Slashdot Mirror


Massive Spam Shot of "Storm Trojan"

jcatcw writes "Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through email. 'Expect this to grow much larger,' a Postini spokesman said; 'It should top out at 60 million messages within the next 24 hours.' It's the largest attack in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. The spam carries a ZIP file attachment posing as a patch with subjects such as Worm Alert!, Worm Detected, Spyware Detected!, or Virus Activity Detected."

42 of 260 comments

  1. Another day in the world of near-monoculture. by jcr · · Score: 5, Interesting

    After all these years of malware on Windows systems, I think it's high time someone took Microsoft to court and at least charged them with contributory negligence. After the Melissa virus, they can't claim that they don't know the hazard.

    The person to bring this suit would need to be someone who's not a licensee of any MS products, but has suffered losses from their network getting DOS'd by Windows zombies trying to trade copies of the malware of the hour.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:Another day in the world of near-monoculture. by grub · · Score: 5, Funny


      Microsoft is to computers what Philip Morris is to lungs.
      Woo, a new quote! :))

      --
      Trolling is a art,
    2. Re:Another day in the world of near-monoculture. by grub · · Score: 3, Funny

      s/what/as/g

      --
      Trolling is a art,
    3. Re:Another day in the world of near-monoculture. by baryon351 · · Score: 4, Funny

      After all these years of malware on Windows systems, I think it's high time someone took Microsoft to court and at least charged them with contributory negligence. After the Melissa virus, they can't claim that they don't know the hazard.

      Who said it's Windows malware?

      (yeah, OK, I was trying to be funny...)

    4. Re:Another day in the world of near-monoculture. by MightyYar · · Score: 5, Insightful

      Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

      If anyone should be sued, it should be the ISPs who allow zombies to sit there on their network. I don't like lawsuits, and would prefer to see some government incentive used to compel ISPs to remove the zombies.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    5. Re:Another day in the world of near-monoculture. by baryon351 · · Score: 2

      I hadn't read the computerworld article before posting the above comment. Sadly, now I have, I notice it doesn't mention which OS the trojan runs on.

      If I weren't so tired atm I'd have something deep and witty to say about that, but all I can do is shake my head.

    6. Re:Another day in the world of near-monoculture. by jimstapleton · · Score: 2, Funny

      Very true...

      The biggest security risk is shared by all operating systems and hardware setups because it's not part of the computer.

      It's the lump of carbon, water, and other trace elements/compounds between the keyboard and the chair.

      --
      34486853790
      Connection too slow for X forwarding? Try "ssh -CX user@host"
    7. Re:Another day in the world of near-monoculture. by mcpkaaos · · Score: 2, Insightful

      By that logic, should Slashdot be sued by sites that suffer the Slashdot Effect? It is a form of DoS, after all, and Slashdot are obviously aware when it occurs yet do little (mirrors after the fact) or nothing (no mirror at all) to prevent it.

      --
      It goes from God, to Jerry, to me.
    8. Re:Another day in the world of near-monoculture. by SomeoneGotMyNick · · Score: 5, Funny

      I notice it doesn't mention which OS the trojan runs on. **** COMMODORE 64 BASIC V2.0 ****

    9. Re:Another day in the world of near-monoculture. by Hoi+Polloi · · Score: 2, Funny

      Microsoft is to viruses/trojans as Europe was to the Black Plague

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    10. Re:Another day in the world of near-monoculture. by pestario · · Score: 2, Insightful

      s/g//

      --
      :n
    11. Re:Another day in the world of near-monoculture. by MightyYar · · Score: 2, Informative

      I could see where that would help if the fact that it were an executable was obscured, but in this case the user is PURPOSELY running an executable. They'd take one glance at the message, say, "No shit," and click "Allow".

      Besides, Outlook DOES warn you when you try to launch an executable! I just tried to launch VNC, and it says, "WARNING! This file may contain a virus that can be harmful to your computer. You must save this file to disk before it can be opened. It is important to be VERY certain that this file is safe before you open it." It then does not let you launch the executable, but instead prompts you for a save location.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    12. Re:Another day in the world of near-monoculture. by gvc · · Score: 2, Interesting

      Who said it's Windows malware?
      Um, the payload is a .exe file.

      I thought I'd be a smart-ass and show you that it didn't run on Linux. But, damn! I have Wine installed.

      ./News.exe Could not stat /mnt/cdrom (No such file or directory), ignoring drive D:
      err:win32:PE_fixup_imports No implementation for lz32.dll.2(LZCloseFile) imported from F:\News.exe, setting to 0xdeadbeef
      wine: Unhandled exception, starting debugger...
  2. Wow, good thing by Grashnak · · Score: 5, Funny

    Good thing I installed that anti virus program that unexpectedly emails me attachments to protect me. Otherwise I'd be in trouble!

    --
    Life needs more saving throws.
  3. I got one, I got one!!! by sobolwolf · · Score: 5, Informative

    This was an image file so I typed it out, so maybe a nice person with mod points will redeem my terrible Karma... --

    Dear Customer,

    Our Robot has detected an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of worm which does not have offical patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch becouse the worm can modify unpacked exe files. you should open the archive file, enter the password and run the patch immediately.

    Password: ugh11

    Customer Support Center Robot

    __________ NOD32 2120 (20070316) Information __________

    This message was checked by NOD32 antivirus system.
    patch-95150.zip - is OK
    patch-95150.zip > ZIP > patch-95150.exe - error - password-protected file
    http://www.eset.com/

    1. Re:I got one, I got one!!! by 0100010001010011 · · Score: 2, Funny

      At least my spammers are well read. The text that accompanied one of my image spams is as follows:

      'Aye, you do indeed,' said Gimli, looking them up and down over the top of his cup. 'Why, your hair is twice as thick and curly as when we parted; and I would swear that you have both grown somewhat, if that is possible for hobbits of your age. This Treebeard at any rate has not starved you.'

  4. I saw one of these yesterday by jsewell · · Score: 4, Informative

    The msg body was a GIF containing text telling me there had been virus activity from my IP and I should run this "patch" to fix it. The "patch" was a zip file they said they had to send as a zip so my "comprimised virus scanner" wouldn't reject it. If I didn't run the patch, my internet access would be cut off. All I had to do was unzip and run the patch and all my problems would be solved. HA!

    We all had a chuckle at how stupid someone would be to actually do that - then we realized grandma probably would, not knowing any better. All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

    1. Re:I saw one of these yesterday by cdrguru · · Score: 4, Insightful

      Wrong - Linux and Mac are completely vulnerable to this type of attack. You go to install something you were told to install, and it prompts for the root password. The user then types it in and the machine is wide open.

      Don't think that would happen? You must be dealing with a better class of users than exist in the wild. Of course it would happen, and happen at such a frequency that it would be just another massive exploit.

      Windows is targeted because of market penetration. Why bother with less than 5% when you can get 95% in a single effort?

    2. Re:I saw one of these yesterday by Anonymous Coward · · Score: 2, Funny

      Since she started using a Mac.

  5. waaaait just one second... by ScentCone · · Score: 4, Insightful

    All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

    Out of curiosity... since this is a completely social hack, and is just a means to trick somebody into opening up a compressed file and running the included executable... why would a Mac or Linux user be immune? Cannot Mac and Linux users also run executable programs from their desktops? You're confusing the ability to run a program of your choice with the means by which someone is fooling you into thinking you should choose to run it, right?

    --
    Don't disappoint your bird dog. Go to the range.
  6. Re:New "Sledgehammer" virus by svendsen · · Score: 2, Insightful

    Agreed. You can not make a system to prevent users from shooting themselves in the foot. I mean I can drive my car into a tree, how dare it let me do that!

  7. Simple problem by cdrguru · · Score: 3, Informative

    If any computer is not properly administered, it will be compromised by users that don't know any better. They can't possibly be aware of the differences between Microsoft automatically applying updates and other such "software updates" that might be required.

    One sort of computer doesn't need to be administered any more than your toaster or TV needs to be administered. If the programming cannot be changed by the user in any way and all it does is read email and browse the web. Period. Maybe play some music sometimes. Ideally, such a device has its programming in ROM (not flash) and cannot be changed in any way. No instructions are ever put on R/W memory, ever. Completely and utterly secure the way your toaster is. How many people have found exploits for a toaster?

    Windows is perfectly secure when it is properly set up and administered. The problem is that you can't install software on such a computer and you can run all sorts of fun applications. Gee, isn't that too bad. One solution is to require every user to either (a) switch to an appliance that cannot be compromised, (b) pay the ISP to administer their computer or (c) pass a test to be qualified to have a general-purpose computer connected to the Internet. And yes, the test should be similar to the FCC license for HAM radio: long, incredibly detailed and most people can't pass it without lots of work.

    The operating system cannot be made secure from users adding software if they are supposed to add software. But users aren't qualified to add software to their computers and if they are allowed to do so, they will add things that will eventually destroy the ability to use the Internet.

  8. maybe the problem... by darkvizier · · Score: 2, Interesting

    ...is that malware has better installation instructions than any of our other software. When people see documentation, it's like a dream come true!

    Ah... disillusionment. :-)

  9. Mail server filters by TheBracket · · Score: 2, Interesting

    We have a set of filters in place that scan every incoming message (for viruses, spam, etc.). It looks like in the last 24 hours or so we've blocked a few thousand of these. They seem to be coming from all over the place, with a variety of subject lines. We block any IP that sends us malicious messages more than twice in an hour (the block stays up for 24 hours, I think), so the 2-3,000 we've blocked could be a drop in the ocean - or may not be. That's still a lot more than we get for most incidents like this.

    --
    Lead developer, http://wisptools.net
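    The blocking policy described in the post above, as an added example (not wisptools' or the poster's code): a Python simulation of a threshold-based sender blocklist replayed over constructed log lines. The policy values (more than two malicious messages from one IP within an hour triggers a 24-hour block) are taken from the comment; the log format, the helper names and the sample IP addresses are assumptions.

```python
"""Threshold-based sender blocking (added example, not wisptools' code).

Policy taken from the comment above: an IP that sends more than two
malicious messages within one hour is blocked for 24 hours. The log
format, helper names and IP addresses below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "date time client_ip verdict" format.
SAMPLE_LOG = """\
2007-03-16 09:00:05 198.51.100.7 malware
2007-03-16 09:10:00 198.51.100.7 malware
2007-03-16 09:20:00 203.0.113.9 clean
2007-03-16 09:30:00 198.51.100.7 malware
2007-03-16 09:31:00 198.51.100.7 clean
2007-03-16 12:00:00 203.0.113.9 malware
2007-03-16 14:00:00 203.0.113.9 malware
2007-03-16 15:30:00 203.0.113.9 malware
2007-03-17 09:31:00 198.51.100.7 clean
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+)$")


class SenderBlocker:
    """Sliding-window counter per IP plus a table of active blocks."""

    def __init__(self, threshold=2, window=timedelta(hours=1),
                 block_for=timedelta(hours=24)):
        self.threshold = threshold      # block once hits in the window exceed this
        self.window = window
        self.block_for = block_for
        self.hits = defaultdict(deque)  # ip -> timestamps of malicious messages
        self.blocked_until = {}         # ip -> time the block expires

    def is_blocked(self, ip, now):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:               # block has lapsed; forget it
            del self.blocked_until[ip]
            return False
        return True

    def observe(self, ip, verdict, now):
        """Return 'blocked' (IP on the blocklist), 'reject' (malicious
        message from an IP still under the threshold) or 'accept'."""
        if self.is_blocked(ip, now):
            return "blocked"
        if verdict != "malware":
            return "accept"
        recent = self.hits[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # drop hits older than the window
        if len(recent) > self.threshold:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return "blocked"
        return "reject"


def run(log_text, blocker=None):
    """Replay log lines through the policy; returns [(ip, decision), ...]."""
    blocker = blocker or SenderBlocker()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # skip lines that do not fit the format
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        decisions.append((m.group(2), blocker.observe(m.group(2), m.group(3), when)))
    return decisions


if __name__ == "__main__":
    for ip, decision in run(SAMPLE_LOG):
        print(f"{ip:<14} {decision}")
```

    Replaying the sample, the first IP trips the rule on its third malicious message within the hour and stays blocked (even a clean message is refused) until the block lapses a day later. The second IP sends the same number of malicious messages spread over six hours and never trips it, which is why a per-hour counter like this one sees only the fast senders; the post's "drop in the ocean" caveat is exactly that gap.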
  10. Too much privilege! by spaceyhackerlady · · Score: 3, Insightful

    Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

    Actually, there is a technical flaw, not just a human engineering one. The system allows users to install software, with global system implications, with no confirmation. My Mac confirms such things with me, and seems to get it right. My Linux box won't let me touch the global system configuration at all unless I su to root.

    This has always been the problem. I recognize that there is incompetent Windows software out there that won't run without Administrator privileges, but that's another issue. If you really need privilege to do something (like change your password), other systems have ways of temporarily elevating privilege. Like suid on Unix.

    ...laura

    1. Re:Too much privilege! by Feanturi · · Score: 2

      My Mac confirms such things with me,

      That's great, so when you're doing something that you feel really needs to be done, such as protecting your computer from the nasty botnet it is reportedly a part of, or your email will be cut off, you'll click through those prompts to get that patch in. Well maybe not you personally, but you and I are not the common masses.

      Vista has the "Cancel or Allow" thingy going now. Do they need to extend it, would that really help?

      "Hmm I need to run this patch like the email says, well here goes:"

      [Attention, you might be about to bork your computer with this action, Cancel or Allow?]

      "Umm... Well the email seems pretty insistent, I better still do it.. ALLOW"

      [Are you sure about that?]

      "YES"

      [Are you REALLY sure??]

      "YES"

      [Honest and for true?]

      "YES"

      Where should it stop?

    2. Re:Too much privilege! by MindStalker · · Score: 2, Interesting

      You could make the argument that as viruses have been around for a long time MS had a reason from the start to build it right.

      Let's say there were no laws governing seat belts. And theoretically after seat belts were already in wide use among the new.. flying cars that a few people drove. Fly Systems finally invents the flying cars for the average Joe. It really takes off and now almost everyone has a Fly System car, but Fly Systems REFUSES to sell cars with seat belts, despite a market demand. Sure you can buy add-in seat belts but they never work just right.. Would Fly Systems be partially liable?? I don't know but it's an interesting legal question.

    3. Re:Too much privilege! by alphamugwump · · Score: 3, Insightful

      All right. You did it. I finally snapped. Here goes my karma.

      Why the fuck do people keep bashing the UAC? What the fuck is wrong with finally having a real "sudo" in windows? Instead of having to run as administrator all the time, you can now escalate when you want to. Microsoft finally adds better security, and all the whiners come out of the woodwork.

      This sort of shit reminds me of my uncle, who thinks he's a computer person:

      "I really miss windows 98. It was a simple, no-frills operating system."
      "It didn't have a firewall."
      "You can download a free one."
      "It didn't have any kind of access controls."
      "???"

      That kind of thing. The hell of it is, the people who are moaning about the UAC must be running as administrator. This poses two questions. First, why are they running as administrator? Second, if it bugs them so much, why don't they turn it off?

      I'm not a windows fanboy by any means, nor do I like Vista, but this hypocritical bullshit just drives me totally crazy. You wanted security, you got it. Go ahead. Surf the web as root, and get owned. But don't come back and whine about how windows is insecure. You don't know the meaning of the word.

      If you want a reason to complain about Vista, complain about DRM. You can't turn that off in control panel, and its hooks reach deep into the display system. It's a deliberate attempt to lock you out of your own computer. They'd probably love it if PCs were like xboxes, with everything signed out to wazoo. Hell, it's happening already with hd-dvd.

      But no, you take the time to bitch about Windows' advantages.

    4. Re:Too much privilege! by Sancho · · Score: 2, Insightful

      Asking the user for permission to perform administrative actions is good. Asking them 2-3 times per perceived action is bad.

      One of the problems I had with early revisions of UAC (I haven't had the pleasure of trying out Vista's final version much) is that it couldn't figure out what the user was trying to do and anticipate it. When creating a new file, I first was asked if I was sure I wanted to create it, then I was asked if I was sure that I wanted to rename it. Hey Vista! It's a NEW FILE! I probably don't want your stupid default name! This sort of problem was all over the place in RC1, and not much better in RC2. I've heard that UAC didn't change much from RC2 to RTM.

      Turn it off? Sure, but your average user won't know how to do that, and so they'll just be further trained to click Ok to do whatever it is they're trying to do.

  11. Re:waaaait just one second... by adolf · · Score: 5, Insightful

    And you could presumably trick users w/o regard to the OS they use. But it's far more likely that the windows user is logged in with full Admin privileges.

    But it doesn't matter.

    The trojan/worm need not be an administrator to trash a user's computer, even with Linux. Let's use Ubuntu as an example. It can still send mail and propagate just fine as a regular user. It can also trash that user's documents and files (which are likely to be the only important data on the machine). It can use a crontab entry to start a daemon on a high-numbered port, which will run without user interaction, or without them even being logged in. That daemon won't be root, but it will still be capable of being a very proficient zombie.

    After that, for good measure, it can just run gksudo and simply ask the user for root permission. Ubuntu users are absolutely content to enter their own password into gksudo whenever prompted, especially when performing updates and patches (as this claims to be). So, the trojan will readily then gain root and be free to run completely amok. Trashing or rooting the OS is the obvious next step, but it's probably not even needed after all of the damage and infiltration already accomplished as a regular user.

    Seriously - just because it's not Windows does not mean that it's secure. As long as people are able to run arbitrary programs on their own computers, these types of things will continue to be a problem...no matter what kind of computer it is, and no matter if it has root/administrator privileges or not.

  12. Inoculation by dremel · · Score: 2, Interesting

    A good campaign of email virus inoculation should do the trick. Start a series of spam which looks exactly like a virus, but just puts up a "If this were a virus, you'd have just infected yourself!" message, thus training users to just not open it!

    Possibly add a link or button (perhaps labeled "Click Me!") which puts up a follow-up message for the especially thick user: "For heaven's sake, you're just making it worse. Quit clicking these things!"

  13. Re:waaaait just one second... by _xeno_ · · Score: 2

    Executables are frequently distributed inside compressed archives (e.g., ZIP files) in order to prevent email filters from automatically removing them as "dangerous file types." There are ZIP extensions and TAR natively includes UNIX privileges, so there'd be no need to chmod +x malware, as the decompression utility would do it automatically.

    To the best of my knowledge, none of these formats will set the setuid bit, though, so from there you'd either need to get the user to run it as root (sudo malware) or, much more likely, use a local root exploit.

    I don't know how the GNOME/KDE "sudo" interactive applications are used, but it's probably possible malware could simply use that to ask for root privileges. Home users would almost certainly have sudo access if only to be able to run software updates as well as install new software.

    In short, Linux won't make users any smarter. They could still be tricked into running malicious software - although it would likely involve more steps, which may help prevent problems.

    --
    You are in a maze of twisty little relative jumps, all alike.
  14. High risk file types by iago-vL · · Score: 2, Insightful
    Are you sure you got all the high-risk file types? Here's one or two you should avoid:

    .ade .adp .app .asp .bas .bat .cer .chm .cmd .com .cpl .crt .csh .exe .fxp .hlp .hta .inf .ins .isp .its .js .jse .ksh .lnk .mad .maf .mag .mam .maq .mar .mas .mat .mau .mav .maw .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp .mst .ops .pcd .pif .prf .prg .pst .reg .scf .scr .sct .shb .shs .tmp .url .vb .vbe .vbs .vsmacros .vss .vst .vsw .ws .wsc .wsf .wsh

    Source: http://support.microsoft.com/kb/925330/en-us
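    An added example, not from the KB article, any product or the poster: a Python attachment screen that applies the extension list above, looks inside ZIP attachments for high-risk members (the campaign in the story ships a .exe inside a password-protected .zip, which the NOD32 footer quoted earlier in the thread could not open), and flags members whose ZIP "encrypted" bit is set. The sample attachment names are taken from the thread (patch-95150.zip, "Click Here.exe", "flash postcard.exe"); the file contents, the helper names and the hand-set encryption bit are constructed for the demo.

```python
"""Attachment screening with the high-risk extension list (added example).

Not from the KB article, any product or the poster. Checks the last
extension of an attachment name, looks inside ZIP attachments for
high-risk members, and flags members whose ZIP 'encrypted' bit is set,
since a scanner cannot inspect those. Sample attachments are constructed.
"""
import io
import os
import zipfile

# Extension list as posted above (KB 925330).
HIGH_RISK = set("""
.ade .adp .app .asp .bas .bat .cer .chm .cmd .com .cpl .crt .csh .exe .fxp
.hlp .hta .inf .ins .isp .its .js .jse .ksh .lnk .mad .maf .mag .mam .maq
.mar .mas .mat .mau .mav .maw .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp
.mst .ops .pcd .pif .prf .prg .pst .reg .scf .scr .sct .shb .shs .tmp .url
.vb .vbe .vbs .vsmacros .vss .vst .vsw .ws .wsc .wsf .wsh
""".split())

ZIP_ENCRYPTED_FLAG = 0x1            # bit 0 of the general-purpose flag field
CENTRAL_DIR_SIG = b"PK\x01\x02"     # central directory file header signature


def risky_name(filename):
    """True if the final extension is on the list; only the last suffix
    counts, so 'Click Here.exe' and 'patch.txt.exe' both match."""
    return os.path.splitext(filename.lower())[1] in HIGH_RISK


def screen_attachment(filename, data):
    """Return the reasons to quarantine this attachment (empty = pass)."""
    reasons = []
    if risky_name(filename):
        reasons.append(f"high-risk extension: {filename}")
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if risky_name(info.filename):
                        reasons.append(f"high-risk member in archive: {info.filename}")
                    if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                        reasons.append(f"encrypted member cannot be scanned: {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("attachment claims .zip but is not a valid archive")
    return reasons


# --- constructed sample data (demo helpers, not part of the screen) ---------

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' bit on every central-directory entry so the demo
    archive looks password-protected to a reader. The data stays in the
    clear; this only flips the flag (bytes 8-9 of each entry, little-endian)."""
    out = bytearray(zip_bytes)
    pos = out.find(CENTRAL_DIR_SIG)
    while pos != -1:
        out[pos + 8] |= ZIP_ENCRYPTED_FLAG
        pos = out.find(CENTRAL_DIR_SIG, pos + 4)
    return bytes(out)


FAKE_EXE = b"MZ" + b"\x00" * 30      # stub bytes standing in for a program

SAMPLE_ATTACHMENTS = {
    "patch-95150.zip": mark_encrypted(build_zip({"patch-95150.exe": FAKE_EXE})),
    "Click Here.exe": FAKE_EXE,
    "flash postcard.exe": FAKE_EXE,
    "report.pdf": b"%PDF-1.4 constructed sample",
    "photos.zip": build_zip({"beach.jpg": b"\xff\xd8 constructed sample"}),
    "notazip.zip": b"this is not an archive at all",
}


def screen_all(attachments=SAMPLE_ATTACHMENTS):
    """Screen every attachment; returns {name: [reasons]}."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(f"{name:<20} {'PASS' if not reasons else '; '.join(reasons)}")
```

    The extension check is the blunt part and is only as good as the list; the check that matters for this campaign is the encryption bit, because a password in the message body is exactly what keeps the payload out of reach of the scanner (the NOD32 footer in the thread stopped at that point too). Quarantining encrypted archives from unknown senders, rather than passing them as "OK", is the practical policy the screen above implements.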

  15. Nope by winkydink · · Score: 2, Informative

    I'm not seeing any statistically significant increase in either what's being blocked or what's being accepted by any of the MTAs I manage. Also, Trend Micro's spam stats don't show any major jump in activity either.

    I have seen a couple of copies of the spam itself, but nothing major.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:Nope by TFGeditor · · Score: 2, Interesting

      "I'm not seeing any statistically significant increase in either what's being blocked or what's being accepted by any of the MTAs I manage. Also, Trend Micro's spam stats don't show any major jump in activity either."

      I hope you are right, because I have had an epiphany and am now one of those who decry the "clueless users/lusers" responsible for letting their machines become infected and recruited into botnets.

      I used to have sympathy for them, but as botnets proliferate and my mail servers get pounded even harder by spam et al, that sentiment is becoming harder to conjure up.

      I am on the verge of joining the "computer users should be licensed" ranks.

      [sigh]

      --
      Ignorance is curable, stupid is forever.
    2. Re:Nope by winkydink · · Score: 2, Insightful

      Rumor has it that Postini is close to filing their S1 (i.e., getting ready to go public). Coincidence? Hmmm....

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    3. Re:Nope by Ilgaz · · Score: 4, Interesting

      I choose to report my spam instead of ignoring it, so believe it or not, I saw a single Canadian IP spamming (sending that worm) to 3 different mailboxes which have nothing to do with each other. I even added to the spamcop.net report comment "Please take care of this IP" and added the kaspersky virus ID. Guess what happened in return? A kind "thank you we took care of it" from the Canadian ISP? No, 2 more spams from the same IP! :)

      I have checked the senderbase.org entry and it says like 3500% volume increase over 1 day from that IP!

      Still, as an old timer I feel uncomfortable posting the IP on the web whether it is spammer/worm infected or not. I mean that worm really took off, perhaps the owner of the botnet finally accepted the price offered by mob, mafia, whatever is using it. Yet again, no worries, Clam detects it even without opening that password-protected zipped junk.

  16. computer IQ test? by Bill,+Shooter+of+Bul · · Score: 4, Funny

    That is absolutely true. I guess the only real solution I can think of is require some sort of computer IQ test, instead of cancel or allow.

    Are you sure you want to do this?

    "YES"

    OK, what is the end result of this computation: 15 XOR 24?

    " UM 17?"

    No, please call your son to ask permission to perform this operation.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
    1. Re:computer IQ test? by parkrrrr · · Score: 2, Interesting

      31.

      You didn't specify a base.

  17. A day in the life of a spam filter by gvc · · Score: 2, Interesting
    If the CEAS Live Challenge had occurred over the last 24 hours, participants would've had to deal with several copies of this virus. Note how it morphed from news headlines to greeting card lines over the course of the day.

    USA Missle Strike: Iran War just have started attach="News.exe"
    Israel Just Have Started World War III attach="Video.exe"
    Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Here.exe"
    USA Missle Strike: Iran War just have started attach="News.exe"
    USA Just Have Started World War III attach="Read More.exe"
    Iran Just Have Started World War III attach="Movie.exe"
    Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Me.exe"
    Missle Strike: The USA kills more then 10000 Iranian citizens attach="Video.exe"
    USA Just Have Started World War III attach="News.exe"
    I Love You Because attach="flash postcard.exe"
    You're In My Thoughts attach="postcard.exe"
    You're In My Thoughts attach="flash postcard.exe"
    Love Remains attach="Love Card.exe"
    Inside My Heart attach="greeting card.exe"
    A Kiss So Gentle attach="Postcard.exe"
  18. Re:It scares me to death! by Mister+Whirly · · Score: 3, Funny

    "Once someone smart had said : There's no patch for stupidity"

    Sure there is

    --
    "But this one goes to 11!"
  19. Trojan is so US centric by TechyImmigrant · · Score: 4, Funny

    It may be a Storm Trojan in the USA, however in the UK it would be called a Storm Durex. Either are good for penetration.

    --
    Evil people are out to get you.