Slashdot Mirror


Massive Spam Shot of "Storm Trojan"

jcatcw writes "Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through email. 'Expect this to grow much larger,' a Postini spokesman said; 'It should top out at 60 million messages within the next 24 hours.' It's the largest attack in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. The spam carries a ZIP file attachment posing as a patch with subjects such as Worm Alert!, Worm Detected, Spyware Detected!, or Virus Activity Detected."

14 of 260 comments

  1. Another day in the world of near-monoculture. by jcr · · Score: 5, Interesting

    After all these years of malware on Windows systems, I think it's high time someone took Microsoft to court and at least charged them with contributory negligence. After the Melissa virus, they can't claim that they don't know the hazard.

    The person to bring this suit would need to be someone who's not a licensee of any MS products, but has suffered losses from their network getting DOS'd by Windows zombies trying to trade copies of the malware of the hour.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:Another day in the world of near-monoculture. by grub · · Score: 5, Funny


      Microsoft is to computers what Philip Morris is to lungs.
      Woo, a new quote! :))

      --
      Trolling is a art,
    2. Re:Another day in the world of near-monoculture. by baryon351 · · Score: 4, Funny

      After all these years of malware on Windows systems, I think it's high time someone took Microsoft to court and at least charged them with contributory negligence. After the Melissa virus, they can't claim that they don't know the hazard.

      Who said it's Windows malware?

      (yeah, OK, I was trying to be funny...)

    3. Re:Another day in the world of near-monoculture. by MightyYar · · Score: 5, Insightful

      Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

      If anyone should be sued, it should be the ISPs who allow zombies to sit there on their network. I don't like lawsuits, and would prefer to see some government incentive used to compel ISPs to remove the zombies.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    4. Re:Another day in the world of near-monoculture. by SomeoneGotMyNick · · Score: 5, Funny

      I notice it doesn't mention which OS the trojan runs on. **** COMMODORE 64 BASIC V2.0 ****

  2. Wow, good thing by Grashnak · · Score: 5, Funny

    Good thing I installed that anti virus program that unexpectedly emails me attachments to protect me. Otherwise I'd be in trouble!

    --
    Life needs more saving throws.
  3. I got one, I got one!!! by sobolwolf · · Score: 5, Informative

    This was an image file so I typed it out so maybe a nice person with mod points will redeem my terrible Karma...

    Dear Customer,

    Our Robot has detected an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of worm which does not have offical patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch becouse the worm can modify unpacked exe files. you should open the archive file, enter the password and run the patch immediately.

    Password: ugh11

    Customer Support Center Robot

    __________ NOD32 2120 (20070316) Information __________

    This message was checked by NOD32 antivirus system.
    patch-95150.zip - is OK
    patch-95150.zip > ZIP > patch-95150.exe - error - password-protected file
    http://www.eset.com/

  4. I saw one of these yesterday by jsewell · · Score: 4, Informative

    The msg body was a GIF containing text telling me there had been virus activity from my IP and I should run this "patch" to fix it. The "patch" was a zip file they said they had to send as a zip so my "compromised virus scanner" wouldn't reject it. If I didn't run the patch, my internet access would be cut off. All I had to do was unzip and run the patch and all my problems would be solved. HA!

    We all had a chuckle at how stupid someone would be to actually do that - then we realized grandma probably would, not knowing any better. All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

    1. Re:I saw one of these yesterday by cdrguru · · Score: 4, Insightful

      Wrong - Linux and Mac are completely vulnerable to this type of attack. You go to install something that you were told to do so and it prompts for the root password. The user then types it in and the machine is wide open.

      Don't think that would happen? You must be dealing with a better class of users than exist in the wild. Of course it would happen, and happen at such a frequency that it would be just another massive exploit.

      Windows is targeted because of market penetration. Why bother with less than 5% when you can get 95% in a single effort?

  5. waaaait just one second... by ScentCone · · Score: 4, Insightful

    All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

    Out of curiosity... since this is a completely social hack, and is just a means to trick somebody into opening up a compressed file and running the included executable... why would a Mac or Linux user be immune? Cannot Mac and Linux users also run executable programs from their desktops? You're confusing the ability to run a program of your choice with the means by which someone is fooling you into thinking you should choose to run it, right?

    --
    Don't disappoint your bird dog. Go to the range.
  6. Re:waaaait just one second... by adolf · · Score: 5, Insightful

    And you could presumably trick users w/o regard to the OS they use. But it's far more likely that the windows user is logged in with full Admin privileges.

    But it doesn't matter.

    The trojan/worm need not be an administrator to trash a user's computer, even with Linux. Let's use Ubuntu as an example. It can still send mail and propagate just fine as a regular user. It can also trash that user's documents and files (which are likely to be the only important data on the machine). It can use a crontab entry to start a daemon on a high-numbered port, which will run without user interaction, or without them even being logged in. That daemon won't be root, but it will still be capable of being a very proficient zombie.

    After that, for good measure, it can just run gksudo and simply ask the user for root permission. Ubuntu users are absolutely content to enter their own password into gksudo whenever prompted, especially when performing updates and patches (as this claims to be). So, the trojan will readily then gain root and be free to run completely amok. Trashing or rooting the OS is the obvious next step, but it's probably not even needed after all of the damage and infiltration already accomplished as a regular user.

    Seriously - just because it's not Windows does not mean that it's secure. As long as people are able to run arbitrary programs on their own computers, these types of things will continue to be a problem...no matter what kind of computer it is, and no matter if it has root/administrator privileges or not.
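    The user-level persistence adolf describes (a crontab entry that starts a non-root daemon on a high port, from a hidden directory, with no login needed) leaves a footprint in `crontab -l` output. The audit below is an added example and not code from the thread; it runs a few rule checks over a constructed sample crontab (the paths, port and file names are made up for illustration) and returns the entries that match more than just "output silenced", which on its own is too common to flag.

```python
import re

# Constructed sample of `crontab -l` output for a regular user; not real data.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/bin/backup-home.sh
@reboot /home/grandma/.cache/.x/patch-95150 -l 31337 >/dev/null 2>&1
*/5 * * * * nohup /tmp/.sysupd >/dev/null 2>&1 &
30 7 * * 1 /usr/bin/apt-get update
"""

# Binaries living in world-writable temp dirs or hidden dirs under a home.
TEMP_OR_HIDDEN_PATH = re.compile(
    r'(?:^|\s)(?:/tmp|/var/tmp|/dev/shm|/home/[^/\s]+/\.[^/\s]+)/')
# A "-l <port>" / "-lp <port>" style listen flag followed by a 4-5 digit port.
LISTEN_PORT = re.compile(r'\s-l\s*p?\s*(\d{4,5})(?=\s|$)')
LISTENER_TOOLS = re.compile(r'\b(?:nc|ncat|netcat|socat)\b')
SILENCED = re.compile(r'>\s*/dev/null\s+2>&1')


def split_entry(line):
    """Split one crontab line into (schedule, command); None if malformed."""
    if line.startswith('@'):
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return ' '.join(parts[:5]), parts[5]


def audit_crontab(text):
    """Return a list of suspicious entries with the reasons they were flagged."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or '=' in line.split()[0]:
            continue  # blank, comment, or an environment assignment (MAILTO=...)
        entry = split_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = []
        if schedule == '@reboot':
            reasons.append('runs at boot without a login')
        if TEMP_OR_HIDDEN_PATH.search(command):
            reasons.append('binary in temp or hidden home directory')
        m = LISTEN_PORT.search(command)
        if m and int(m.group(1)) >= 1024:
            reasons.append('listens on high port %s' % m.group(1))
        if LISTENER_TOOLS.search(command):
            reasons.append('invokes a network listener tool')
        if SILENCED.search(command):
            reasons.append('output silenced')
        # Silencing alone is normal for cron jobs; require a stronger signal.
        if [r for r in reasons if r != 'output silenced']:
            findings.append({'line': lineno, 'schedule': schedule,
                             'command': command, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_crontab(SAMPLE_CRONTAB):
        print('line %d [%s] %s' % (f['line'], f['schedule'], f['command']))
        for r in f['reasons']:
            print('    -', r)
```

    On a real host you would feed it `crontab -l -u <user>` for every local account (and the per-user files under /var/spool/cron), and pair it with a check of what is actually listening (`ss -ltnp`) since a daemon started once by cron keeps running after the crontab line is deleted.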

  7. computer IQ test? by Bill, Shooter of Bul · · Score: 4, Funny

    That is absolutely true. I guess the only real solution I can think of is require some sort of computer IQ test, instead of cancel or allow.

    Are you sure you want to do this?

    "YES"

    OK what is the end result of this computation 15 XOR 24 ?

    " UM 17?"

    No, please call your son to ask permission to perform this operation.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  8. Trojan is so US centric by TechyImmigrant · · Score: 4, Funny

    It may be a Storm Trojan in the USA, however in the UK it would be called a Storm Durex. Either are good for penetration.

    --
    Evil people are out to get you.
  9. Re:Nope by Ilgaz · · Score: 4, Interesting

    I choose to report my spam instead of ignoring it, so believe it or not, I saw a single Canadian IP spamming (sending that worm) to 3 different mailboxes which have nothing to do with each other. I even added to the spamcop.net report comment "Please take care of this IP" and added the kaspersky virus ID. Guess what happened in return? A kind "thank you we took care of it" from the Canadian ISP? No, 2 more spams from the same IP! :)

    I have checked the senderbase.org entry and it says like 3500% volume increase over 1 day from that IP!

    Still, as an old timer I feel uncomfortable posting the IP on the web whether it is spammer/worm infected or not. I mean that worm really took off, perhaps the owner of the botnet finally accepted the price offered by the mob, mafia, whatever is using it. Yet again, no worries, Clam detects it even without opening that password protected zipped junk.
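    The lure sobolwolf transcribed relies on a password-protected ZIP: the scanner in that NOD32 footer could not open patch-95150.exe, and Ilgaz notes that Clam still flags the attachment without opening it. That is possible because a ZIP's central directory is never encrypted: file names, sizes and the general-purpose flag bits (bit 0 marks an encrypted entry) are readable with no password. The example below is added here and is not code from the thread or from any scanner; `build_sample_zip` constructs a test archive (Python's zipfile cannot write encrypted ZIPs, so it writes a plain one and then sets the encryption flag in the local and central headers, which is enough for a metadata-only check), and `inspect_zip_attachment` is the gateway rule: an encrypted entry with an executable name is blocked without ever seeing its contents.

```python
import io
import struct
import zipfile

EXEC_SUFFIXES = ('.exe', '.scr', '.pif', '.com', '.bat', '.cmd')


def build_sample_zip(inner_name, payload, encrypted=True):
    """Constructed test fixture: a one-entry ZIP, optionally marked encrypted.

    Real password-protected archives carry general-purpose flag bit 0 in both
    the local file header (flags at offset 6) and the central directory entry
    (flags at offset 8). We set that bit on a plain archive so that the
    detector sees the same metadata a real one would; the payload bytes
    themselves are not actually encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b'PK\x03\x04', 6), (b'PK\x01\x02', 8)):
            pos = data.find(sig)
            while pos != -1:
                off = pos + flag_off
                flags = struct.unpack_from('<H', data, off)[0] | 0x1
                struct.pack_into('<H', data, off, flags)
                pos = data.find(sig, pos + 4)
    return bytes(data)


def inspect_zip_attachment(data):
    """Metadata-only check of a ZIP attachment; needs no password.

    zipfile reads the central directory to build infolist(); decryption is
    only attempted on extraction, which we never do here.
    """
    encrypted_execs = []
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            is_encrypted = bool(info.flag_bits & 0x1)
            entries.append((info.filename, is_encrypted, info.file_size))
            if is_encrypted and info.filename.lower().endswith(EXEC_SUFFIXES):
                encrypted_execs.append(info.filename)
    return {
        'entries': entries,
        'encrypted_executables': encrypted_execs,
        'block': bool(encrypted_execs),
    }


if __name__ == '__main__':
    # Constructed stand-in for the lure; the name matches the transcribed mail,
    # the bytes are a fake MZ stub, not a real sample.
    lure = build_sample_zip('patch-95150.exe', b'MZ' + b'\x90' * 64)
    print(inspect_zip_attachment(lure))
```

    A gateway that wants more than the name could also lift the password from the mail body (the lure prints it in the clear) and try it on the entry, but the name-plus-flag rule above already blocks this campaign's attachment, and it costs nothing to evaluate.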