lot of time to spare, it could be profitable for me to write code to get paid in this way. (you gave a good argument about this: if the code is not yet widespread and/or not dangerous the price to pay for the counter will be quite cheap)

      AV companies on the opposite would benefit from the terror of a major outbreak, especially if they get reported to the masses in the newspapers. The only thing that they would worry about is to have the counter to a security breach at least at the same time as their competitors, to not look bad to their customers. If they could reclaim money from the damage which could have occurred it would make the model viable. The only benefit for them is to avoid hiring people writing filters to counter this attack.

      --
      Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
  5. Spreads!=Affects by Anonymous Coward · · Score: 3, Informative

    You need IE to install the trojan, once it is running it will compromise all SSL traffic.

    1. Re:Spreads!=Affects by meshko · · Score: 1

      +5 informative my ass. RTFA. It only intercepts IE traffic and JavaScript traffic originating from IE. According to the article it seems that there is a newer version with Firefox support, but the one dissected in the article only affects IE.

      --
      I passed the Turing test.
  6. Russia? by mastershake_phd · · Score: 1

    I thought the US was responsible for this? Which is it people.

    http://it.slashdot.org/article.pl?sid=07/03/20/0127215

    1. Re:Russia? by Chmcginn · · Score: 1
      They're not mutually exclusive.

      A.) This is one case, not the majority.

      B.) Nothing stops a malware writer in Richmond, VA from distributing via a computer in Portland, OR & getting the info stashed on a computer in St. Petersburg, Russia. Gotta love that global economy.

      --
      Have you been touched by his noodly appendage?
  7. headline strike again! by Arielholic · · Score: 5, Funny

    Trojan Analysis Leads To Russian Data Hoard

    So the analysis led to the hoarding? Everybody stop analyzing NOW!

    1. Re:headline strike again! by Hoi+Polloi · · Score: 2, Funny

      They meant "Horde". It is obviously being run by a WoW guild.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    2. Re:headline strike again! by Anonymous Coward · · Score: 0

      What? Hurd? It's done?

  8. Hmm.. smth does not compute by wumpus188 · · Score: 2, Interesting

    TFA mentions 81.15.146.42, which apparently is a42.skierniewice.mediaclub.pl, which is in Poland.
    Where did Russia come from?

    1. Re:Hmm.. smth does not compute by Talavis · · Score: 1

      Under the picture showing that address this can be found: (this IP address has been changed from one actually used by the trojan)

    2. Re:Hmm.. smth does not compute by coolnicks · · Score: 2, Informative

      The actual IP is 81.95.146.98, and is indeed in Russia, although this IP is no longer responding on port 80.

    3. Re:Hmm.. smth does not compute by Anonymous Coward · · Score: 1, Informative

      http://web.archive.org/web/*/81.95.146.98/* is slightly useful in seeing how exactly someone could get infected, but win.exe is truncated at 4096 bytes, so there's nothing to play with there ;)

    4. Re:Hmm.. smth does not compute by Anonymous Coward · · Score: 0

      The East?

    5. Re:Hmm.. smth does not compute by Ilgaz · · Score: 1

      It could be an IP on some weird island; it is basically another layer of compromised machine network, they aren't that stupid to use their own machines for anything at all.

      I remember evil BBS guys were using hacked phone lines other side of Earth to do dirty jobs.

      If I was an American black hat, I would learn Russian language or hire a Russian and act like Russia based which will provide another layer of security. I guess we have right to go paranoid in such issue :)

  9. Linux by Anonymous Coward · · Score: 0

    But is this software supported on Linux?

  10. i'm in awe by circletimessquare · · Score: 3, Insightful

    reading that article is like looking at the blueprint for a neutron bomb: beautiful, magnificent, and pure evil

    the mind boggles at what these men (or women) of such high craft could achieve were they to devote their genius to good efforts rather than bad. as it is, in the business they are in, they will probably very rapidly come under the thumb of the russian mafia, if they aren't already. then their life will be on a short leash, that, if they attempt to tug, will land them with a swift reprimand from guys you don't want to know what a swift reprimand from is like

    sad. these are no script kiddies here. these are smart blokes. and they are also doomed to a life under the thumb of men a thousand times more evil than their devilish and brilliant exploits ever could be

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:i'm in awe by Dogtanian · · Score: 1

      > sad. these are no script kiddies here. these are smart blokes. and they are also doomed to a life under the thumb of men a thousand times more evil than their devilish and brilliant exploits ever could be

      Can't say I have too much sympathy. They may be genius programmers, but it doesn't take more than a shred of common sense for anyone to figure out what you said for themselves. Or maybe they were blinded by their greed.... whatever, fuck 'em.
      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    2. Re:i'm in awe by krunk7 · · Score: 2, Interesting
      Ok, let's go with this evil genius take on things. Now, you take one look at their situation and within the time frame it took you to click "reply" and start typing you came up with this angle.

      Now I'm supposed to accept that these evil geniuses suddenly got retarded when it came to the common sense risks with their new business? They've developed a real cracker jack exploit of commercial quality able to mass infect systems, avoid tracing, the whole nine yards. They then market this to organized crime syndicates around the world and in particular to the Russian mob.

      But along the way they never thought about doing all this anonymously. Or maybe, gasp, they aren't even in Russia? Maybe they're in china, india, or the U.S. and chose to vendor to Russian mafia specifically because of the difficulty of extending their reach across continents?

      Personally, if I were an evil russian programmer out to make nefarious riches I'd vendor to china, india, or the U.S. Everyone knows the best illegal business is illegal business not done in your own backyard.

    3. Re:i'm in awe by mgblst · · Score: 1

      Yes, because that is the way the world works. You know, if the people behind Microsoft Office had put their skills to good use, no doubt we would have a base on the moon. And if the people behind Oracle database had diverted their efforts to space travel, we would have FTL speed. And if all those Linux geeks had just studied up on some medicine, we would have a cure for AIDS and the common cold.

      Let me guess, you REALLY like cartoons?

    4. Re:i'm in awe by arivanov · · Score: 2, Interesting

      Or maybe having kids to feed.

      With a relatively small local software market as well as relatively small outsourcing market Russia (and to lesser extent Bulgaria and Romania) are ripe for the picking by the mafia. Most of the qualified software engineers who do this kind of work will very happily work on an outsourcing contract instead. Further to this, they are likely to deliver considerably better quality code than most Indian outsourcing shops (I have seen code and projects from both so this statement is based on actual experience and reading the actual code produced).

      But for a variety of reasons they do not get any work like that, and as a result they work for the mafia.

      C'est la vie.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    5. Re:i'm in awe by Phukko · · Score: 1

      And we would have gotten away with it too, if it hadn't been for those meddling kids and their dog!

    6. Re:i'm in awe by zoftie · · Score: 2, Informative

      This comes from my experience:

      Most Russian coders [in russia] are assholes and lazy. I am russian and grew up in Canada. I went to russia to work for a while, to see how it is. After all, wages in moscow are 2000$+, so I wasn't just surviving.
      I was a little dismayed at the experience of being in russia, finding that while there are a lot of brilliant coders, many are lazy and have too few team skills to be usable in a company. Another thing, russians are daring, so this sort of stuff comes up all the time. They won't do work, but throw them a challenge and they'd go at it.

      To put it another way, those who can do and care to work left a long time ago. Those who stay are the ones who aren't willing to change, thinking that old russian ways are fine. In addition, real estate prices in moscow are soaring. Many sysadmins made their way to buying an apartment by reselling hardware to their own company with 5x - 100x markup. Yes these things happen :)

      What can I say its a mess, really.

      This virus isn't a surprise, there are a lot more covert virii, I'd tell you. Ones that do embed themselves in the kernel, not as a process or a program.
      Cheers.

    7. Re:i'm in awe by ConceptJunkie · · Score: 1

      We had a base on the moon, but it blew up on the third day. We had FTL travel, but it cost $9 billion per mile to use. And we had cures for AIDS and common cold, but to use it you had to compile the retrovirus against your DNA yourself, which takes about 100 years, assuming you have all the libraries installed.

      --
      You are in a maze of twisty little passages, all alike.
    8. Re:i'm in awe by Dogtanian · · Score: 1

      Or maybe having kids to feed.
      Building a future for your family by forever being under the thumb of the Russian mafia? Please.
      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    9. Re:i'm in awe by not_hylas(+) · · Score: 1

      Me too.
      Speaking of Evil Genius(TM):

      Researchers: Rootkits headed for BIOS

      http://www.securityfocus.com/comments/articles/11372/33500/threaded#33500

      Arhiveus Ransomware Trojan Analysis

      http://www.secureworks.com/research/threats/arhiveus/

      It almost appears that we'd run into the "loving" arms of DRM (etc.) to escape future, more powerful variants.
      These "guys" (in general) are PhDs/Engineers and are not competing anymore, they're leading the "innovators" (look at AV Companies and they're all struggling). OpenSource has been the only real response. ... tap, tap, tap, ... what to do, what to do.

      --
      ~hylas
    10. Re:i'm in awe by sarathmenon · · Score: 1

      Or maybe having kids to feed.
      Building a future for your family by forever being under the thumb of the Russian mafia? Please.


      Let's see. For the point of this discussion, let's assume that you are in russia and that you have kids to feed. What would you do - would you have them starve, or pick up the _only_ good paying job available to you?

      Ethics and ideals are fine and good. When it comes to subsistence, a lot of people make stupid choices. I tell this because while things have improved a lot in India, there used to be a time decades ago when people literally did not have food for the entire family - where mothers used to go starving so that the children did not have to be hungry. I've heard about it firsthand, and I've seen pain in their eyes when they recollect it. They also add in that if there was anything to steal, people would simply have grabbed them. That's what the need for basic survival does - to you, me and everyone else.

      I do not sympathise with the Russian reverse engineers, but I can certainly understand the economic conditions that could have driven them to it.
      --
      Microsoft: "You've got questions. We've got dancing paperclips."
    11. Re:i'm in awe by Dogtanian · · Score: 1

      What would you do - would you have them starve, or pick up the _only_ good paying job available to you?
      Are we talking about starvation here?

      Ethics and ideals are fine and good.
      Regardless of ethics and ideals, basic self-preservation would dissuade me from having anything to do with the Russian mafia.
      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    12. Re:i'm in awe by sarathmenon · · Score: 1

      We're talking from an isolated view here. I do not know the actual scene in Moscow, but if the only job available to me as a skilled professional was malware coding, I may not see anything unethical in it. In fact, if things are as bad as they are shown to be, I don't think many people in Russia would be averse to accepting a job like that. It would be, like piracy, a way of life.

      Also, keep in mind that in both our cases, there is no omnipresent mafia. But assuming there was one, and that its hands were stronger than the govt's, just how much do you think you can escape from it?

      --
      Microsoft: "You've got questions. We've got dancing paperclips."
    13. Re:i'm in awe by shutdown+-p+now · · Score: 1

      With a relatively small local software market as well as relatively small outsourcing market Russia (and to lesser extent Bulgaria and Romania)
      A good programmer can find a job which pays $2000+/month without much trouble in Moscow - this I know from personal experience. If people are not living in Moscow, it's not a big deal to move there, again, from personal experience. It's mostly outsourcing jobs of course, though there are also quite a few local shops who merely sell the products abroad - they still pay well. But to say that there are no well-paid jobs for good or even mediocre programmers in Russia these days would be a lie.
    14. Re:i'm in awe by shutdown+-p+now · · Score: 1

      To put it in other way, those who can do and care to work, left a long time ago.
      This is wrong at least for two reasons. First of all, obviously, every year new capable people come to the field. Second, why would they want to leave, if that $2000 salary is quite enough for a very good living in Moscow by local standards?

      It's not all that easy to leave as well, even for those who want it. I've contemplated leaving for Europe or maybe even US... the problem is, I haven't got a degree. It seems that all countries require at least bachelor's degree to apply for immigration with any reasonable chance of success. For US, there's also H1B, be a slave for a few years for a chance of getting permanent residency - doesn't look all that good either.

    15. Re:i'm in awe by arivanov · · Score: 1

      I am not saying "no". You misread my post. I am saying "not enough compared to the availability". There are considerably more qualified coders than jobs. Same elsewhere in the ex-Eastern bloc.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    16. Re:i'm in awe by shutdown+-p+now · · Score: 1

      I guess it depends on one's definition of qualified. The companies I, my wife, and all my friends/acquaintances work at all need more skilled people.

  11. In.... by UberHoser · · Score: 0

    In soviet russia, the Horde owns YOU !

    or is that

    In World of Warcraft, the Horde owns YOU !

    I am so confused....

    --
    Guns are for wimps... Use a crossbow.. this way you can pin them to their chair when you go postal.
  12. Who's the target customer? by BobMcD · · Score: 4, Insightful

    What frustrates me a bit about TFA is where they stopped. They identified what the malware is, does, where it comes from, etc. They seem to have left out the 'why' part of the equation. Who would buy the data, and for what purpose? Dig a little deeper here. What we are defending against becomes a lot clearer when the motives of the attacker are known. This exploit is sophisticated and mature. It appears to be a viable business. This is not the action of an individual bent on personal gain, rather a true-world example of organized crime. This is much more serious than we're being led to believe. This is what gives me pause: What kind of customer would pay for access to such a broad set of data?

    1. Re:Who's the target customer? by guruevi · · Score: 1

      Simple, I pay $10 to this programmer that will install it to 100 zombies for me. I can then get all information that passes through the zombies.

      Eg. you are using a zombie computer, trying to check your balances. I get the data from the 100 zombies and I have your login data for your bank, plus about 50 other persons' data. I check your account and see that 'you Americans' make 20x as much as I do in a month.

      I transfer 50x your paycheck to my 'business' account, I get all the money off the same day, close the 'business' account and disappear for a little bit. Before you even notice you've been robbed (whenever you check your balances), I have repeated this maybe 10, if not 100 times, I become a rich crime lord in my town and bribe the local cops and surround myself with some 'bouncers'.

      Plenty of ideas, I personally, would also disappear from my apartment, retrofit my car with some weaponry and roam the country, using people's or hotel's wireless internet to refill my bank accounts. If you don't want to go into crime, I can also sell all e-mail addresses that ever pass over your network for about 10cents/address.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Who's the target customer? by TheNicestGuy · · Score: 2, Interesting

      What kind of customer would pay for access to such a broad set of data?
      That's one of the points the article is trying to make, as a sea change in this sort of malware: Because the data is so broad and voluminous, the providers could have a quite varied customer base. It's been commoditized. Data mined from this store could be of use to unscrupulous folks ranging from simple carders, to account drainers, to mob bosses, to terrorists. Notice that the data was not just credentials for banking and shopping sites, but included access to law enforcement and other government applications. Wanna steal a car and un-report it as stolen the next day? This might not be a bad place to start.
    3. Re:Who's the target customer? by HomelessInLaJolla · · Score: 1

      Who would buy the data
      People who want to collect this information but can't do so legally. I'm thinking along the same lines as FBI illegal domestic HP wiretap Enron scandal something what.

      and for what purpose?
      That varies by subject.
      --
      the NPG electrode was replaced with carbon blac
  13. Very Interesting article by crabpeople · · Score: 1

    "This filename was written into the registry so it would be run again on startup:"
    And that's the ticket. Everything has to load from somewhere, and a safe-mode scan with something like HijackThis would show this up no problem. The only issue I can see is that unless there was significant system lag, you would have no idea to even scan your system.

    Very pro deconstruction though. I usually just wipe the little buggers.

    --
    I'll just use my special getting high powers one more time...
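A way to triage what such a startup scan actually returns, as an added example that is not part of this thread or of the SecureWorks analysis: it parses a constructed `reg export` dump of the Run keys and flags entries whose image sits in a user-writable directory or whose file name imitates a Windows system process. The registry text, paths and file names are all constructed, and the two heuristics are a starting point for a look, not a signature.

```python
"""Triage of Run-key autostart entries from a `reg export` dump.
Added example, not from the Slashdot thread or the SecureWorks write-up;
the .reg text, paths and file names below are constructed."""
import re

# Constructed sample in reg-export text form (backslashes/quotes escaped).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svhost"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svhost.exe -s"
"lsass"="\"C:\\Documents and Settings\\user\\Application Data\\lsass.exe\""
'''

# Any logged-on user can write here; legitimate autostarts rarely live here.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                         "\\application data\\", "\\local settings\\",
                         "%temp%", "%appdata%")
# Names malware likes to borrow; the real ones live under \Windows\.
SYSTEM_PROCESS_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                        "explorer.exe")
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo reg-export escaping (doubled backslashes, escaped quotes)."""
    out, i = [], 0
    while i < len(s):
        esc = s[i] == "\\" and i + 1 < len(s)
        out.append(s[i + 1] if esc else s[i])
        i += 2 if esc else 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key, name, command} for every string value in the dump."""
    entries, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if not m or not key:
            continue
        raw = m.group(2)
        if not (raw.startswith('"') and raw.endswith('"')):
            continue  # hex(...) values (REG_EXPAND_SZ, binary) are skipped here
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        entries.append({"key": key, "name": name, "command": _unescape(raw[1:-1])})
    return entries


def extract_image_path(command):
    """Executable path from a command line, with or without quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def _within_one_edit(a, b):
    """True if a and b differ by at most one substitution or one deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long = sorted((a, b), key=len)
    return any(long[:i] + long[i + 1:] == short for i in range(len(long)))


def triage(reg_text):
    """Every Run entry with its image path and a (possibly empty) reason list."""
    findings = []
    for e in parse_reg_export(reg_text):
        image = extract_image_path(e["command"])
        low, reasons = image.lower(), []
        base = low.rsplit("\\", 1)[-1]
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("image under a user-writable directory")
        for sysname in SYSTEM_PROCESS_NAMES:
            if base == sysname and "\\windows\\" not in low:
                reasons.append(f"{sysname} outside the Windows directory")
            elif base != sysname and _within_one_edit(base, sysname):
                reasons.append(f"name is one edit away from {sysname}")
        findings.append({"key": e["key"], "name": e["name"], "image": image,
                         "reasons": reasons})
    return findings


def suspicious(reg_text):
    """Only the entries worth a closer look."""
    return [f for f in triage(reg_text) if f["reasons"]]
```

On a real box the same dump comes from `reg export` of each Run key (and the RunOnce and Winlogon equivalents), so `suspicious()` is what a HijackThis-style listing gives you once a machine-readable filter is put in front of it.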
    1. Re:Very Interesting article by Anonymous Coward · · Score: 0

      I know how to start an arbitrary process automatically from safe mode. Do you?

    2. Re:Very Interesting article by TheNicestGuy · · Score: 1

      The only issue I can see is that unless there was significant system lag, you would have no idea to even scan your system.

      Which would be unlikely if the thing is well-engineered. All it's doing is skimming each POST and generating a new one of its own. Presumably it's happening asynchronously, so there probably wouldn't be any noticeable performance difference. Like they said in the article, it could send up red flags if you had a very smart and paranoid network traffic analysis system, but that's not happening in a home network scenario.

      Notice that the reason SecureWorks caught wind of this thing in the first place was because someone saw their online accounts get hijacked and put their PC under the microscope. It wasn't until about a month later that any of the major antivirus vendors started recognizing it specifically.
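What a "very smart and paranoid" traffic analysis system could look for, as an added example that is not part of this thread or of the SecureWorks analysis: a form grabber that re-POSTs each submitted form to its dropzone produces a second POST to the same unrelated host shortly after POSTs to many different sites, so the code below flags, per client, hosts that "shadow" several distinct origins within a few seconds. The proxy log format, host names and addresses are constructed; TLS sites would show up only as CONNECT lines in such a log, and this simplified version correlates plaintext POSTs only.

```python
"""Spotting 'shadow' POSTs: a form grabber re-posting each submitted form
to its dropzone. Added example, not from the thread or the SecureWorks
analysis; log format, hosts and addresses below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, client, method, host, request bytes.
# 203.0.113.7 plays the dropzone; analytics.example is a benign follower.
SAMPLE_PROXY_LOG = """\
2006-07-21T09:58:10 10.0.0.5 GET online.bank.example 0
2006-07-21T09:58:31 10.0.0.5 POST online.bank.example 812
2006-07-21T09:58:32 10.0.0.5 POST 203.0.113.7 947
2006-07-21T10:03:04 10.0.0.5 POST shop.example 1420
2006-07-21T10:03:06 10.0.0.5 POST 203.0.113.7 1501
2006-07-21T10:09:45 10.0.0.5 POST webmail.example 355
2006-07-21T10:09:46 10.0.0.5 POST 203.0.113.7 420
2006-07-21T10:12:00 10.0.0.6 POST online.bank.example 790
2006-07-21T10:12:01 10.0.0.6 POST analytics.example 160
2006-07-21T10:20:00 10.0.0.6 POST shop.example 1300
2006-07-21T10:20:40 10.0.0.6 POST 203.0.113.7 900
"""


def parse_proxy_log(text):
    """One (time, client, method, host, bytes) tuple per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(size)))
    return events


def find_shadow_posts(events, window_s=5.0):
    """Map (client, later_host) -> {earlier_host: seconds} for every POST
    that follows a POST to a different host within window_s seconds."""
    posts = defaultdict(list)
    for ev in events:
        if ev[2] == "POST":
            posts[ev[1]].append(ev)
    shadows = defaultdict(dict)
    for client, plist in posts.items():
        plist.sort(key=lambda e: e[0])
        for j, later in enumerate(plist):
            for earlier in reversed(plist[:j]):
                delta = (later[0] - earlier[0]).total_seconds()
                if delta > window_s:
                    break  # everything before this is older still
                if earlier[3] != later[3]:
                    shadows[(client, later[3])].setdefault(earlier[3], delta)
    return shadows


def detect_dropzones(text, window_s=5.0, min_origins=2):
    """Hosts that shadow POSTs to at least min_origins distinct sites from
    one client. A tracker follows one site; a dropzone follows many."""
    shadows = find_shadow_posts(parse_proxy_log(text), window_s)
    return {k: sorted(v) for k, v in shadows.items() if len(v) >= min_origins}


if __name__ == "__main__":
    for (client, host), origins in detect_dropzones(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {host} shadows {len(origins)} sites: {', '.join(origins)}")
```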

  14. Was it... by Anonymous Coward · · Score: 0

    slashdotted?

    here is an effective way to make a Trojan useless: just post it on slashdot

  15. M$ is just trouble. by twitter · · Score: 1

    The further away you get from M$, the better off you are. IE is the pits but other browsers on the platform will use M$'s flawed underlying code at times for compatibility. There are lots of IE specific bones on this one but once the machine is compromised anything is possible. You keep IE around for that one page that needs it, right? All it takes is a rotten banner ad to blow you out that one time you use it. M$'s internet services are starting to mirror their PC performance when it comes to handing out malware. The more you use M$, the worse off you are.

    The next time you end up wiping and reloading because of problems like this, why not save time and install something that just works?

    --

    Friends don't help friends install M$ junk.

    1. Re:M$ is just trouble. by jb.hl.com · · Score: 1

      IE is the pits but other browsers on the platform will use M$'s flawed underlying code at times for compatibility.

      Would you like to cite an example of this, or are you just talking shite as usual? If you don't reply then it'll be fairly clear that it's the latter.

      --
      By summer it was all gone...now shesmovedon. --
  16. zzz by circletimessquare · · Score: 2, Interesting

    you seem to have some problems understanding how the world works. the programmers who do these things are not untouchable, nor do they go to the great lengths you describe to make themselves untouchable. why? because no one can do business and also be a puff of smoke at the same time. it's a balance you have to strike between being hard to find by the authorities and easy to find by your business interests. it is easy to be hard to find by the authorities. even when they see you, their hands are tied

    however, it is those very business interests i describe above whom you have to worry about more than the authorities

    you cannot do business with the underworld, and not also be made part of the underworld in the process. you fail to understand the dynamics of the situation these programmers are in. you fail to understand the mafia. if you deal with the mafia, and you yourself are doing something shady, the mafia simply moves into your turf. they will simply come to own you, one way or another, and there is absolutely nothing you can do about it

    get someone to protect you from them? who? the authorities? you're already illegal yourself. another mafia group? ok, fine: you're not dealing with the original evil a**holes who were threatening to coopt your life, but now you are dealing with another group of evil a**holes who have the same methodologies and goals, so you have the same problem. protect yourself? ok, now you have become the evil a**hole yourself. you have the stomach to threaten loved ones, put innocents in harms way, deal in murder? it's a big step up from internet crime my friend. it's one thing to pilfer a moron's bank account. it's another thing to kill the 9 year old daughter of the mafia tycoon who won't leave your business alone

    in other words, deal with the devil, and the devil owns you, no matter what. you are not untouchable when you deal with the mafia and you also make money shady like they do and you do business with them. you have no relatives who can be threatened? you love no one in this world who can't be hurt or found?

    in short, you're rather naive about the subject matter you are commenting on. you really haven't the faintest clue about how vile these people are, the mafias of the world

    and, therefore, in a way, you are lucky, in your naivete, to be so blissfully unawares of these monsters in your midst. pray you stay that way, naive and clueless about how these type of organizations really operate. it's the best way to live your life. you really don't want to know about these guys, nor broadly boast about how untouchable you would make yourself from them via a few proxies. right, yeah. if you are doing shady work, and you are in business with them, and you are making a nice amount of cash, consider yourself pwned

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:zzz by mav[LAG] · · Score: 1

      Excellent post. I'm reminded of this famous monologue:

      Henry Hill: [narrating] "Now the guy's got Paulie as a partner. Any problems, he goes to Paulie. Trouble with the bill? He can go to Paulie. Trouble with the cops, deliveries, Tommy, he can call Paulie. But now the guy's gotta come up with Paulie's money every week no matter what. Business bad? Fuck you, pay me. Oh, you had a fire? Fuck you, pay me. Place got hit by lightning huh? Fuck you, pay me."

      --
      --- Hot Shot City is particularly good.
  17. that is sad by circletimessquare · · Score: 1

    tell me something, as you appear to be russian: is it merely a hollywood stereotype that the russian mafia exerts so much influence in russia? i mean even putin seems to be playing the authoritarian game of "do as i say or you're going down". is it a stereotype? or is it true that the underworld seems to have an especially strong grasp on russia? why? hangover from the collapse of the soviet union? filling some sort of power void?

    i ask in complete innocence, but sitting here in new york city, where we are no stranger to organized crime, but russia seems to me to be caught in the especially strong underworld net as compared to other locales. fact or fiction? if so, why?

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  18. Point by HomelessInLaJolla · · Score: 1

    While infected, the xx_id value remains the same. Upon "cleaning" and re-infections, it changes; therefore it doesn't appear to be tied to globally unique identifiers (GUIDs). What they've written suggests that it was tied to GUIDs of the most meticulous kind--a data set constructed to be as resilient as possible against swamping the data pool with false grouping. This is indicative of a specific desire to track people individually even if it means assigning them a new number.
    --
    the NPG electrode was replaced with carbon blac
  19. very nice article, one correction by meshko · · Score: 1

    One lists the price as a Russian "scumbag" slang word that loosely translates to "super-duper!"

    # create object associated with price list
    $price = 'pesdato!';
    The correct translation of 'pesdato!' would be 'fukken-A!'.
    --
    I passed the Turing test.
  20. Also in awe by HomelessInLaJolla · · Score: 1

    reading that article is like looking at the blueprint for a neutron bomb: beautiful, magnificent, and pure evil
    Indeed. Whoever wrote that (both the trojan and the article) knew quite a bit about the internal structures of Windows.

    Check this out:

    The malware opened the named pipe "\\.\PIPE\lsarpc" and the "C:\autoexec.bat" file, but the tools did not log any writes. The tools were "a Windows XP VMware virtual machine with tools designed for behavioral analysis". A little further down:

    Upack stub code is executed from the memory allocated for the executable's PE header. However, as it executes, that code changes, making normal breakpoints -- those set for certain code at certain addresses -- ineffective.
    Whoever wrote that binary also knew quite a bit about the way the overall architecture of the x86 series running the Windows kernel can be used to hide between the cracks.

    SecureWorks Senior Security Researcher Joe Stewart wrote OllyBonE (Break on Execute), a plug-in for OllyDbg that would be very useful. To use it, the malware executable would have to be moved out of the virtual machine and debugged on native hardware. A 750 MHz Pentium III and 512 MB RAM was loaded with a default install of Windows XP Professional SP2 in an isolated environment. OllyDbg, Joe's OllyBone plug-in, and the malware executable were copied to the system. Now we're getting to the point:

    After dismissing the error, execution is paused in ntdll.dll code. Upack must go back to the PE header for the working EXE file at some point, so bringing up the memory map (ALT+M) and right-clicking on that memory range brings up a context menu, where "Set breakpoint on execute" can be selected. Single stepping.

    There's an entire internet full of zero-day trojans which run this deep. I wouldn't be surprised if the same people who know enough to write this rogue code also use their expertise as a legitimate taxable employee someplace (security writing, security monitoring, detection, forensics, maybe on the LinuxSE team with the government). It's the same knowledge base.
    --
    the NPG electrode was replaced with carbon blac
    1. Re:Also in awe by Ilgaz · · Score: 1

      I always wondered what would happen if the author of Hybris wanted to harm the systems. I also believe that Virus was so advanced that it got its own "uninstall yourself" command from its master/creator.

      http://news.com.com/2009-1017-250870.html
      http://www.f-secure.com/v-descs/hybris.shtml

      When you look at detail, it is much more advanced than this trojan which does amazing things such as finding out the e-mail addresses via watching the communications just like Ethereal.

      The genius of old-time DOS viruses is IMHO GoldBug; it did an amazing job of hiding itself in video memory.

      http://www.f-secure.com/v-descs/goldbug.shtml (Mikko Hypponen's original analysis)

      Now imagine if these guys decided to make money via trojans.

  21. One point by Anonymous Coward · · Score: 0

    If you are using Windows, you must use a highly heuristics capable antivirus/security product. No name needed but if you rely on signature based antivirus, you are busted.

    Firefox? They would use some Firefox exploit if it was majority.

    If viruses appear for Mac, it will be the same deal too. There should be a tool watching the behaviour instead of sitting and waiting for pre-defined signatures. Pre-defined signatures were given up by serious vendors the first day poly/semi-polymorphic DOS viruses appeared.

  22. thank you, and good quote by circletimessquare · · Score: 1

    might i ask where it is from? ;-)

    the problem with this world is the naive and clueless, yet full of bravado, happily waltzing into a world of crime, extremely confident in their ability to take care of themselves and to handle any bad news guys they encounter

    they have no fucking clue

    they simply wind up trapped and under the thumb of a guy who has no problem killing their wife or children or girlfriend or parents. and, trapped under that thumb, they sit there silently ruing their younger dumber selves, a younger dumber self who could have just stayed clean, and made a little less money, a little harder, and yet remained free men, not slaves

    because that is what you become when you get involved with organized crime: a slave

    or dead

    take your pick, budding young confident script kiddies

    you can't beat the devil

    and the devil is not a person, it's a force: evil action begetting more evil action, and severing you from a happy life forever

    be warned, mr. young dumb and confident. hopefully you are reading this

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:thank you, and good quote by mav[LAG] · · Score: 1

      might i ask where it is from? ;-)

      Sure. It's from Goodfellas, probably the best mafia film ever made. The commentary track on the DVD features the real Henry Hill talking about his life as dramatised by Scorsese in the film. He comes to the same conclusion you do for the same reasons - it's no kind of life for anyone.

      --
      --- Hot Shot City is particularly good.
  23. I don't think so.. by madsheep · · Score: 1

    I don't think so.. this is using the Internet 101:


    inetnum: 81.95.144.0 - 81.95.147.255
    role: RBusiness Network Registry
    address: RBusiness Network
    address: The Century Tower Building
    address: Ricardo J. Alfari Avenue
    address: Panama City
    address: Republic of Panama
    phone: +1 401 369 8152
    e-mail: noc@rbnnetwork.com
    admin-c: JK4668-RIPE
    tech-c: JI424-RIPE
    nic-hdl: RNR4-RIPE
    mnt-by: RBN-MNT

  24. Undernet, is that you? by HomelessInLaJolla · · Score: 2, Interesting

    At one point the 76service development/trial server was located at an ISP in Atlanta, Georgia, USA, the same city where SecureWorks is headquartered. A few days later, they moved to a server that appears to be located in the American Midwest (Texas, Oklahoma, or Kansas), but the server's IP address is in a block assigned to a company in Tampa, Florida, USA. They will likely move again soon. A google search on 76service shows this page.


    route 65.254.48.0/20 Proxy registered route object GNAXNET NET 65 254 32 0 1 GNAXNET NET 65 254 48 0 1 Global Net Access, LLC 55 Marietta St, NW Suite 1720 Atlanta, GA 30303 and

    as3595 AS GNAXNET AS Global Net Access, LLC 1100 White Street Atlanta, GA 30310
    Who ran the Undernet's atlanta.ga.us.undernet.org server? Who worked for GNAX?
    --
    the NPG electrode was replaced with carbon blac
    1. Re:Undernet, is that you? by yawble · · Score: 1

      that's just a colo company here in atlanta. cyberwurx. shitty colo w/ bad routes.

  25. Examples where Mozilla uses M$. by twitter · · Score: 1, Informative

    The one I'm most familiar with is to get mail from Outlook to Thunderbird. M$'s own interface is terrible and forces the user to save each message as text one at a time with poor control of output location. Mozilla automates the use of the program called, but still uses the program.

    You might also look at Mozilla's ActiveX. While I'm sure it's much saner than the controls which were exploited in this threads topic, it's still a use of M$'s unsafe machinery.

    Finally, even good code is more dangerous on Windoze than elsewhere. M$ has not yet properly implemented users, permissions and other safety features found in the Unix world. This is one of the reasons it's always been so much easier to break a Windoze box than anything else. The other reason is that most M$ code is poor quality. They bought it and hacked it together and have always shipped with known bugs.

    --

    Friends don't help friends install M$ junk.

    1. Re:Examples where Mozilla uses M$. by jb.hl.com · · Score: 1

      The one I'm most familiar with is to get mail from Outlook to Thunderbird. M$'s own interface is terrible and forces the user to save each message as text one at a time with poor control of output location. Mozilla automates the use of the program called, but still uses the program.

      Wait, so you're complaining about Mozilla Thunderbird (which isn't a browser, like you were talking about) using a Microsoft function to get mail out of a Microsoft program? I'm sorry, but how is that a valid complaint in any way shape or form? And like I say, how does it relate to web browsers?

      You might also look at Mozilla's ActiveX. While I'm sure it's much saner than the controls which were exploited in this threads topic, it's still a use of M$'s unsafe machinery.

      Mozilla ActiveX isn't a part of the default setup of Mozilla, and is probably not in very wide use anyway. It's an extension, for fuck's sake, you have to follow a few steps to get it installed. (And it didn't work anyway, last time I tried it.)

      M$ has not yet properly implemented users, permissions and other safety features found in the Unix world.

      Windows 2000 and above have a permissions model easily on a par with or better than that found on Linux, and facilities for usergroups, users and other such things which are just as good. (If you're talking about Microsoft making the default user admin, that's a totally different kettle of fish.)

      Conclusion: you're talking shite. Sorry. You lose.

      --
      By summer it was all gone...now shesmovedon. --
  26. Obligatory joke by dkleinsc · · Score: 1

    In Soviet Russia, data hoard leads to you!

    Sorry, we'd just gotten well into commenting without a decent Russian reversal yet.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  27. mah dollah signs by Anonymous Coward · · Score: 0
    Here, you left out a few dollar signs:

    The one I'm mo$t familiar with i$ to get mail from Outlook to Thunderbird. MS'$ own interface i$ terrible and force$ the u$er to $ave each me$$age a$ text one at a time with poor control of output location. Mozilla automate$ the u$e of the program called, but $till u$e$ the program.

    You might al$o look at Mozilla'$ ActiveX. While I'm $ure it'$ much $aner than the control$ which were exploited in thi$ thread$ topic, it'$ $till a u$e of MS'$ un$afe machinery.

    Finally, even good code i$ more dangerou$ on Windows then el$ewhere. MS ha$ not yet properly implemented u$er$, permi$$ion$ and other $afety feature$ found in the Unix world. Thi$ i$ one of the rea$on$ it'$ alway$ been $o much ea$ier to break a Windows box than anything el$e. The other rea$on i$ that mo$t MS code i$ poor quality. They bought it and hacked it together and have alway$ $hipped with known bug$.

    Your post was unreadable anyway, but now it has comedic value!

  28. Ignorant by Anonymous Coward · · Score: 0
    > [Microsoft] has not yet properly implemented users, permissions and other safety features found in the Unix world.

    Wow, you really are ignorant. Why do you think SELinux is so hot? Because it copies Microsoft's ACL security model. Why don't you just shut up if you're going to spout worthless ignorant crap like this?

  29. Mod Parent Up by Romwell · · Score: 1

    Please, mod parent up for linguistic correctness =) Pesdato (syn. Ohuenno) indeed is better translated like "fckin' awesome" and such =)