Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Spam Shot of "Storm Trojan"

Posted by kdawson on from the storm-warning dept.

jcatcw writes "Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through email. 'Expect this to grow much larger,' a Postini spokesman said; 'It should top out at 60 million messages within the next 24 hours.' It's the largest attack in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. The spam carries a ZIP file attachment posing as a patch with subjects such as Worm Alert!, Worm Detected, Spyware Detected!, or Virus Activity Detected."

12 of 260 comments (clear)

  1. Re:Another day in the world of near-monoculture. by MightyYar · · Score: 5, Insightful

    Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

    If anyone should be sued, it should be the ISPs who allow zombies to sit there on their network. I don't like lawsuits, and would prefer to see some government incentive used to compel ISPs to remove the zombies.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. Re:Another day in the world of near-monoculture. by mcpkaaos · · Score: 2, Insightful

    By that logic, should Slashdot be sued by sites that suffer the Slashdot Effect? It is a form of DoS, after all, and Slashdot are obviously aware when it occurs yet do little (mirrors after the fact) or nothing (no mirror at all) to prevent it.

    --
    It goes from God, to Jerry, to me.
  3. waaaait just one second... by ScentCone · · Score: 4, Insightful

    All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

    Out of curiosity... since this is a completely social hack, and is just a means to trick somebody into opening up a compressed file and running the included executable... why would a Mac or Linux user be immune? Cannot Mac and Linux users also run executable programs from their desktops? You're confusing the ability to run a program of your choice with the means by which someone is fooling you into thinking you should choose to run it, right?

    --
    Don't disappoint your bird dog. Go to the range.
  4. Re:New "Sledgehammer" virus by svendsen · · Score: 2, Insightful

    Agreed. You can not make a system to prevent users from shooting themselves in the fool. I mean I can drive my car into a tree, how dare it let me do that!

  5. Re:I saw one of these yesterday by cdrguru · · Score: 4, Insightful

    Wrong - Linux and Mac are completely vulnerable to this type of attack. You go to install something that you were told to do so and it prompts for the root password. The user then types it in and the machine is wide open.

    Don't think that would happen? You must be dealing with a better class of users than exist in the wild. Of course it would happen, and happen at such a frequency that it would be just another massive exploit.

    Windows is targeted because of market penetration. Why bother with less than 5% when you can get 95% in a single effort?

  6. Too much privilege! by spaceyhackerlady · · Score: 3, Insightful

    Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

    Actually, there is a technical flaw, not just a human engineering one. The system allows users to install software, with global system implications, with no confirmation. My Mac confirms such things with me, and seems to get it right. My Linux box won't let me touch the global system configuration at all unless I su to root.

    This has always been the problem. I recognize that there is incompetent Windows software out there that won't run without Administrator privileges, but that's another issue. If you really need privilege to do something (like change your password), others systems have ways of temporarily elevating privilege. Like suid on Unix.

    ...laura

    1. Re:Too much privilege! by alphamugwump · · Score: 3, Insightful

      All right. You did it. I finally snapped. Here goes my karma.

      Why the fuck do people keep bashing the UAC? What the fuck is wrong with finally having a real "sudo" in windows? Instead of having to run as administrator all the time, you can now escalate when you want to. Microsoft finally adds better security, and all the whiners come out of the woodwork.

      This sort of shit reminds me of my uncle, who thinks he's a computer person:

      "I really miss windows 98. It was a simple, no-frills operating system."
      "It didn't have a firewall."
      "You can download a free one."
      "It didn't have any kind of access controls."
      "???"

      That kind of thing. The hell of it is, the people who are moaning about the UAC must be running as administrator. This poses two questions. First, why are they running as administrator? Second, if it bugs them so much, why don't they turn it off?

      I'm not a windows fanboy by any means, nor do I like Vista, but this hypocritical bullshit just drives me totally crazy. You wanted security, you got it. Go ahead. Surf the web as root, and get owned. But don't come back and whine about how windows is insecure. You don't know the meaning of the word.

      If you want a reason to complain about Vista, complain about DRM. You can't turn that off in control panel, and its hooks reach deep into the display system. It's a deliberate attempt to lock you out of your own computer. They'd probably love it if PCs were like xboxes, with everything signed out to wazoo. Hell, it's happenning already with hd-dvd.

      But no, you take the time to bitch about window's advantages.

    2. Re:Too much privilege! by Sancho · · Score: 2, Insightful

      Asking the user for permission to perform administrative actions is good. Asking them 2-3 times per perceived action is bad.

      One of the problems I had with early revisions of UAC (I haven't had the pleasure of trying out Vista's final version much) is that it couldn't figure out what the user was trying to do and anticipate it. When creating a new file, I first was asked if I was sure I wanted to create it, then I was asked if I was sure that I wanted to rename it. Hey Vista! It's a NEW FILE! I probably don't want your stupid default name! This sort of problem was all over the place in RC1, and not much better in RC2. I've heard that UAC didn't change much from RC2 to RTM.

      Turn it off? Sure, but your average user won't know how to do that, and so they'll just be further trained to click Ok to do whatever it is they're trying to do.

  7. Re:Another day in the world of near-monoculture. by pestario · · Score: 2, Insightful

    s/g//

    --
    :n
  8. Re:waaaait just one second... by adolf · · Score: 5, Insightful

    And you could presumably trick users w/o regard to the OS they use. But it's far more likely that the windows user is logged in with full Admin privileges.

    But it doesn't matter.

    The trojan/worm need not be an administrator to trash a user's computer, even with Linux. Let's use Ubuntu as an example. It can still send mail and propagate just fine as a regular user. It can also trash that user's documents and files (which are likely to be the only important data on the machine). It can use a crontab entry to start a daemon on a high-numbered port, which will run without user interaction, or without them even being logged in. That daemon won't be root, but it will still be capable of being a very proficient zombie.

    After that, for good measure, it can just run gksudo and simply ask the user for root permission. Ubuntu users are absolutely content to enter their own password into gksudo whenever prompted, especially when performing updates and patches (as this claims to be). So, the trojan will readily then gain root and be free to run completely amock. Trashing or rooting the OS is the obvious next step, but it's probably not even needed after all of the damage and infiltration already accomplished as a regular user.

    Seriously - just because it's not Windows does not mean that it's secure. As long as people are able to run arbitrary programs on their own computers, these types of things will continue to be a problem...no matter what kind of computer it is, and no matter if it has root/administrator priveledges or not.

    --
    Kid-proof tablet..
  9. High risk file types by iago-vL · · Score: 2, Insightful
    Are you sure you got all the high-risk file types? Here's one or two you should avoid:

    .ade .adp .app .asp .bas .bat .cer .chm .cmd .com .cpl .crt .csh .exe .fxp .hlp .hta .inf .ins .isp .its .js .jse .ksh .lnk .mad .maf .mag .mam .maq .mar .mas .mat .mau .mav .maw .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp .mst .ops .pcd .pif .prf .prg .pst .reg .scf .scr .sct .shb .shs .tmp .url .vb .vbe .vbs .vsmacros .vss .vst .vsw .ws .wsc .wsf .wsh

    Source: http://support.microsoft.com/kb/925330/en-us

    --
    http://www.skullsecurity.org/blog/
  10. Re:Nope by winkydink · · Score: 2, Insightful

    Rumor has it that Postini is close to filing their S1 (i.e., getting ready to go public). Coincidence? Hmmm....

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey