Slashdot Mirror


Storm Worm Rising

The Storm worm has been an increasing problem in the last few months, but a change in tactics may mean something big is going to happen. The article discusses a bit of back story about the worm, including the somewhat frightening numbers about the millions of spam emails carrying the worm payload. They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.

218 comments

  1. Nebulous numbers by Anonymous Coward · · Score: 0

    They estimate between a quarter and a million infected systems usable for spam or DDOS attacks

    Wow, you'd think they could narrow the numbers down a bit more. 0.25 - 1M is a pretty big spread.

    1. Re:Nebulous numbers by another_fanboy · · Score: 1

      short hand for "between a quarter million and one million"

      A quarter million to a full million is still a large range.

    2. Re:Nebulous numbers by Poltras · · Score: 1

      English is not too difficult to understand if you look at the clues.

      You're talking about the game, right?


      ----
      Mods, that joke is on topic, look up the parent original post.

  2. How are these numbers calculated? by IndieKid · · Score: 5, Funny

    They estimate between a quarter and a million infected systems usable for spam or DDOS attacks.

    0.25 to 1,000,000 is a pretty large range.

    Seriously though, how does one go about estimating these numbers? Is it something as simple as an estimate of what proportion of infected e-mails are expected to result in an infected desktop? I doubt that would give a very accurate figure.
    1. Re:How are these numbers calculated? by everphilski · · Score: 1

      250,000. Quarter of a million. Typo.

    2. Re:How are these numbers calculated? by strongmace · · Score: 4, Informative

      Article says how they are calculated:

      "Joe Stewart, senior security researcher at managed security company SecureWorks, at the Black Hat conference. .....

      From the number of infected machines he's found, Stewart estimates that the Storm botnet could comprise anywhere from 250,000 to 1 million infected computers. And that raises questions, along with eyebrows. "

      --
      "If we hit that bullseye, the rest of the dominos will fall like a house of cards. Checkmate." -Zapp Brannigan
    3. Re:How are these numbers calculated? by httptech · · Score: 5, Informative

      The estimate is based on the number of unique IPs we've seen attacking networks we monitor, coupled with our knowledge of how the Storm botnet works. We've seen up to 100,000 bots sending the attack (the ecard spam) in a single day. Storm is a multi-tiered botnet, meaning that not all the bots are tasked with sending the emails. Some are supernodes (first-tier), designed to serve up the ecard executables via HTTP and facilitate communication between the regular (second-tier) nodes. Another factor is that some second-tier nodes will never be seen attacking, since they may be behind firewalls that block port 25 outbound or at an ISP that is doing SMTP blocking, so they may be part of the botnet but difficult to count.

      In reality, the only source that can give you a precise count for the Storm botnet is the Storm controller - and he/she's not talking. So we do the best we can at estimating its size given the data available.
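The counting described in the comment above, as an added Python sketch (not SecureWorks' code and not part of the original comment): it deduplicates attacking source IPs per day from gateway logs, then scales the daily peak by an assumed visible fraction of the botnet. The log format, the rule name `ecard-link`, the function names and the 10% and 40% visibility figures are all assumptions; the two fractions are chosen only so that the 100,000 bots per day mentioned above reproduce the quoted 250,000 to 1 million range.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical mail-gateway log format.
# Addresses are documentation ranges; nothing here comes from real traffic.
SAMPLE_LOG = """\
2007-08-01T09:14:02 reject src=198.51.100.7 rule=ecard-link
2007-08-01T09:14:05 reject src=198.51.100.7 rule=ecard-link
2007-08-01T09:20:41 reject src=203.0.113.15 rule=ecard-link
2007-08-01T11:02:10 reject src=192.0.2.44 rule=pump-dump
2007-08-02T00:03:55 reject src=203.0.113.15 rule=ecard-link
2007-08-02T07:45:19 reject src=203.0.113.99 rule=ecard-link
2007-08-02T07:45:20 garbage line without fields
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+ reject "
    r"src=(\d{1,3}(?:\.\d{1,3}){3}) rule=(\S+)$"
)


def unique_senders_per_day(log_text, rule="ecard-link"):
    """Count distinct source IPs per day that triggered the given rule.

    Repeated messages from one IP count once, and lines that do not parse
    are skipped, so the result is a floor on the bots seen that day.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        day, src, matched_rule = match.groups()
        if matched_rule == rule:
            per_day[day].add(src)
    return {day: len(ips) for day, ips in per_day.items()}


def size_range(peak_daily_senders, visible_low, visible_high):
    """Turn an observed daily peak into a (lower, upper) size estimate.

    visible_low and visible_high bound the share of the botnet an observer
    can see sending mail on a given day. Supernodes that only serve HTTP and
    nodes behind outbound port 25 blocking never appear in the logs, so the
    true share is unknown and has to be assumed.
    """
    if not 0 < visible_low <= visible_high <= 1:
        raise ValueError("need 0 < visible_low <= visible_high <= 1")
    lower = round(peak_daily_senders / visible_high)
    upper = round(peak_daily_senders / visible_low)
    return lower, upper


if __name__ == "__main__":
    counts = unique_senders_per_day(SAMPLE_LOG)
    print("unique ecard senders per day:", counts)
    # 100,000 is the daily figure from the comment; the fractions are assumed.
    print("estimated size range:", size_range(100_000, 0.10, 0.40))
```

The width of the published range falls out of the visibility assumption, not the counting: the observed figure is a single number, and the spread comes entirely from how much of the botnet is assumed to be invisible.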

    4. Re:How are these numbers calculated? by Slarty · · Score: 1

      Speaking of typos, I find it funny that the crack editorial staff of Network World managed to let a typo slip through in the *2nd word* of the article. All fear "the swifly spiking onslaught of the Storm Worm!"

      --
      Hi... I'm Larry... the shivering chipmunk... brrrrr!... I'm cold... I need a sweater...
    5. Re:How are these numbers calculated? by ObsessiveMathsFreak · · Score: 5, Funny

      Seriously though, how does one go about estimating these numbers?
      • 1. Roll 2D6
      • 2. Take the number rolled, and multiply it times the number of worm messages that have arrived in your inbox.
      • 3. If your computer is actually infected, square the result.
      • 4. Play a game of Solitaire
      • 5. Add your final score to the result
      • 6. Divide the result by your Boss's vigilance.
      • 7. Make a saving throw against discovery, and multiply the result by 1000
      • 8. Round up to the nearest 100,000
      • 9. Publish
      • 10. Profit!
      Lower bounds are trickier as they will require you to actually care about what you're doing.
      --
      May the Maths Be with you!
    6. Re:How are these numbers calculated? by pete.com · · Score: 0

      It is a very scientific process, you reach inside your ass and pull.

    7. Re:How are these numbers calculated? by IndieKid · · Score: 2, Insightful

      Yeah I just read that. If 20 million e-mails (according to Joe Stewart in the article) have been found and he estimates that 250k to 1m machines are infected, that implies that somewhere between 1 in 20 and 1 in 80 of the machines he's looked at are infected. I'm assuming somewhere in the middle is what he actually discovered before applying a margin of error - so 1 in 50. I wonder how many machines he actually checked? 50? 500? Were these machines known to have received the e-mail or just random machines?

      All I'm saying is that I doubt the methods used to estimate these numbers would stand up to close scrutiny. That's not to say this isn't interesting (the number could be higher than the estimate after all), but I'd rather the article just said "we don't know how many machines are infected, but it's likely to be a lot".

    8. Re:How are these numbers calculated? by IndieKid · · Score: 1

      Thank you, that's much more informative than the original article :-)

    9. Re:How are these numbers calculated? by Qzukk · · Score: 2, Funny

      All fear "the swifly spiking onslaught of the Storm Worm!"

      It's product placement for Swiffer dusters, able to swifly swiff up dust, viruses and worms.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    10. Re:How are these numbers calculated? by plague3106 · · Score: 1

      I think they mean 1,250,000 systems..

    11. Re:How are these numbers calculated? by John+Nowak · · Score: 1

      VOOOOOOOOOOOOOSH

    12. Re:How are these numbers calculated? by Fnord666 · · Score: 2, Funny

      Seriously though, how does one go about estimating these numbers?
      Simple really. Just call Microsoft and ask how many systems are running their OS.
      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    13. Re:How are these numbers calculated? by Anonymous Coward · · Score: 1, Funny

      Error in line 6 - Divide by zero

  3. Microsoft is going to lose big by athloi · · Score: 2, Insightful

    If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised. The silent majority of customers are getting frustrated with this sham of a performance, and while saner heads recognize that Redmond does a lot right and some wrong, the emotional response is going to shove them out of dominance in operating systems. Maybe that's why they're better on spacy Web3.x "cloud" and "distributed OS" technologies instead of what made them big, which was getting things done the hard way consistently.

    1. Re:Microsoft is going to lose big by jpop32 · · Score: 4, Informative

      If they can't find a way to reach customers and get them fixes for the rampant insecurity of these machines that are compromised.

      WTF are you talking about? RTFA, please. If you actually did that before funboying around, you'd notice that the program in question is not a worm at all, but a trojan. User has to manually run the attachment, probably clicking through a couple of dialogs practically begging him not to. But, since the user really, really _wants_ to see the cute kittens, or a naked celebrity, or whatever the trojan claims to be, trojan will be run. No OS can defend against the user being a sucker.

      So, move along, please. Your tirade is totally off topic here.

    2. Re:Microsoft is going to lose big by gtall · · Score: 1

      "instead of what made them big, which was getting things done the hard way consistently"

      Huh? M$ got where they are by good solid crookery, honest hard work had nothing to do with it.

    3. Re:Microsoft is going to lose big by OriginalArlen · · Score: 1

      Microsoft's recent thing about "the cloud" might have something to do with their recent purchase of FrontBridge, an "in-the-cloud" traffic filtering company. (Note the 'E' word is in the titles of most of those articles though it's not in the search...)

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    4. Re:Microsoft is going to lose big by SpiritGod21 · · Score: 1

      Actually, since Symantec's updates are coming pretty frequently, Norton Antivirus is able to disinfect computers with Storm and keep computers secure. Users just need to know to run their updates.

      As for it being a trojan, that's not quite correct. In its original iteration, it did have to be run, but we are receiving more and more emails with code that is executed through the preview pane of Outlook. Depending on how Outlook is set up (which is always to the user's preference, as they tend to do that themselves), they may automatically download attachments, automatically view messages, etc. The main problem for us are the Storm infected PDFs we're receiving, as they're worming into computers without users even opening the attachment. Outlook's just not the most secure by default (though those options can be turned on).

      Better education for our users would go a long way, but we can't convince them that they need it and the administration isn't going to make it mandatory to attend computer security courses. So in the end, your tirade is off topic, which you'd be aware of if you did more than read about a virus and actually had to deal with it. Intelligent users will always be able to overcome a virus, no matter what kind it is.

    5. Re:Microsoft is going to lose big by grcumb · · Score: 1

      No OS can defend against the user being a sucker.

      No city can defend against devastating rises in the sea level, either, but I'd still choose Denver over Manhattan for that.

      Please stop with this childish refusal to differentiate between theoretical vulnerability and actual, measurable risk. Windows is unsafe. That's an indisputable, established, plain-as-the-nose-on-your-face fact. I've run other operating systems in production environments populated with the same suckers that use Windows PCs. In the four years that I've been doing so, the number of successfully exploited Macs and Linux PCs is zero.

      To be clear, these results are statistically significant. I'm talking about well over a thousand users total, in nearly every imaginable use case, with little or no supervision.

      You can stand there like some sort of demented Jeremiah screaming about Doomsday tomorrow, but I'm sick of Doomsday today.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    6. Re:Microsoft is going to lose big by Divebus · · Score: 1

      I've run other operating systems in production environments populated with the same suckers that use Windows PCs. In the four years that I've been doing so, the number of successfully exploited Macs and Linux PCs is zero.

      Ditto here in that timeframe. Out came the PCs and all my trouble went away. Also managed to turn 80 Windows-only users into very happy total Mac heads. You can't even give them a PC.

      --

      Most of the stuff on /. won't survive first contact with facts.
    7. Re:Microsoft is going to lose big by drsmithy · · Score: 1

      I've run other operating systems in production environments populated with the same suckers that use Windows PCs. In the four years that I've been doing so, the number of successfully exploited Macs and Linux PCs is zero.

      So how are your Windows machines being compromised ?

    8. Re:Microsoft is going to lose big by Anonymous Coward · · Score: 0

      Since when could PDF files be infected with viruses? And these infected PDF's could actually pose a threat?

  4. Love the tag "situationnormal" by AKAImBatman · · Score: 2, Informative

    I remember freaking out 10 years ago every time I saw someone running that cutesy little "fireworks display" email attachment. Despite my best efforts, I couldn't get the users to stop unzipping and opening it*. Glad to see that things haven't changed much.

    SNAFU (Situation Normal: All F***ed Up)

    * Before I get 10 million suggestions for a decade-past issue, yes we did find more effective ways of blocking it.

    1. Re:Love the tag "situationnormal" by Dragonslicer · · Score: 1

      Despite my best efforts, I couldn't get the users to stop unzipping and opening it*

      * Before I get 10 million suggestions for a decade-past issue, yes we did find more effective ways of blocking it.

      I don't think that's the footnote I would have gone for with that expression.
  5. Naked teens attack home director by tttonyyy · · Score: 5, Informative

    Now I've got your attention worm style, click this link for more information:

    http://en.wikipedia.org/wiki/Storm_Worm

    --
    biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
    1. Re:Naked teens attack home director by neo8750 · · Score: 1

      So where is this naked teen? And why do I not see her nakedness attacking her director? Aww crap not again...

    2. Re:Naked teens attack home director by JuliaNZ · · Score: 1

      Other than a single sentence right at the bottom of TFA, yours is the first post that has actually hinted at what the hell the "Storm Worm" might be. Thanks! And no thanks to the writers of the original article or the /. submitter.

  6. worth worrying about by esconsult1 · · Score: 3, Interesting

    As the publisher of two fairly popular websites, this is something to worry about. Recently all our sites spread across a few dedicated servers in one data center were down. Not because of a direct DDOS attack, but because of a peripheral attack which swamped the network infrastructure at the center. Really, if these guys decided to do more frequent DDOS attacks, anyone could be a target and calling the FBI is cold comfort since in the meantime your sites are down and out.

  7. More information by apachetoolbox · · Score: 4, Informative

    http://en.wikipedia.org/wiki/Storm_Worm

    ...names ranging from "postcard.exe" to "Flash Postcard.exe,"...

    Shouldn't everyone be blocking .exe attackments at the MTA? Also look for a service running called wincom32 on infected machines.

    1. Re:More information by just_another_sean · · Score: 3, Insightful

      The examples I've seen of this don't have an attachment. It's a "click here! to view your postcard!" link in the email. Clicking the link takes you to a site that says something like "We're trying a new feature on our site, please click here if you do not see your postcard". This link is then to an executable which of course prompts you to download or run. It seems to me you'd have to be pretty naive or just plain stupid to click through to the point of infection but I'm guessing a lot of people do...

      For me the biggest problem with these is that there is no attachment for AV to pick off and there is hardly any text and no real advertising in the email so our spam filters don't block it either.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
    2. Re:More information by Anonymous Coward · · Score: 0

      MOD THIS UP!!

      We've gotten hundreds of these emails at work over the past month, and not a *single* one has had the payload actually attached as an exe. Every one of them has been a link only, just as the parent describes. The wiki is outdated; this trojan may have started out as an email attachment, but that's not the direct method of infection any more.

  8. What does God need with a starship? by Billosaur · · Score: 1, Redundant

    "Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam."

    For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks. These attacks aim to overwhelm a Web site or Internet server by sending it a constant stream of garbage data at a particular Web site or Internet server.

    So the question is, who is controlling these botnets and why? DDoS attacks can be pretty useful if someone wants to get a point across or to extort money from someone or some company. It will be interesting to see if they can trace it back to the source.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:What does God need with a starship? by ktappe · · Score: 3, Insightful

      "Why do you need a botnet that big?" he asks. "You don't need a million [infected computers] to send spam." For spam, a million-strong botnet might be overkill. But botnets can do much more - like launching denial-of-service attacks.
      So the question is, who is controlling these botnets and why?
      It is possible that the creators of this worm did not have any idea how successful they would be. They may have figured they'd get 5,000 PC's, not 500,000. Now suddenly they have a monster by the tail and are not sure what to do with it.
      --
      "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
    2. Re:What does God need with a starship? by Anonymous Coward · · Score: 0

      Um, anybody remember that most recent attack on the top-level name servers? And the one about a year prior to that? Most of them got through OK, but maybe things would be different with a million bots on the march? I don't think we'd see Amazon, Google or anybody else (very easily) if the root name servers were out of commission.

    3. Re:What does God need with a starship? by tkrotchko · · Score: 1

      "So the question is, who is controlling these botnets and why?"

      I can't answer who, but why is almost certainly:

      1) Someone going into the extortion business. They have machines all over the world to command against blackmail targets.

      2) Someone who will sell control of portions of these bots to 3rd parties for profit. Either spam, DOS, or whatever.

      --
      You were mistaken. Which is odd, since memory shouldn't be a problem for you
  9. Removal Tool by apachetoolbox · · Score: 2, Informative
    1. Re:Removal Tool by ben0207 · · Score: 5, Funny

      No fukcing way am I going anywhere near a site called Team Furry.

      The goggle really might do nothing.

      --
      cmd-q.co.uk - some sort of stupid fucking internet bullshit
    2. Re:Removal Tool by jollyreaper · · Score: 4, Funny

      http://www.teamfurry.com/wordpress/2007/07/19/sunshine-on-a-stormy-day/

      I'm too scared to look. On a scale of goatse to tubgirl, how's it rate?
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    3. Re:Removal Tool by Johnny_Law · · Score: 1

      http://www.teamfurry.com/wordpress/2007/07/19/sunshine-on-a-stormy-day/

      I'm too scared to look. On a scale of goatse to tubgirl, how's it rate?
      Lemon Party
    4. Re:Removal Tool by n-baxley · · Score: 1

      Anyone care to verify this? I'm not about to download an exe that's "supposed" to remove a nasty virus. No offense apachetoolbox.

    5. Re:Removal Tool by teamfurry · · Score: 1

      Hi, as the blog entry and the tool itself suggest, feel free to ask any question from me by mailing me at toni(_at_)teamfurry.com.

      Shortly put: The tool works a bit similarly to the StormWorm dropper itself. When StormWorm is infecting a machine, it checks certain services to see if there is already an earlier variant of itself on the machine. If it detects one, it will remove it. My tool uses the same principle, and effectively removes the infection from the host.

      If you have any other questions, don't hesitate to mail.

      Regards,
      Toni Koivunen
      Teamfurry.com

    6. Re:Removal Tool by Wilson_6500 · · Score: 1

      You know, you have to admit that would be one upside to being furry: it hardens you to just about anything, and it does it quick.

      Hm. You know, I thought I'd made a poor choice of words (I should've said "inured" you to anything) but, to judge from most furries I've seen, I was probably right the first time.

    7. Re:Removal Tool by jollyreaper · · Score: 1

      You know, you have to admit that would be one upside to being furry: it hardens you to just about anything, and it does it quick.

      Hm. You know, I thought I'd made a poor choice of words (I should've said "inured" you to anything) but, to judge from most furries I've seen, I was probably right the first time.

      I still remember how I discovered one of my best friends in high school was a furry. I was doing a global search on his computer to find a file and ended up with a picture of two gay mice engaging in hardcore bdsm. Fucking Christ, warn a person, will ya? I could handle the gay part but you add furry to it and it all goes downhill. He's probably into pedo vore by now.
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    8. Re:Removal Tool by Anonymous Coward · · Score: 0
      I think there's one major question people have been asking about your tool upthread, and it's got more to do with the page they see if they hit the link.

      Gotta admit I'm also not going near it without links...

    9. Re:Removal Tool by Anonymous Coward · · Score: 0

      (See the bottom of this comment for the URL linked to below.)

      ~ $ links http://www.teamfurry.com/wordpress/2007/07/19/sunshine-on-a-stormy-day/ -dump
         Link: pingback

                                          MW-Blog

         About malware, packers and reverse engineering

         << Greetings from Estonia
         Pump & Dump spam arriving as excel attachments >>

      Sunshine on a stormy day

         StormWorm has been spreading for quite a bit for now. Otherwise known as
         win32.tibs, win32.zhelatin or Trojan.Peacomm, it has been a widespread
         pesk for a long time.

         StormWorm uses P2P-networking to get it's orders to spam, ddos or update
         itself. It also utilizes a kernel-level driver to activate itself and
         protect itself (rootkit). I wrote a removal tool to remove StormWorm, and
         it should catch various variants nicely. The tool can be downloaded from
         here. As always, all feedback is appreciated. You can send it over to
         toni(_at_)teamfurry.com

         This entry was posted on Thursday, July 19th, 2007 at 10:43 pm and is
         filed under Tools, Malware FreakShow. You can follow any responses to this
         entry through the RSS 2.0 feed. You can leave a response, or trackback
         from your own site.

        3 Responses to "Sunshine on a stormy day"

          1. electricfemme Says:
             July 25th, 2007 at 11:47 pm

             I installed your program to remove stormworm, and it worked so fast,
             or maybe didn't work, that I couldn't tell what it did.

             What my'puter seemed to have was called 551 Stormworm@MXLMinfected
             ip-66.82.4.8 : 53

             Spam mail kept trying to get out in batches of 500 plus or more, but
             Norton wouldn't let it, but did run my hard drive ragged, trying to
             scan each one.

             Hope I did the right thing. Thanks R

          2. toni Says:
             August 1st, 2007 at 8:29 am

             If Norton is quiet currently then the tool worked. I forgot to mention
             that it's a command-line tool. If you run it by doubleclicking the
             SunShine.exe you won't stand a chance of reading the output. If you
             want to see it, go to start->run->cmd and run it from there.

      ...and the "HERE" link is to:

      http://www.teamfurry.com/SunShine.exe

      If you feel like running random binaries posted to Slashdot by someone called "teamfurry" at "teamfurry.com"... be my guest. Let us know how it goes...

    10. Re:Removal Tool by teamfurry · · Score: 1

      Haha. No pron or nasty stuff there. Just a blog with a few dozen entries focusing on malware reverse engineering and such.

  10. that is why by clubhi · · Score: 5, Funny

    That is why I always do my online banking BEFORE I browse for porn

  11. Maybe there's a silver lining here... by Novae+D'Arx · · Score: 5, Interesting

    I dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google? Maybe these guys (esp. Google) could handle this kind of slamming, but they've got lobbyists now. I really wouldn't mind seeing a well-funded FBI task force with the express purpose of rooting out botnets and going after their creators. Yeah, yeah, most of them are not on US soil. I know. However, imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned, and a public awareness campaign that painted users who allow this to happen as idiots, and the ISPs as protectors of the rest of the internet users. Most people are concerned that there would be a backlash against the ISPs and they would stop complying for fear of loss of business, but that's where the legislation comes in. It's a quarantine situation - just like IRL, if you've got something nasty and contagious, the CDC can legally quarantine (forcibly, if you're an idiot like the TB guy) you because you're endangering the lives of others by going out and exposing them. Same thing here - don't give the botnets a chance to expand, cut them off, force a windows-cleaning (ISPs could offer a cleanup disk, $5.95 plus tax, or something, to help make it worth it for them - don't want to hurt the small ISPs, even though I think TW and the rest are bastards), and let them reconnect afterwards. Simple, painless, and will definitely make sure people learn their lesson for next time.

    1. Re:Maybe there's a silver lining here... by Neil+Watson · · Score: 1

      Being jaded I see only the chance for broken legislation. I see new laws making it illegal to possess or use legitimate security tools.

    2. Re:Maybe there's a silver lining here... by DerekLyons · · Score: 1

      dunno - maybe this is what we need ~ a botnet big enough to do some real damage could actually catalyze some public awareness. Imagine if they DDoS'd MS, or Amazon, heck, Google?

      I can imagine it easily - 99% of the surfers denied access would simply go "damm internet" and surf elsewhere, or go do something off-net.
    3. Re:Maybe there's a silver lining here... by fotbr · · Score: 1

      And when $ISP decides they'll only support Windows $Version anyone who hasn't "upgraded" is now SOL. Thanks to monopolies and near monopolies, this will turn into a legislated "upgrade or no internet for you" money maker.

      Thanks, but no.

    4. Re:Maybe there's a silver lining here... by another_fanboy · · Score: 1

      imagine legislation that actually required the disconnection of infected bots from an ISP until it was cleaned

      The problems with legislation are:
      (1) the idiots in congress do not have a clue as to what a botnet is and therefore are incapable of creating anything remotely usable;
      (2) the average user would not know why his computer cannot access the internet;
      (3) many flat out refuse to learn good online habits until forced to and even then they will fight to the bitter end.

    5. Re:Maybe there's a silver lining here... by shish · · Score: 1

      Yeah, yeah, most of them are not on US soil

      Since when has that ever stopped them?
      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    6. Re:Maybe there's a silver lining here... by UID30 · · Score: 1

      This is most definitely not what we need. Botnets and viruses are either the result of immature over intelligence, or outright malicious criminal act. They cost real people real time/money to combat.

      The solution is neither simple, nor painless. If detection of a botnet infection is (as it is now) left to the end user, one would merely have to "not check" in order to circumvent quarantine. And let's face it ... how many users would really allow their ISP to deep scan their system for possible botnet infection? The situation only gets worse if botnet scans are mandated by a government body ... can you imagine every PC in the country running some mandated bloatware developed by the lowest bidder on the government contract? Nope. No chance of that happening.

      If the problem were easily solvable, it would have been solved long ago. There is no financial incentive for Redmond to produce an invulnerable OS ... an entire anti-virus industry exists based on their buggy OS ... one in which Redmond actively participates with their own anti-virus solution. Conflict of interest? You do the math.

      The only real answer is in accountability. Make both OS manufacturers and virus creators accountable, to some degree, for losses. What would Redmond's bottom line look like if they had to pay damages based on man-hours lost because of holes in their buggy OS? You could even limit the damages to the actual cost of the original OS. I'd be willing to bet on 2 things ... 1) that Bill Gates wouldn't be cashing out his options to the tune of $1B / quarter... and 2) that the next Redmond OS would be a little bit more secure.

      Virus creators are another problem ... once identified, they need to spend hard time in a Federal PMITA Prison ... 1 day of time served per infected system. That should make the point. A small sized infection could easily churn up a 20 year sentence. At the current rate of technological change, am pretty sure the perp would have some degree of difficulty repeating the offense at the end of that kind of prison term.

      --
      "Glory is fleeting, but obscurity is forever." - Napoleon Bonaparte
    7. Re:Maybe there's a silver lining here... by Novae+D'Arx · · Score: 1

      That's the wonderful thing about having lobbyists - they "inform" the legislators. In this case, they could let Joe Sixpack Senator (R-TX) know about how EEEVIL botnet creators are, how they're harming the InterTubes and online businesses and hence the GNP. The common good doesn't cut much ice anymore, but tell them how it's making businesses lose *money*, and stand back...

      Also nice about lobbyists: they can even help these guys draft bills in ways that actually help make things work. MS and Google, at least, have lobbyists now... let's see them get their money's worth.

    8. Re:Maybe there's a silver lining here... by jpop32 · · Score: 1

      (1) the idiots in congress do not have a clue as to what a botnet is and therefore are incapable of creating anything remotely usable;

      Well, I'm sure that someone is able to explain it to them. If no one else, then Google's lobbyists.

      (2) the average user would not know why his computer cannot access the internet;

      Maybe user support could clue him in? If he doesn't care to call them up, then he doesn't need connectivity anyways.

      (3) many flat out refuse to learn good online habits until forced to and even then they will fight to the bitter end.

      So? We should just let them carry on being assholes? Just bend over and take it?

    9. Re:Maybe there's a silver lining here... by jpop32 · · Score: 1

      If the problem were easily solvable, it would have been solved long ago. There is no financial incentive for Redmond to produce an invulnerable OS ...

      Barking up a wrong tree, dude.

      This thing is a trojan, OS has nothing to do with it. User decided to run the malicious program.

      But, I agree with your conclusion. Those responsible should be held accountable. Users that trojaned their machines should be cut off from the net, possibly even fined.

    10. Re:Maybe there's a silver lining here... by GlL · · Score: 2, Interesting

      I work for a small ISP in Tacoma, WA. We tried selling a cleanup disk. It didn't work because a $9.95 disk cost us 1 hour of phone support per computer on average. The reality is that most of our customers who get infected aren't technically savvy enough to install and run anti-malware software. We now have a flat-rate tech bench fee of $89 to clean up the computer. We still lose money on the deal, but not as much.
      What technically minded people in general forget is that most users want their security solution to "just work" with as little contact from the end user as possible. If I were to ask my customers when their AV expires, the answer I would get would be either "I don't know." or "I think I saw a little window pop-up saying something about that." or my favorite "I got rid of that cause it was making my computer run slow."
      Now, to speak to the first part of your post, I can guarantee you that there will not be a DDOS against the big sites who have lobbyists. You may ask why, and here is my reasoning:
      1) Worms are used primarily for making money.
      2) Actions that threaten revenue streams are bad.
      3) People with lobbyists can threaten a botnet owner's revenue stream.
      4) Because of that a botnet owner will avoid attacking people who can threaten their revenue stream.
      Even though it is an illegal business, it is still a business, so will do whatever it deems necessary to ensure its profit.

      --
      I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
    11. Re:Maybe there's a silver lining here... by Anonymous Coward · · Score: 0

      There is no financial incentive for Redmond to produce an invulnerable OS ... an entire anti-virus industry exists based on their buggy OS ... one in which Redmond actively participates with their own anti-virus solution.

      I would have to disagree with this. If this were the case, the good folks over at Clam AV would be out of business. I doubt that many people would classify Linux or BSD as a "buggy OS".

    12. Re:Maybe there's a silver lining here... by Brian+Knotts · · Score: 1

      I don't know what other people use clamav for primarily, but I use it for scanning email, and most of the clients are Windows.

  12. NO! by everphilski · · Score: 4, Insightful

    Shouldn't everyone be blocking .exe attachments at the MTA?

    NO! It's annoying enough that Google rapes through my .zip files looking for .exe's.

    If I'm working on a c++ program at work and zip it up and gmail it home (lock the computer while it uploads) and forget to 'make clean' ... I don't get my code. I know it's nitpicky and a make clean or a thumb drive will cure my problems but I'm forgetful which tends to preclude both.

    1. Re:NO! by dr_strang · · Score: 3, Interesting

      Try password protecting your zip file.

      --
      This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
    2. Re:NO! by LiquidCoooled · · Score: 2, Interesting

      Actually, if they are clever enough to scan the zips, maybe they could be clever enough to just filter the exes out leaving the rest.
      It annoys me as well, the number of zips I have called .aaa .abc .bmp around because of this is stupid.

      Maybe - just maybe - google could consider allowing zips to account users who have specified it as a preference (default block as currently occurs).

      --
      liqbase :: faster than paper
    3. Re:NO! by Anonymous Coward · · Score: 0

      Or just rename the .zip to .piz

      Then when you download it, switch it back.

    4. Re:NO! by everphilski · · Score: 1

      Maybe - just maybe - google could consider allowing zips to account users who have specified it as a preference (default block as currently occurs)

      Especially when a user is sending it to himself :) I mean, what, am I trying to infest myself with a virus?

    5. Re:NO! by Chatterton · · Score: 1

      You can put a single letter password on your zip files?

    6. Re:NO! by Anonymous Coward · · Score: 0

      How hard would it be to add a rule to your Makefile that generates the zip file for you and makes sure that there is no .exe in the zip file?

    7. Re:NO! by cyfer2000 · · Score: 2, Informative

      I use 7zip.

      --
      There is a spark in every single flame bait point.
    8. Re:NO! by LiquidCoooled · · Score: 1

      If you are sending it to yourself what happens if you add the attachment and leave it in the drafts without actually sending it?

      Are the drafts subject to the capacity limit (since you haven't sent it)?

      I never tried that 'cos when I am sending code home (if I forgot my mem stick) I send via the work account (right click send to mail recipient is easier than opening browser, logging in, creating a mail, adding attachment...).

      --
      liqbase :: faster than paper
    9. Re:NO! by dark-br · · Score: 3, Informative

      It makes no difference if you password protect them or not, as no password is needed to list the zip file content. You only need the password to correctly extract the files.

      I've just switched to using RAR and as for now Google is leaving my attachments alone...

      M Addario

    10. Re:NO! by everphilski · · Score: 1

      can't say I've ever tried drafting an attachment ... that's a thought though.

    11. Re:NO! by jamsessionjay · · Score: 1

      Rename your zip files .dat - google won't know it's a zip file and assumes it's random junk data. When you get home rename it .zip

    12. Re:NO! by LiquidCoooled · · Score: 1

      I just tested it, it works nicely.
      Google warns you if you try sending though...

      --
      liqbase :: faster than paper
    13. Re:NO! by Anonymous Coward · · Score: 0

      Or using svn.

    14. Re:NO! by Just+Some+Guy · · Score: 1

      As a sibling pointed out, that won't work. But you can nest an un-passworded "mycode.zip" inside a password-protected "wrapper.zip" file. Spam filters will see that wrapper.zip contains mycode.zip (because Zip's stupid encryption (hah!) doesn't protect its content list), but won't be able to examine mycode.zip.

      Alternatively, use GPG and go forward.

      --
      Dewey, what part of this looks like authorities should be involved?
    15. Re:NO! by oglueck · · Score: 1

      You're honestly abusing email as kind of a SCM tool? Creative...

    16. Re:NO! by ^Case^ · · Score: 2, Informative

      Make a "package" make target that copies all relevant files into a package directory, zips the directory and ships off the mail. If you're using OS X or another un*x variant you can do all this with a single make target.

      Why you aren't using version control is another question.

    17. Re:NO! by Andrewkov · · Score: 1

      Ah yes, the 7-Up of Zip programs!

    18. Re:NO! by everphilski · · Score: 1

      2.8 gigs of space ... why not? :) submitting it automatically tags it with a time and date and stores it where you can get to it 99.99% of the time. And as I mentioned elsewhere, I tend to be scatterbrained, and misplace/forget my thumb drive, so it's nice to have it a website away. The particular pet projects I'm working on, I'm not paranoid about someone getting a hold of, so I really don't give a crap about having the code on a web mail account.

      I did this extensively while working on my masters, now pretty infrequently just when ideas or pet projects pop up.

    19. Re:NO! by Sylver+Dragon · · Score: 1

      Simple answer:
      Use FTP and quit abusing email. If you are working in an environment where you are coding for a living, my guess is that you can harass the IT folks into setting up an FTP server and access for you.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    20. Re:NO! by oglueck · · Score: 1

      You get implicit (web) backup as well :-)

    21. Re:NO! by jrutley · · Score: 1

      Use 7-zip instead.

    22. Re:NO! by LiquidCoooled · · Score: 1

      update: it DOESN'T work.

      I tried to use the attachment I added at work to a draft when I got home and it made Firefox vanish!

      There is a crash happening somewhere...

      --
      liqbase :: faster than paper
    23. Re:NO! by Anonymous Coward · · Score: 0

      believe it or not, google only does this if the file extension is a common archive extension. if you rename your zip file to something else, it'll go right through.

    24. Re:NO! by PsychoSlashDot · · Score: 1

      Try password protecting your zip file.

      Bad idea. A decent AV program integrated with an MTA will delete/quarantine any file it recognizes as a container that it can't open. Same thing goes for nested containers; at some point you've got to stop and give up. Same thing goes for any file that exceeds a set scanning time limitation. Basically, anything that hasn't been scanned gets dumped.

      As the original poster was told, his best bet is to rename the file to something innocent. I've yet to hear of anyone who really blocks .DOC or .XLS for instance. A developer who can't or won't handle renaming a file twice - even several times a day - isn't the kind of guy I want writing code I need to run.
      --
      "Oh no... he found the .sig setting."
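The filtering behaviour argued over in this sub-thread (entry names readable without the password, the nested wrapper.zip trick, and quarantining whatever cannot be scanned) can be seen in a small scanner. This is an added example, not code from any commenter or mail provider: the block list, limits, function names and sample archives are assumptions, and the "encrypted" samples are constructed by setting the ZIP encryption flag by hand, since the scanner never reads encrypted payloads.

```python
import io
import zipfile

BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed block list
MAX_DEPTH = 2                        # assumed nesting limit before giving up
MAX_ENTRY_BYTES = 10 * 1024 * 1024   # assumed stand-in for a scan-time limit
ENCRYPTED = 0x1                      # ZIP general-purpose flag, bit 0


def scan_container(data, depth=0):
    """Return (verdict, reason) for raw bytes; verdict is deliver/quarantine."""
    # Sniff the content, not the extension: a .zip renamed to .dat is still a zip.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("deliver", "no zip container found")
    if depth >= MAX_DEPTH:
        return ("quarantine", "nesting limit reached")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Names come from the central directory, which traditional
                # ZIP encryption leaves readable without any password.
                if info.filename.lower().endswith(BLOCKED_EXT):
                    return ("quarantine", "executable entry: " + info.filename)
                # The payload of an encrypted entry cannot be inspected,
                # so it is treated as unscanned and dumped.
                if info.flag_bits & ENCRYPTED:
                    return ("quarantine",
                            "encrypted entry not scanned: " + info.filename)
                if info.file_size > MAX_ENTRY_BYTES:
                    return ("quarantine",
                            "entry too large to scan: " + info.filename)
                verdict = scan_container(zf.read(info), depth + 1)
                if verdict[0] == "quarantine":
                    return verdict
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError) as exc:
        return ("quarantine", "container could not be opened: %s" % exc)
    return ("deliver", "all entries inspected")


def scan_attachment(filename, data):
    """Entry point for one attachment: check its own name, then its content."""
    if filename.lower().endswith(BLOCKED_EXT):
        return ("quarantine", "executable attachment: " + filename)
    return scan_container(data)


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(one_entry_zip):
    """Constructed sample: flag the single entry of an archive as encrypted.

    The payload is not really encrypted; only the header flag is set, which
    is all the scanner looks at before refusing to read the entry.
    """
    raw = bytearray(one_entry_zip)
    raw[6] |= ENCRYPTED                    # flags field of the local header
    central = raw.rfind(b"PK\x01\x02")     # the archive's own directory entry
    raw[central + 8] |= ENCRYPTED          # flags field of that entry
    return bytes(raw)


def build_samples():
    """Constructed attachments matching the cases discussed in the thread."""
    source_only = make_zip({"main.cpp": b"int main(){}", "Makefile": b"all:\n"})
    with_binary = make_zip({"main.cpp": b"int main(){}", "a.exe": b"MZ"})
    return {
        "code.zip": source_only,                                  # after make clean
        "forgot-clean.zip": with_binary,                          # stray binary
        "renamed.dat": with_binary,                               # extension changed
        "passworded.zip": mark_encrypted(make_zip({"card.exe": b"MZ"})),
        "wrapper.zip": mark_encrypted(make_zip({"mycode.zip": with_binary})),
        "plain-nested.zip": make_zip({"mycode.zip": with_binary}),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, scan_attachment(name, blob))
```
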
    25. Re:NO! by ekhben · · Score: 1

      Or, ya know, use a revision control system? Centralised or distributed, both will solve your problem, and probably a large number of other problems you've been living with.

    26. Re:NO! by Eivind+Eklund · · Score: 1
      Suggestion: Create a make target that does the mailing (or at least zip creation) - and does it correctly.

      Eivind.

      --
      Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
  13. Beyond the slashdot effect... by annamadrigal · · Score: 2, Informative

    From the article:
    > For spam, a million-strong botnet might be overkill.
    > But botnets can do much more - like launching denial-of-service attacks.
    > These attacks aim to overwhelm a Web site or Internet server by sending
    > it a constant stream of garbage data at a particular Web site or Internet server.
    A few years back there was a spate of DDOS attacks on root servers, for example: http://www.informationweek.com/news/showArticle.jhtml?articleID=197004237 which were described at the time as "possibly featuring millions of computers".
    So, is this really such an enormous number? There seems to be a precedent for botnets of this scale....

    1. Re:Beyond the slashdot effect... by rel4x · · Score: 1

      In past years, they really exaggerated the sizes of botnets. They had a lot of trouble telling the different controllers and whatnot.
      This one, I have a feeling actually IS that large.
      Especially for a few worms, where different variants were released by different groups who bought the source code and modified it. This one quite possibly is that large.
      ALSO, 250,000 computers, while it is a massive botnet, is not truly excessive in regards to spam. Take a look at what is being filtered for nowadays. NJABL, DSBL, and the DROP Spamhaus list (ZEN too?) all take the various residential IP ranges out of the mix, or make it much harder to get inboxed with them. The XBL does a good job of listing bots as well. In some botnets that I have seen, 96% were XBLed. The XBL is enough to doom a message in most cases. None of the dynamic/residential IP blacklists by themselves are enough to bulk folder a message on their own (with most configurations), but also the chances are that an IP that shows up in one will show up in more than one. Also, on the off chance some administrator was ridiculous enough to use the APEWS list, entire ISPs also will throw a few extra points into the mix. All of this means that whatever numbers someone gets are worth their time.
      For example, let's say 70% of this botnet is RBLed (which is possible, especially given the fact that Spamhaus says that the Storm worm DDOSed them, and I have trouble believing the logs of that did not factor into the RBL). That leaves 62,500 computers NOT XBLed. Subtract another 5-10% for computers that cannot have outgoing port 25 connections. Subtract even more for computers listed in multiple dynamic IP/residential blocklists.
      THAT is why this botnet grew to the size that it did.

      --

      Before you mod me funny, think, perhaps I was insightfully funny?
  14. "The silent majority" is uninformed. by khasim · · Score: 4, Insightful

    No. "The silent majority" believe that this is the way computers just "work".

    They've been shown that in countless movies and TV shows and by "experts" on the news.

    They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases.

    With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

    1. Re:"The silent majority" is uninformed. by NickFortune · · Score: 4, Interesting

      No. "The silent majority" believe that this is the way computers just "work".

      More accurate, perhaps, to say that they think this is just the way computers don't work.

      There was a program on last week where they had a collection of self proclaimed grumpy old women listing things they hated about computers - and you know what? Every single complaint was not about computers per se, but about Microsoft software.

      There's got to be an opportunity in there somewhere for the FOSS movement. Imagine if we could convince the "I hate computers" brigade that what they mainly hate is Microsoft ...

      With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

      That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

      --
      Don't let THEM immanentize the Eschaton!
    2. Re:"The silent majority" is uninformed. by Starker_Kull · · Score: 1

      No. "The silent majority" believe that this is the way computers just "work". They've been shown that in countless movies and TV shows and by "experts" on the news. They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases. With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

      I don't think that's quite the case any more. Many of the people I work with, toting around notebooks running XP or Vista on them, now openly admire and know about OS X (Linux.... not so much. One step at a time...), and say they would switch 'IF'... and the usual reasons, some quite legitimate, are brought out. However, the fact that many people are AWARE there is an alternative that appears better in their eyes, is a new & positive development. It just takes time, time where products from Redmond continue to be mediocre, and time where other OS's consistently improve in stability, security, usability, and interoperability. These conditions have been occurring consistently for the last 5 years now.

      We might get to see Microsoft's OSes slowly head the way of the dino in the next 5 years, especially the more incidents like the above 'worm' occur.

    3. Re:"The silent majority" is uninformed. by Mr.+Flibble · · Score: 2, Funny

      With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.


      Well, it is changing it for me! I got an ecard from "friend" and I downloaded the exe on my iMac, and it won't work. I could not see the card. I tried again on my Red Hat Enterprise 4 server, and even after chmod +x *AND* running as root with X windows going, the card would not open.

      That is the last straw for me! I can't get cards from my "friend". I am going back to Windows where I can open cards.
      --
      Try to hack my 31337 firewall!
    4. Re:"The silent majority" is uninformed. by lymond01 · · Score: 1

      With all the past outbreaks on Windows machines, anyone who wanted to migrate has already started their migration. This won't change anything for anyone else.

      Response: That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

      True. I'd say the long, dark tunnel from XP to Vista has a few side corridors.

    5. Re:"The silent majority" is uninformed. by Stefanwulf · · Score: 4, Insightful

      They're the ones you see claiming that Linux and Mac's will have the "same problems" as their market share increases.
      Out of curiosity, what aspects of the OSX/BSD and Linux architectures are going to stop:
      • An uneducated user from executing a binary file they download from a URL they are given
      • A process that user is running from executing further code with that user's privileges
      • That user's processes from making outbound TCP/UDP connections
      • That user's processes from accessing an SMTP server to send emails
      • A user from configuring a process to run on logging in
      By my thinking, that's really all that's needed for a botnet to work on a given platform. I am certainly ignorant of many details regarding the BSD/Linux kernels and I stand ready to be corrected, but I believe I've seen all those things happening individually as part of day to day user life on my linux box.
    6. Re:"The silent majority" is uninformed. by plague3106 · · Score: 1

      There was a program on last week where they had a collection of self proclaimed grumpy old women listing things they hated about computers - and you know what? Every single complaint was not about computers per se, but about Microsoft software.

      Such as what?

      That's just silly. People have different convincer strategies. If nothing else, there are people out there who still haven't heard that there's an alternative. There's a lot of meat left on that bone.

      And alternatives that don't run the software people want won't function as alternatives.

    7. Re:"The silent majority" is uninformed. by Anonymous Coward · · Score: 0

      People have different convincer strategies. ... There's a lot of meat left on that bone.

      Soylent gre^W^W Strategies is people!

    8. Re:"The silent majority" is uninformed. by NickFortune · · Score: 2, Interesting

      Such as what?

      The usual stuff. Clippy, Outlook, "you appear to be writing a letter", Word's grammar checker... that sort of thing. Nip over to annoyances.org and you'll find a hundred or so examples.

      And alternatives that don't run the software people want won't function as alternatives.

      Oh do behave. That argument might fly for specialist drafting or accountancy software, but not here. For the market segment under discussion, all people want is a browser, a word processor, something to check their email. Maybe an instant messenger if they're a bit advanced.

      And something like Ubuntu can do all that quite nicely, thank you.

      --
      Don't let THEM immanentize the Eschaton!
    9. Re:"The silent majority" is uninformed. by plague3106 · · Score: 1

      The usual stuff. Clippy, Outlook, "you appear to be writing a letter", Word's grammar checker... that sort of thing. Nip over to annoyances.org and you'll find a hundred or so examples.

      None of those things are with Windows itself though. Annoyances.org isn't the collection of old ladies you discussed, and I'm willing to bet quite a bit of /.ers post over there, so I doubt it's unbiased. Annoying things are hardly a reason to HATE MS though.

      Oh do behave. That argument might fly for specialist drafting or accountancy software, but not here. For the market segment under discussion, all people want is a browser, a word processor, something to check their email. Maybe an instant messenger if they're a bit advanced.

      All of the Linux distros I've seen pack in much more than that, which seems like overkill to me. I'd also have to think that the group would find a whole new slew of annoyances with Linux as well. Especially if they can't playback music or watch videos (does YouTube work w/Linux?).

    10. Re:"The silent majority" is uninformed. by rudegeek · · Score: 1

      You're 100% right that UNIX is not a silver bullet of security. I'll address a few of your points, but don't take my word for it, and my answers would not be kernel-related.

      An uneducated user from executing a binary file they download from a URL they are given

      Mounting /home and /tmp partitions as noexec (you can't run binaries from them) can be helpful here.

      A process that user is running from executing further code with that user's privileges

      Nothing, that would be silly. :-)

      That user's processes from making outbound TCP/UDP connections

      Nothing, again.

      That user's processes from accessing an SMTP server to send emails

      Again, nothing, but the difference is that in Windows most users use Outlook, and a virus can read and parse the configuration of said program and use this data to perform auth on the victim's SMTP server. That way you get better chances of replication. Doing a simple SMTP server is possible, but it will degrade the success rate of sending. First, you would have to send from your local IP, and there's a big number of SMTP servers that would drop a connection from a dynamic IP. You have no MX: again, drop. If you're behind NAT, your computer will not be traced back by the other SMTP server: again, a dropped connection. You would not have a RevDNS entry. Again. A simple SMTP in a virus will not deal with a queue, so any server with greylisting will ignore it.

      Not being a sysadmin, I remember being informed by one that you can forbid a user from binding a port. On both BSD and Linux.

      A user from configuring a process to run on logging in

      Again, nothing -- but that's not the source of problem. :-)

      --
      Rocksteady, are you ready to ska?
    11. Re:"The silent majority" is uninformed. by NickFortune · · Score: 2, Interesting

      Soylent gre^W^W Strategies is people!

      And all of them so very tast^Wdifferent, too! :)

      Convincer strategies was something they told us about on a training course I went on a while back. A convincer strategy is what has to happen inside someone's head before they accept a given proposition as being true.

      So, one person's convincer strategy might be that he needs to hear it a certain number of times (and all you need to do is keep on at them) while someone else might need to try it for themselves. Some people need to hear it from someone they consider an authority, and ... well you get the idea. I'm told this is something that good salesmen are very aware of.

      So, in the context of switching away from Microsoft, some people out there are going to (say) need 99 virus infestations before they say "enough!", and some of them are currently on number 98. Some of them are going to need to have four or five friends switch first before they consider it seriously; some of them are going to need their fave tech blogger to switch and write it all up... to suggest that everyone who is going to switch has already switched ... is wishful thinking at best.

      Sorry to follow up a joke post with a serious one - it just occurred to me that I hadn't explained that part at all.

      --
      Don't let THEM immanentize the Eschaton!
    12. Re:"The silent majority" is uninformed. by pjbgravely · · Score: 3, Insightful

      All of the Linux distros I've seen pack in much more than that, which seems like overkill to me. I'd also have to think that the group would find a whole new slew of annoyances with Linux as well. Especially if they can't playback music or watch videos (does YouTube work w/Linux?).

      Why wouldn't YouTube work with Linux? YouTube runs on Linux. http://uptime.netcraft.com/up/graph?site=youtube.com
      There is a Linux version of flash, it was behind for a while but YouTube still worked even then. I have no problems playing videos on Linux, I do have problems with friends using Microsoft Windows playing anything I send them that isn't a Microsoft Windows media player file.
      --
      Star Trek, there maybe hope.
    13. Re:"The silent majority" is uninformed. by NickFortune · · Score: 4, Informative

      None of those things are with Windows itself though.

      No, but they are Microsoft though - which is what I said in the first place.

      Annoyances.org isn't the collection of old ladies you discussed

      You're right, I just used it as a loose example. I'd be more specific about the complaints, but I wasn't expecting a test, and I forgot to make notes. All I can do is report what I remember from the show.

      I'm willing to bet quite a bit of /.ers post over there, so I doubt it's unbiased.

      meh. It's a support forum, not an advocacy site. It's not so much "Microsoft sucks" as "what do I do when the registry fills up?". You don't get a lot of penguin heads there because... well, because we all use Linux and it's a windows support forum.

      Annoying things are hardly a reason to HATE MS though.

      Hatred isn't a rational act, though, is it? I mean, most people don't wake up in the morning and say "now who shall I hate today? Who is the most rational target for my hatred?". It's not like that. On the other hand, there's no shortage of people who think "if that computer crashes and loses my document one more time today, it's going through that window..." My point is that a lot of the things I heard cited as inspiring this hatred were typical MS grumbling points.

      And if it's a good enough reason to hate computers, it's good enough to hate Microsoft. It's just a question of education ;)

      I'd also have to think that the group would find a whole new slew of annoyances with Linux as well.

      Oh quite possibly, although the latest Ubuntu is getting very good in that respect. But they'd be spared the malware, and the viruses and the worms... which is the starting point for this discussion.

      (does YouTube work w/Linux?).

      Yes, perfectly. At least since flash 9 was released for Linux.

      --
      Don't let THEM immanentize the Eschaton!
    14. Re:"The silent majority" is uninformed. by Lord+Apathy · · Score: 1

      That's one long fucking tunnel that they are dragging us kicking and screaming all the way.

      --

      Supporting World Peace Through Nuclear Pacification

    15. Re:"The silent majority" is uninformed. by sootman · · Score: 1

      There's got to be an opportunity in there somewhere for the FOSS movement. Imagine if we could convince the "I hate computers" brigade that what they mainly hate is Microsoft ...

      Yes, it certainly is an opportunity. And it's something that LUGs, advocates, and others in the FOSS movement have been trying to convince the world of since at least 1998, which is when I became aware of it. You can see how well it's gone so far. Maybe we could ask Mac users for tips--they've been making that same argument for about twice as long. They must be good at convincing people by now. :-)

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    16. Re:"The silent majority" is uninformed. by NickFortune · · Score: 1

      And it's something that LUGs, advocates, and others in the FOSS movement have been trying to convince the world of since at least 1998, which is when I became aware of it.

      Well, it's not one I've seen presented in the five years or so since I've been using Linux. Perhaps the idea isn't as widely disseminated as you think?

      Maybe we could ask Mac users for tips--they've been making that same argument for about twice as long.

      Indeed. It seems to be the basis of those "I'm a Mac; I'm a PC" adverts. Actually, they seem to be doing rather well, now that you mention it...

      --
      Don't let THEM immanentize the Eschaton!
    17. Re:"The silent majority" is uninformed. by Anonymous Coward · · Score: 0

      Real-life, face-to-face experience over the last decade has taught me that when somebody who knows computers sits down to talk with a "lamer", in fact the "lamer" actually isn't stupid, but has been kept deliberately ignorant from years of living in Microsoft's little box. Give them a real system that lets them be smart and they'll start surprising you after a while with just how smart they always were!

      I've seen many cases where the user blamed themselves for "not knowing how to use computers". In fact, what they were trying to do was a reasonable thing, but their crappy software failed and they have no idea why.

    18. Re:"The silent majority" is uninformed. by jez9999 · · Score: 4, Funny

      That is the last straw for me! I can't get cards from my "friend". I am going back to Windows where I can open cards.
      --
      Try to hack my 31337 firewall! [127.0.0.1]


      Yeah, you really should do; you clearly need a more secure OS than the one you're running now. I just hacked your firewall, and man have you got a lot of weird stuff on there. :-) You're lucky I'm not a black-hat.

    19. Re:"The silent majority" is uninformed. by Divebus · · Score: 1

      Annoying things are hardly a reason to HATE MS though.

      Yes they are. A few years ago (3) I realized my whole workday was fixing Microsoft specific problems. Since my IT staff was getting downsized, we couldn't keep up. So we deployed a bunch of Macs. Peace, tranquility and productivity prevailed and nearly the entire staff traded their home PCs for Macs. Now THEY hate Microsoft for wasting all that time.

      --

      Most of the stuff on /. won't survive first contact with facts.
    20. Re:"The silent majority" is uninformed. by Divebus · · Score: 1

      Try to hack my 31337 firewall! [127.0.0.1]

      OMG! You managed to copy my entire hard drive! I do need a new firewall

      --

      Most of the stuff on /. won't survive first contact with facts.
    21. Re:"The silent majority" is uninformed. by Hucko · · Score: 1

      I made that argument to my wife. A couple of hours later she wished to run an *.exe file on my machine. I don't have wine & wasn't there so when I arrived on the machine I got the sore treatment about how my computer doesn't work why can't we have windows? Try explaining to an upset woman that you can't expect a Kenworth diesel engine to work in a Honda Civic.

      --
      Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
    22. Re:"The silent majority" is uninformed. by drsmithy · · Score: 1

      Mounting /home and /tmp partitions as noexec (you can't run binaries from them) can be helpful here.

      So your solution is the nuclear option of not allowing users to run *anything* that isn't preinstalled?

      Microsoft (or anyone, really) could do that with Windows as well, but it's not really a viable option for an unmanaged machine.

      Again, nothing, but difference is [...]

      No, there is no difference. Most (if not all) UNIX email programs store their configuration in well-known plaintext files that malicious code can read to find out the ISP's upstream mailserver and the malicious software can simply use that.

      If your machine can send email, malicious code running on your machine can almost certainly also send email. Whether the machine is running Outlook (or even Windows) is irrelevant.

      No machine where ignorant end users have the ability to make critical configuration and runtime decisions can be "secure", which is why OS X and Linux will/would have exactly the same problems Windows does when their market penetration (in the case of OS X) and user demographic (in the case of Linux) reach similar measures. The vast, vast majority of "security problems" Windows has are the result of end users doing something "stupid".

    23. Re:"The silent majority" is uninformed. by Blkdeath · · Score: 1

      I'd also have to think that the group would find a whole new slew of annoyances with Linux as well. Especially if they can't playback music or watch videos

      Yes, I hear this argument all the time. "Wah, the latest codec my pirate video source is using that was written exclusively by and for Microsoft doesn't work under Linux! Linux is useless as a desktop OS!"

      For the record, I haven't found a video file yet that VLC Player has had a problem with.

      (does YouTube work w/Linux?).

      Yes. I think you'll also find that Solitaire, Minesweeper, and a text editor also work under Linux. You can even play MP3s now! (That functionality was added AT LEAST a month ago! I think Linus wrote it ... )

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    24. Re:"The silent majority" is uninformed. by rudegeek · · Score: 1

      So your solution is the nuclear option of not allowing users to run *anything* that isn't preinstalled ?

      What? A normal user should not install stuff in his home. There's /usr where programs should end up. And that's root's job to put 'em there. This is a feature because I can force some policy over my users.

      Most (if not all) UNIX email programs store their configuration in well-known plaintext files

      Difference is we didn't see anything working yet. So while I know it can be done it hasn't been done just yet.

      No machine where ignorant end users have the ability to make critical configuration and runtime decisions can be "secure"

      OK, if I'll put you in a /home with noexec, will forbid you to bind low ports, push all network access to 25/110/80/whatever by proxy, put you in untrusted group with limited access to apps in /usr/bin and will perform simple backup of your home directory -- would you say I provided better env. to prevent viruses? Because all this can be done with tools that are shipped by most distros.

      Again: Linux or BSD is not more secure. But it's more transparent. So it can be secured better. That's my uneducated opinion -- I'm developer not sysadmin.

      --
      Rocksteady, are you ready to ska?
    25. Re:"The silent majority" is uninformed. by drsmithy · · Score: 1

      What? A normal user should not install stuff in his home.

      A "normal user" shouldn't have access to install stuff anywhere else.

      There's /usr where programs should end up. And that's root's job to put 'em there. This is a feature because I can force some policy over my users.

      Firstly, most people don't have any systems administrator - let alone a good one - to run their computers. If they did most of the "security problems" we hear about would never have happened.

      Secondly, you offer this argument as if it is something that UNIX can do but Windows cannot - yet Windows can lock down the system just as much if you want it to.

      Difference is we didn't see anything working yet. So while I know it can be done it hasn't been done just yet.

      Stop moving the goalposts.

      OK, if I'll put you in a /home with noexec, will forbid you to bind low ports, push all network access to 25/110/80/whatever by proxy, put you in untrusted group with limited access to apps in /usr/bin and will perform simple backup of your home directory -- would you say I provided better env. to prevent viruses? Because all this can be done with tools that are shipped by most distros.

      All of it can be done in Windows, as well. It's easy to secure a machine when you don't have to worry about giving the ignorant end user the ability to complete arbitrary tasks.

      However, that doesn't apply to the majority of machines out there - those that are unmanaged - where the majority of security "problems" originate.

    26. Re:"The silent majority" is uninformed. by Anonymous Coward · · Score: 0

      But I am! I just deleted his

  15. Thank God !! by Anonymous Coward · · Score: 0

    Glad I got that memo. Oh wait it is an attachmen...

  16. Catalyst for change? by khasim · · Score: 3, Interesting

    Let's look at DDoS attacks.

    #1. Spoofed IP addresses - not that common anymore. It used to be that you'd tie up a machine by having it send replies to machines that did not initiate the connection. There is a simple solution to this. Anyone assigned a block of IP addresses has to make sure that all outbound traffic references IP addresses on that block.

    #2. Thousands of machines eating up your bandwidth - the most common type now. This is where the zombie army each makes continued requests of your machine. For webservers, they can request a page over and over and over until they use up all your bandwidth and legitimate visitors cannot get through. This is more difficult to fix. It can partially be handled by blocking the range of addresses that host the zombies. Such as Comcast and Verizon and so forth. There are more complicated attacks. Such as sending half a request.

    There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.

    1. Re:Catalyst for change? by neo8750 · · Score: 1

      There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.

      I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other than the whole aww factor this plan will work.

      I personally think that ISPs should notify their users that there are worms/viruses going around (hey got an idea for a company one that works with isps to keep them up to date on worms/viruses and hell maybe even setup the mass mailing needed to get the word out). Though it would probably be best to just make it so that the user can't get any of their mail till they read the message from the isp. Sure this may take some recoding to add a feature to smtpd but i think if we are going to help fight these worms we need to make it so the end user is aware of them. (this option may exist)

      hell i personally consider myself a higher end user and i don't even know what the most popular/newest worms out there are. But then again i don't open an email unless i know the person for one and i also don't if the topic is off. But then again i don't count on my contacts to keep me up to date on stuff plus if it's that crazy they will sooner call than email me.

    2. Re:Catalyst for change? by teh_chrizzle · · Score: 1

      There's not much that can be done with #2 until a law gets passed saying that the person paying for the Internet connection is responsible for $X of clean-up charges. Then people will have a financial incentive to look at more secure systems.

      people do not take responsibility for their anything that involves computers. evar. people don't take responsibility for their actions on the computer (i did not delete it! the computer just ate it!), they don't take responsibility for the computer itself (how does all of this crap get on my computer?) and therefore will never ever take responsibility for their computer's actions. evar.

      --
      sarcasm:
      -noun
      1. harsh or bitter derision or irony.
    3. Re:Catalyst for change? by jpop32 · · Score: 1

      I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages.

      Well, maybe they will then realise that a computer can be a nuisance for others, and learn to treat it as such. Owning a computer is a responsibility.

      I am in favour of some form of punishment for zombied computers for some time now. You would be fined with no questions if you blocked the street with your parked car, grandpa or not. Why is someone who blocked internet access for others treated differently?

    4. Re:Catalyst for change? by Anonymous Coward · · Score: 0
      Regarding #1, apart from uRPF (aka anti-spoofing) - the other reason attackers don't bother with spoofed traffic any more is that it's not needed (and with URPF, it flags up infected machines very fast.) A relative handful of machines that do a full TCP handshake and request the front page of (say) Slashdot will choke the target's upstream connection (and probably the first couple of routers into the SP network) whilst looking no different at all to normal user traffic egressing the network with the eyeballs, but generates a disproportionately large CPU and bandwidth hit on the target. There's no easy way that I can think of to filter such traffic - it doesn't need to hammer away flinging thousands of pps at the target - three or four IP packets can invoke a very large response (the Slashdot front page is around 450K.)

      Of course Slashdot's a lot less likely to be a target than, say, Symantec or McAfee. And attacking a probably Akamai'd public website is less effective than attacking infrastructure - mail servers, the outbound routers carrying traffic to/from the internal corporate network, when it comes to blackmail... or even just to damage people who are damaging your efforts to flog fake impotence cures and bootleg watches.

    5. Re:Catalyst for change? by Anonymous Coward · · Score: 0

      Your computer keeps misspelling 'ever'.

    6. Re:Catalyst for change? by rudegeek · · Score: 1

      I personally think that ISPs

      When I was working as developer at ISP in my city IT guys followed these steps:

      1. Call person with an infected computer and ask him to disconnect it from the network and fix it
      2. His IP was added to monitoring system. If he would not comply, someone would go to his place and disconnect him in a switch box
      3. He would have to call back and tell us he fixed his problem, then we restored or let him put eth cable back.
      4. If he couldn't do it, we had a list of people near him (also our customers) who agreed to assist helpless people (yeah, you may think it's strange, but people sometimes like to help, and maybe get a cookie or beer, or just a handshake)
      5. We could also send someone from IT to fix it for small charge

      In our contract there was a paragraph: Keep your computer clean. You're not alone in the network.

      --
      Rocksteady, are you ready to ska?
    7. Re:Catalyst for change? by Leto-II · · Score: 1

      #1. Spoofed IP addresses - not that common anymore. It used to be that you'd tie up a machine by having it send replies to machines that did not initiate the connection. There is a simple solution to this. Anyone assigned a block of IP addresses has to make sure that all outbound traffic references IP addresses on that block.

      There might be a simple solution to #1, namely ingress/egress filtering as you suggest, but it's not very effective unless deployed nearly everywhere. Anywhere that doesn't use filtering can be used to basically spoof anywhere. Plus, according to results from the Spoofer Project at MIT, even those networks where there is some level of ingress/egress filtering are able to spoof large amounts of IP addresses. Note the percentages in those results are percentages for hosts which do encounter some filtering. If you consider hosts which don't encounter filtering, pretty much any address can be spoofed.

      Basically, although there is a simple solution, it doesn't work. It hasn't been deployed everywhere yet and doesn't look like it will ever be everywhere. There is still active research in discovering better ways of discovering and filtering out spoofed packets that don't require 100% deployment. Another poster mentioned uRPF, but that doesn't work in many cases because it assumes symmetric paths (the direction packets take to reach a network is the same direction packets take when coming from that network), but paths on the Internet are not symmetric.

      Plus, I believe spoofing still is common. Botnet owners would rather keep their bot identities as anonymous as possible. Spoofing adds another layer of protection in this regard. Sure it can't be used in all situations, but situations where it can be used it usually is used.
      --
      Do not anger the worm.
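The source-address checks debated in the comments above, as an added example that is not part of the thread: a simplified model of per-block egress filtering and strict versus loose uRPF on one edge router. The interface names, routes and packets are constructed (documentation address ranges), and real router uRPF implementations have more options than this model.

```python
import ipaddress


class Fib:
    """Toy forwarding table: longest-prefix match from prefix to interface."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def best_iface(self, addr, allow_default=True):
        ip = ipaddress.ip_address(addr)
        matches = [(net, iface) for net, iface in self.routes
                   if ip in net and (allow_default or net.prefixlen > 0)]
        if not matches:
            return None
        # Longest prefix wins, as in a real FIB lookup.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress_allowed(assigned_blocks, src):
    """The rule from the thread: outbound sources must lie in the assigned block."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(b) for b in assigned_blocks)


def urpf_strict(fib, src, in_iface):
    """Strict mode: the best route back to src must leave via the arrival interface."""
    return fib.best_iface(src) == in_iface


def urpf_loose(fib, src):
    """Loose mode: any non-default route to src is enough."""
    return fib.best_iface(src, allow_default=False) is not None


# Constructed topology: one customer port, two transit links.
ASSIGNED = ["198.51.100.0/24"]
FIB = Fib([
    ("198.51.100.0/24", "cust0"),
    ("203.0.113.0/24", "transitA"),   # best path TO the peer is via transit A
    ("0.0.0.0/0", "transitA"),
])

# (label, source address, interface the packet arrived on) -- all constructed.
PACKETS = [
    ("customer, own address", "198.51.100.10", "cust0"),
    ("customer, spoofed outside block", "192.0.2.55", "cust0"),
    ("customer, spoofed neighbour in block", "198.51.100.77", "cust0"),
    ("multihomed peer, asymmetric return path", "203.0.113.9", "transitB"),
]


def evaluate():
    results = {}
    for label, src, iface in PACKETS:
        results[label] = {
            # The per-block filter only applies on the customer-facing port.
            "egress": egress_allowed(ASSIGNED, src) if iface == "cust0" else None,
            "strict": urpf_strict(FIB, src, iface),
            "loose": urpf_loose(FIB, src),
        }
    return results


if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{label:42s} {verdict}")
```

The third packet passes every check because the forged source is still inside the customer block, and the fourth is a legitimate packet that strict mode drops because it arrived on a different link than the one the router would use to reply.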
  17. Whats Worse? Storm or Nugache by Evil+W1zard · · Score: 1

    We all know that the Storm botnet is a big ol' spambotnet but what about Nugache? That's the one I'm more concerned about as it is fairly huge and just sits there in the dark waiting!!! Has anyone identified WTH that one is prepping for yet or are we still all in wait mode...

    Insert Scary Music Here

    --
    News Reporters Make Tasty Polar Bear Treats!
  18. If you'd like to know more... by fahrbot-bot · · Score: 1

    ...let me know and I'll forward you some e-mail...

    --
    It must have been something you assimilated. . . .
  19. An email warning I got yesterday by bzipitidoo · · Score: 2, Interesting

    Yesterday, a non-expert computer user I know sent me an email warning about emails with "postcard for you" in the subject being a carrier for the "worst virus ever". It could erase your entire hard drive!!! The histrionics convinced me it was bogus, so I blew it off. But seems there is something going on after all? That email now looks like it was deliberately timed and edited to ride the next wave of panic.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    1. Re:An email warning I got yesterday by Anonymous Coward · · Score: 0

      Tell me now.
      Won't all major updated antivirus programs detect and remove this threat?

      So those responsible for its proliferation are just computer security lame and don't have a clue? Right?

      They see an executable and execute it like fools ? Is that about it?

  20. As much as I hate to suggest this... by goldspider · · Score: 1

    ...but perhaps we need a law that would require ISPs to disconnect customers with compromised computers, and inform them that they will remain disconnected until the computer(s) has been cleaned.

    Us conscientious customers shouldn't have to suffer the conditions imposed on us by people who can't bother to take even the most simple precautions. How much better would service be without all these botnets clogging the tubes?

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:As much as I hate to suggest this... by Anonymous Coward · · Score: 0

      we need no such law. There should never be a law that punishes a victim for failing to respond to their situation, and that is all such a law would do. Live with the inconvenience, or convince your ISP to change their TOS and voluntarily do what you suggest.

    2. Re:As much as I hate to suggest this... by goldspider · · Score: 1

      The "victims" here are everyone who has to deal with the spam, DDoS attacks, and whatever else these botnets are spewing. And it's not a problem that can be limited to or by individual ISPs.

      The public has been aware of computer viruses for 20 years now, and there are plenty of free tools (many of which are provided at no cost by ISPs) to prevent an infection. It's long past time people took responsibility for their own computers.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    3. Re:As much as I hate to suggest this... by Gazzonyx · · Score: 1

      True. But perhaps the ISP should just filter out malicious traffic at the edge, before it takes the first hop into their network?

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    4. Re:As much as I hate to suggest this... by scharkalvin · · Score: 1

      Most people do NOT know how to protect computers from the internet, NOR SHOULD THEY!
      The computer makers and the OS writers should handle this, it's THEIR PRODUCT!!!

      Hey DELL and M$! I bought this computer from you and it got itself infected with
      spambots because YOU didn't provide the security to prevent this. So (to quote
      Weird Al) I'LL SUE YA!

    5. Re:As much as I hate to suggest this... by Anonymous Coward · · Score: 0

      Here in the Netherlands @home is doing just this, if they find out your computer is producing spam or emitting virus emails they just cut you off. You need to send in a screendump with proof of a recent antivirusprogram running and saying 'no virus found' before they will connect you again.

    6. Re:As much as I hate to suggest this... by goldspider · · Score: 1

      Most people do NOT know how to protect computers from the internet, NOR SHOULD THEY!

      Yet we expect people to maintain their own cars. Are you suggesting it's unrealistic to expect people to get regular oil changes?

      The computer makers and the OS writers should handle this, it's THEIR PRODUCT!!!

      So let's sue automakers when a negligent owner lets their car's engine seize.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    7. Re:As much as I hate to suggest this... by necro2607 · · Score: 1

      Actually Shaw cable here in western Canada already does so. A friend of mine was kicked offline for a week because one of the computers in his home network had some spyware or botnet-type trojan running on it which my friend didn't know about. He finally called the ISP wondering why the hell he couldn't get online after many days only to find out that they had disconnected his net connection without even notifying him. It seemed like a pretty harsh treatment of a customer - they didn't even let him know that one of his machines was infected with some potentially malicious software (until after he called), and intentionally booted him offline indefinitely because of this. Of course it would have been understandable had they actually let him know what was going on. How long would it have been if he hadn't contacted the ISP himself? Pretty amateur for such a large company (2.3 million customers)...

    8. Re:As much as I hate to suggest this... by RudeIota · · Score: 0

      Many ISPs have done this in the past (Think: BlasterWorm). ISPs that I KNOW have done this in the past include SBC (aka. Pacific Bell, Yahoo), Verizon and Comcast (aka. Roadrunner in some areas, now)

      I've also seen Yahoo blacklist SMTP server access for people on their own network from sending emails. They'll do this if they determine the origin IP is abusing their mail service, be it a can of SPAM or a can of worms. I imagine if these ISPs are willing to employ such a tactic, disabling your account wouldn't be too far of a stretch from blocking your outgoing mail access.

      This certainly doesn't rule out the webmail variable, but when it comes to receiving email from a 'zombie' computer - webmail is quite a bit safer than pop mail clients.

      --
      Fact: Everything I say is fiction.
    9. Re:As much as I hate to suggest this... by FrostySol · · Score: 1

      It's an intriguing thought, but people trying to bring down these bot nets will often purposely infect a machine so they can learn more about the bot net. If you block that machine's traffic you've just taken away a valuable tool in fixing the problem.

      Also, I don't know how reliable your ISP is but I don't trust mine at all and can only imagine the problems they would create by blocking peoples machines (wrong IP's blocked, taking weeks to un-block cleaned machines, etc...).

    10. Re:As much as I hate to suggest this... by ekhben · · Score: 1

      How will the ISP detect a compromised computer? Does this require the ISP to keep up to date on methods of detecting viruses? How far behind can they get before they're held liable? How much more do you think they'll charge you, the conscientious customer, for the sudden jump in resources they need to get by?

    11. Re:As much as I hate to suggest this... by Anonymous Coward · · Score: 0

      Yeah, they also started blocking outbound SMTP without any notice at all, nothing on my bills, no email to my associated address.
      I don't mind that much, but some notice would be nice.

  21. Military? by wytcld · · Score: 5, Interesting

    It's well-known that the Chinese government has an active computer warfare department. A botnet on this scale is way beyond anything needed for mere industrial blackmail. But if you wanted to bring down large chunks of some nation's Internet quickly, without the attack coming from an obvious (and blockable) source, this would be a great weapon. Let's say you wanted to disable the Internet in Taiwan, or South Korea, or Japan, or all three, just prior to military action. Or let's say you wanted to disrupt financial markets to be sure that your intentional crashing of the dollar had maximal effects.

    --
    "with their freedom lost all virtue lose" - Milton
    1. Re:Military? by hyperball · · Score: 1

      personally, I've always thought deliberately disrupting the US economy would be counter-productive, since all the major economies are interrelated. Anyways, i just wanted to refer to this salon article that debunks that dailytelegraph post. bottom line, the original author has no real authority on the issue and is just coming up with scary nonsense. aside from that, the idea of botnets serving the economic interests of international corporations or countries is a great idea. could you imagine spamming ForeX servers or even the stock markets prior to the release of sensitive data, you could make buckets of money with that kind of control over speculation.

  22. how to know by kisrael · · Score: 1

    People who have all mail to a domain going to one gmail account (ok, me) noticed a bunch of this testing the waters looking spam leaking through the filters, one every two minutes or so, with both the subject and the body being a different short 6-10 character string of mostly numbers. No actual selling content.

    Incidentally, for Windows lusers who realize they may have been practicing unsafe computing, is there any way to tell that you've been zombified? I know some of these worms are fairly stealthy. Some sort of external monitoring box between the router and the cable modem?

    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    1. Re:how to know by dmpyron · · Score: 1

      Snort your outbound traffic. Not something the naive user can do, but anyone reading and posting to /. probably won't class as "naive". But if you're not naive, you're probably running several different protection schemes. As much as I hate it, ZA Pro will do a good job of detecting and blocking most outbound traffic that you don't want to get out. AdAwatch does a pretty good job of preventing software from installing. It even makes it a real PITA to do things like upgrade Acrobat. Or Windows. But if you really want to know for sure, re-image your system from time to time. Or install something like PC Vive (www.pcvive.com) on your clean system.
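One way to look at outbound traffic for the spam-sending behaviour this thread is about, as an added example that is not part of the thread: count how many distinct mail servers each internal host contacts directly on port 25, ignoring the ISP's relay. The flow-log format, addresses, relay address and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed flow-log line format (constructed for this example):
#   <timestamp> <src-ip> -> <dst-ip>:<dst-port> tcp
FLOW_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) tcp$"
)

ISP_RELAY = "198.51.100.25"   # assumption: the only server normal clients submit mail to
THRESHOLD = 5                 # assumption: distinct direct SMTP peers before flagging

# Constructed sample: .20 uses the relay, .42 talks to one outside server,
# .31 sprays port 25 connections at many different mail servers.
SAMPLE_FLOWS = """\
2007-08-03T10:00:01 192.168.1.20 -> 198.51.100.25:25 tcp
2007-08-03T10:00:04 192.168.1.20 -> 203.0.113.80:80 tcp
2007-08-03T10:02:10 192.168.1.20 -> 198.51.100.25:25 tcp
2007-08-03T10:00:02 192.168.1.31 -> 203.0.113.5:25 tcp
2007-08-03T10:00:02 192.168.1.31 -> 203.0.113.6:25 tcp
2007-08-03T10:00:03 192.168.1.31 -> 203.0.113.7:25 tcp
2007-08-03T10:00:03 192.168.1.31 -> 203.0.113.8:25 tcp
2007-08-03T10:00:04 192.168.1.31 -> 203.0.113.9:25 tcp
2007-08-03T10:00:04 192.168.1.31 -> 203.0.113.10:25 tcp
2007-08-03T10:00:05 192.168.1.31 -> 203.0.113.5:25 tcp
2007-08-03T10:05:00 192.168.1.42 -> 203.0.113.200:25 tcp
this line is garbled and must be skipped
"""


def direct_smtp_fanout(log_text, relay=ISP_RELAY):
    """Map each source host to the number of distinct non-relay SMTP peers."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        _ts, src, dst, port = m.groups()
        if port == "25" and dst != relay:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def suspected_spam_senders(log_text, threshold=THRESHOLD):
    """Hosts whose direct SMTP fan-out meets the threshold, sorted."""
    fanout = direct_smtp_fanout(log_text)
    return sorted(h for h, n in fanout.items() if n >= threshold)


if __name__ == "__main__":
    print(direct_smtp_fanout(SAMPLE_FLOWS))
    print(suspected_spam_senders(SAMPLE_FLOWS))
```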

  23. Question on that article by Gazzonyx · · Score: 3, Interesting

    Now I've got your attention worm style, click this link for more information:

    http://en.wikipedia.org/wiki/Storm_Worm

    I'm interested in something from that wikipedia article; it mentions that the source code to storm specifically avoids infecting Windows Server 2003 boxes. Anyone know why the author would go out of his way to not hit 2K3 boxes?


    Perhaps to avoid infecting government servers (and upping the ante, if he got caught)? That's the only thing I could think of. I'm sure there's a very logical reason, but I have no idea what it might be.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    1. Re:Question on that article by bpfinn · · Score: 1

      The FBI won't usually investigate a computer intrusion unless there has been a significant amount of money lost because of it. Perhaps the author believes that avoiding Windows 2003 Servers will reduce the chances of infecting some big corporation's "very important server".

    2. Re:Question on that article by necro2607 · · Score: 1

      Anyone know why the author would go out of his way to not hit 2K3 boxes? ... I'm sure there's a very logical reason, but I have no idea what it might be.

      Well, all "windows server reliability" jokes aside, it could just be that the author's code had some issues running as expected on the 2003 server machines (due to some behaviour in that version of the OS as opposed to other versions), that perhaps he/she didn't feel like debugging or figuring out.

    3. Re:Question on that article by anilg · · Score: 3, Insightful

      My best guess is related to the way security companies work (the pay-per-problem model).

      The companies that care enough about their security issues are those with critical servers, and many of these use win 2K3.

      Storm affecting these boxes would mean quicker detection of the virus, and lesser migration. Without these (and with users who don't update anti-virus signatures very regularly), the virus has a greater potential of spreading. Of course, the author didn't imagine Storm would be this popular, and that this anti-2k3 trick wouldn't really matter.

      --
      http://dilemma.gulecha.org - My philosophical short film.
    4. Re:Question on that article by farker+haiku · · Score: 1

      Because it's a US government written worm? I imagine that we needed to up the ante in the botnet arms race with China.

      --
      Your sig(k) has been stolen. There is a puff of smoke!
    5. Re:Question on that article by ABCC · · Score: 1

      Perhaps it's just what the author uses at work or home and he can't be arsed dealing with it/doesn't want to risk infecting himself/his friends.

    6. Re:Question on that article by Karl0Erik · · Score: 1

      If you use 2K3, you have no friends.

    7. Re:Question on that article by The_mad_linguist · · Score: 1

      The author's running Server 2k3, and doesn't want it to trace back to him? It's a logical reason, just not a very plausible one.

    8. Re:Question on that article by Randym · · Score: 1
      Anyone know why the author would go out of his way to not hit 2K3 boxes? Perhaps to avoid infecting government servers (and upping the ante, if he got caught)?

      Perhaps 2K3 boxes *are* the final target. SKauthor may be building the biggest botnet of all time *specifically* to try and take down the government.

      If that is the case, then I'll bet when we finally trace SK to its source, we'll find a foreign government behind it, like Iran ... or Russia.

      --
      DNA is a Turing machine. You, however, being dynamic and emergent, are not.
  24. Why not offer to swap them ahead of time? by khasim · · Score: 2, Interesting

    I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other than the whole aww factor this plan will work.

    Why wait?

    Why not take a few pro-active measures? Such as emailing all your clients with the new rules and offering to assist them in evaluating their systems ... automatically?

    hell i personally consider myself a higher end user and i don't even know what the most popular/newest worms out there are.

    Why would you need to know about the newest worms? The focus should be on the security of the system.

    A default installation of Ubuntu does not have any open ports. It is immune to all worms except anything that might attack the TCP/IP stack itself.

    It's still susceptible to trojans, but even those can be mitigated.

    And it is easy to check most Linux distributions with a Live CD. So the idea is to limit the possible avenues of attack and have a system in place so that successful attacks can be recognized and removed.

    1. Re:Why not offer to swap them ahead of time? by neo8750 · · Score: 1

      I wonder how grandma and grandpa will feel when they get a letter in the mail to discover that their internet they use to only check mails from the kids/grandkids has been hijacked by a worm that they never heard about and now have to pay fines to cover damages. I mean other than the whole aww factor this plan will work.

      Why wait?

      I never said it shouldn't be put into effect i said really only problem is the whole "aww poor them" factor and we know that can be looked over easily especially when you slap them with a we told you in an email/letter.

      you can have your system locked down from the outside world but still doesn't stop the user from creating a hole by running malicious code. And having an up to date knowledge of worms and viruses floating about would significantly hinder spreading of them.

  25. encapsulate the zip by Gazzonyx · · Score: 1

    They don't (or didn't, as of the last time I sent myself an executable - within the last year) scan RAR or 7Zips for executables. Also, they won't check a doubly encapsulated archive; if you RAR or 7zip or gzip the folder, and then zip that, you should be fine. The best method is to use a lower compression method on the folder first (zip or gzip), and then encapsulate it with an archiver that uses a larger library (like 7zip or bzip2). This will keep it from 'bloating' on the second compression.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  26. Had this show up by sanjacguy · · Score: 3, Interesting
    We had this show up in our infrastructure. All the emails were this:

    Hi. Worshipper has sent you a greeting card.

    See your card as often as you wish during the next 15 days.

    SEEING YOUR CARD

    If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

    http://682.81.0.23/?9907cd64e28cae3d7703a3b01bda de (Poster's note: This URL has been altered to protect the rampant mad clickers amongst us)

    Or copy and paste it into your browser's "Location" box (where Internet addresses go).

    We hope you enjoy your awesome card.

    Wishing you the best, Administrator, americangreetings.com
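A check for the two tells in the message quoted above, as an added example that is not part of the thread: the link host is a bare dotted-numeric address, and it does not belong to the domain the message signs off as. The URL is the poster's already-altered one (its first octet is not a valid IP octet, so the detector treats any dotted-numeric host as an address literal); the benign message and the function names are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOTTED_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Deliberately small TLD list; enough for the brand-style sign-offs shown here.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org)\b")

# Text as quoted in the comment above (URL already altered by the poster).
LURE = """Hi. Worshipper has sent you a greeting card.

See your card as often as you wish during the next 15 days.

If your email software creates links to Web pages, click on your card's
direct www address below while you are connected to the Internet:

http://682.81.0.23/?9907cd64e28cae3d7703a3b01bda de

We hope you enjoy your awesome card.

Wishing you the best, Administrator, americangreetings.com
"""

# Constructed contrast case: the link stays under the domain the sender names.
BENIGN = """Hi. Alice has sent you a greeting card.

View it here: http://www.example.com/cards/view?id=12345

The Example Cards team, example.com
"""


def is_ip_literal(host):
    """True for real IP addresses and for malformed dotted-numeric hosts."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(DOTTED_RE.fullmatch(host))


def link_hosts(message):
    hosts = []
    for url in URL_RE.findall(message):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            host = None  # unparseable URL: nothing to compare
        if host:
            hosts.append(host)
    return hosts


def analyze(message):
    hosts = link_hosts(message)
    # Domains named in the prose, with the links themselves blanked out first.
    prose = URL_RE.sub(" ", message).lower()
    claimed = sorted(set(DOMAIN_RE.findall(prose)))
    ip_hosts = [h for h in hosts if is_ip_literal(h)]
    mismatched = [
        h for h in hosts
        if claimed and not any(h == d or h.endswith("." + d) for d in claimed)
    ]
    return {
        "link_hosts": hosts,
        "ip_literal_hosts": ip_hosts,
        "claimed_domains": claimed,
        "mismatched_hosts": mismatched,
        "suspicious": bool(ip_hosts or mismatched),
    }


if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(name, analyze(msg))
```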
    1. Re:Had this show up by Lord+of+Hyphens · · Score: 1

      I've had one of those (of slightly differing texts) every other day for the past couple weeks. Thunderbird flags it as suspicious, and even if it didn't, I'd still delete it anyway (yeah, like executables as attachments doesn't raise red flags all over the place anyway).

      --
      "I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
    2. Re:Had this show up by Degrees · · Score: 1
      Apparently this is a version of the original Storm Worm. The original sent along executable file attachments. This version asks the user to click on the link, which then uses JavaScript to push down the .exe and launch it. Some of the infected machines become web servers to deliver the trojan, others become spam engines to spread the invitations.

      Here is an article from SANS: Riding out yet Another Storm Wave (June 28, 2007), and The wave continues - Subject line variation from June 30.

      --
      "The most sensible request of government we make is not, "Do something!" But "Quit it!"
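The link-based variant described in this sub-thread (a greeting-card notice whose only link points at a bare IP address while the signature names a well-known card site) can be caught with a simple mail-filter heuristic. The following is an added example, not part of any comment above; the function names, verdict labels, scoring rules and both sample messages are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:com|net|org))\b", re.IGNORECASE)
LURE_PHRASES = ("greeting card", "ecard", "e-card", "postcard")

# Constructed sample modelled on the message quoted in the thread; the link
# uses a documentation-range address and a made-up token.
SAMPLE_LURE = """\
From: Administrator <cards@example.net>
Subject: You've received a greeting card

Hi. Worshipper has sent you a greeting card.
Click on your card's direct www address below:
http://192.0.2.23/?0123456789abcdef
Wishing you the best, Administrator, americangreetings.com
"""

# Constructed benign counterpart: the link goes to the domain the text names.
SAMPLE_LEGIT = """\
From: Cards <cards@example.com>
Subject: A greeting card is waiting for you

A friend has sent you a greeting card:
https://www.example.com/cards/view?id=42
Thanks, the example.com team
"""


def host_is_ip_literal(host):
    """True when a URL host is a numeric address rather than a DNS name."""
    if not host:
        return False
    if DOTTED_QUAD_RE.match(host):
        # Deliberately loose: out-of-range octets (such as the altered
        # address quoted in the thread) still count as "not a hostname".
        return True
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def url_host(url):
    """Host part of a URL, or '' when the URL cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def analyse(raw_message):
    """Return findings and a verdict for one RFC 822 message string."""
    text = body_text(message_from_string(raw_message))
    urls = URL_RE.findall(text)
    hosts = [url_host(u) for u in urls]
    ip_urls = [u for u, h in zip(urls, hosts) if host_is_ip_literal(h)]
    named_hosts = {h for h in hosts if h and not host_is_ip_literal(h)}

    # Domains mentioned in the prose (links removed first) that no link backs.
    prose = URL_RE.sub(" ", text)
    claimed = {d.lower() for d in DOMAIN_RE.findall(prose)}
    unbacked = sorted(
        d for d in claimed
        if not any(h == d or h.endswith("." + d) for h in named_hosts)
    )

    findings = []
    if ip_urls:
        findings.append("ip_literal_link")
    if urls and unbacked:
        findings.append("brand_named_but_not_linked")
    if any(p in text.lower() for p in LURE_PHRASES):
        findings.append("greeting_card_lure")

    if ip_urls and len(findings) > 1:
        verdict = "quarantine"
    elif ip_urls:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings,
            "ip_urls": ip_urls, "unbacked_domains": unbacked}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw))
```

The lure phrase alone never raises the verdict, so a genuine card notice that links to the domain it names is still delivered.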
  27. Mandatory Disconnect of Infected Computers by BoRegardless · · Score: 2, Insightful

    Make it a Federal Law that ISPs must disconnect infected computers, and users would be forced to fix things very quickly.

    Then if a botnet attack comes, turn off the overseas pipes as needed. Yeah I am a dreamer, but I am at least half way practical.

    1. Re:Mandatory Disconnect of Infected Computers by Howitzer86 · · Score: 1

      You can't force users to fix their computer... nor would you need to. I suffered a week without the internet and couldn't stand it. If they can't watch Youtube, download porn, or read Slashdot they won't need to be forced or threatened.

      But yeah, that is a very good idea. Currently my university will block the ip of any infected computer automatically - including the student's wireless laptops - if it detects spyware or viruses (or P2P connections). In order to reestablish a connection, you have to remove the offender and ask them to reconnect you.

    2. Re:Mandatory Disconnect of Infected Computers by cavemanf16 · · Score: 1

      Maybe on a college campus this is a generally good practice since the risk of infection and destruction is likely much higher than if it was suburbia with a bunch of old grandma houses up and down each street, but this would not be an adequate action to take legislatively.

      The U.S. already bans assault weapons, various drugs, and other "nefarious" activities or items which it believes making laws against will somehow magically protect the populace from pure anarchy. Unfortunately, these legislative measures have not all been useful in stemming the tide of the various levels of activities considered by the populace as "wrong." Kicking soccer moms and crusty old guys off of the 'net to eliminate spam- and bot-nets just isn't going to work. What we'll get instead are ISPs, colleges, and government organizations controlling ALL of the access to "the Internet" which specifically goes against the redundant nature and open freedom of what the Internet was originally intended to be used for: disseminating information.

      What you suggest is just another proposition of the Child Online Protection Act, CAN-SPAM, and the non-neutral network; which per the Electronic Frontier Foundation and many armchair politician slashdotters are all big failures at an attempt to force everyone to "just get along", a la Rodney King.

  28. I don't think we'll ever see a solution... by Anonymous Coward · · Score: 2, Insightful

    ...until software companies are forced to include normal consumer warranties (as in suitable for purpose, ability to access the internet with better security out of the box) and until individual zombie owners can get charged with "maintaining an attractive nuisance". The software sellers don't give a crap, as they have zero liability because of their ridiculous EULA and because the law lets them get away with it, and big corporations are scared to sue the 800 lb gorilla over this issue obviously (buncha pansie asses if you ask me), and the people who get infected don't care enough to do much about it, as the last decade has proven over and over again. Make it hurt both parties there financially, you'll see better coding and much reduced malwarez. And I could care less if this means much longer release cycles and the engineers take precedence over the marketing weasels and the PHB investor class. It will have to *hurt* those folks deeply in the wallet to get them to enter the 21st century and assume normal adult business responsibility for their alleged "products".

    Without those measures, we'll never have any sort of decent widespread security, it will always be too little, too late, catch up crap and the big dogs still raking in the billions for perpetual beta-crapware.

    Now free software I don't have as much of a problem with, as they don't charge any money for it, but the stuff that costs serious folding money-needs a normal consumer warranty.

    1. Re:I don't think we'll ever see a solution... by plague3106 · · Score: 1, Insightful

      If you're not going to apply it to free software then you shouldn't apply it to everyone. There's only so much vendors can do as well, because a user wants to be in control of their own computer, and may install viruses or bots unknowingly.

      Cut the brake line on your car and see if it falls under your car's warranty.

    2. Re:I don't think we'll ever see a solution... by LurkerXXX · · Score: 0

      I believe what we have here is a free market. If you don't like the non-warranty offered by one company, don't buy their product. Buy the one product from a company that does give the warranty you want. But I think you will have a REAL tough time coming up with one that's willing to do that though, be it closed or open source.

    3. Re:I don't think we'll ever see a solution... by hondo77 · · Score: 1, Insightful

      I believe what we have here is a free market. If you don't like the non-warranty offered by one company, don't buy their product. Buy the one product from a company that does give the warranty you want.

      Or one could buy the product that doesn't get turned into a zombie. Thus spake the Apple fanboy. ;-)

      --
      I live ze unknown. I love ze unknown. I am ze unknown.
    4. Re:I don't think we'll ever see a solution... by LurkerXXX · · Score: 2, Insightful

      I've seen numerous Apple users blindly type in the administrator username/password when prompted to by a program without having any idea why they needed to. If Apple's market share ever gets high enough to make it a juicy target, there are going to be Apple botnets as well.

  29. What about the Twinkie? by Anonymous Coward · · Score: 0
    Imagine this twinkie represents the total amount of Storm Worm spam in the financial sector networks alone...

    ...That's a big twinkie...

    1. Re:What about the Twinkie? by Kris_B_04 · · Score: 1

      But is it better than carrying an unlicensed nuclear accelerator on our backs? :)
      Kris

      --
      Remember when Windows were washed, mice were trapped and UNIX guarded the harem?
  30. Done and done by wezeldog · · Score: 1

    Brighthouse in my area does this. Let us say that I had my windows laptop infected (hypothetically, of course) one evening. The next morning I fire up my Linux desktop to check news, read Penny Arcade, etc. Brighthouse redirected my first request to a page stating that a machine attached to my cable modem is blasting out emails and I need to address it or some further action would be taken. Sure enough, it sent out over 30,000 emails overnight. I fixed and let them know. I don't know what the further action would have been, but they were on it.

  31. SPAM - the stupid side of things... by PortHaven · · Score: 1

    Government and Big Corp always seem to be there when you don't want them. But they're never there when you do.

    For years I've wondered why we have such a persistent SPAM problem. There are a number of things that can be done - but aren't.

    - I don't believe there is ANY excuse for old viruses to circulate the web. I understand a new virus, but once a virus is known it should be stopped at the ISP & backbone levels.

    - Where is the government? SPAM supposedly costs businesses billions of dollars a year. That would mean to me that a portion of the trillions of dollars paid to the U.S. government in taxes should be allocated to its cessation. Nail the spammers, and nail them hard.

    - I get the same Myspace SPAM message a few times a week for a year now. So do most others on MySpace. The spam uses the same image for finance loans over and over. WHY? It should have been stopped ages ago.

    - How to stop it...well, the easy way is to have a government or corporate entity utilize the SPAM service and trace the money back to its source. Oh, and don't tell me that it's outside of our jurisdiction in some 3rd world country.

    - If it's in a third world country. Let's help that nation's economic situation. A nice reward for x individual and company to be shut down would do wonders. Now, if that $10,000 reward happens to have Storm Controller's head removed from his body. It'd be a downright dirty shame...but not much more.

    *growls*

    1. Re:SPAM - the stupid side of things... by Anonymous Coward · · Score: 0

      You must be new here....

    2. Re:SPAM - the stupid side of things... by OriginalArlen · · Score: 1

      You have suggested a solution to the spam problem. Your idea advocates a

      (x) technical (x) legislative ( ) market-based (x) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      (x) It is defenseless against brute force attacks
      (x) It will stop spam for two weeks and then we'll be stuck with it
      (x) Users of email will not put up with it
      (x) Microsoft will not put up with it
      (x) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      (x) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      (x) Laws expressly prohibiting it
      (x) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      (x) Jurisdictional problems
      (x) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (x) Armies of worm riddled broadband-connected Windows boxes
      (x) Eternal arms race involved in all filtering approaches
      (x) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      (x) Technically illiterate politicians
      (x) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      (x) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      (x) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      (x) Countermeasures should not involve sabotage of public networks
      (x) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      (x) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      (x) I don't want the government reading my email
      (x) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (x) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    3. Re:SPAM - the stupid side of things... by erroneus · · Score: 1

      Of all the canned slashdot responses, this form has GOT to be the most intolerable. Isn't it enough to say "I don't think it will work?" This sort of response says the following about your character:

      [*] You're an arrogant ass
      [*] You're presumptuous and probably didn't read what he wrote
      [*] You don't believe there's a solution because you didn't think of it first

      People discuss on these forums to express their thoughts, ideas and feelings on any given matter. Just because you have been here longer than some and have heard or seen the same [bad] ideas over and over and over doesn't mean the responders are unworthy of responding. In fact, it really seems to suggest that since you lack patience and understanding that maybe you have outgrown slashdot and should probably move on to other areas where you can antagonize others with your snobby and smug attitude.

    4. Re:SPAM - the stupid side of things... by OriginalArlen · · Score: 1

      right. Thanks for putting me straight on that.

      --

      Everything I needed to know about life, I learnt from Blake's Seven
  32. Cool by nurb432 · · Score: 1

    With a bit of luck it will kill the entire net for days, perhaps weeks.

    Then perhaps something might actually be done about this nonsense once and for all. The only way something will get done is if it hits the pocket books of enough 'big players'.

    --
    ---- Booth was a patriot ----
    1. Re:Cool by Overzeetop · · Score: 3, Interesting

      Do you realize the kind of productivity spike we could get if the 'net was down for, say, a week? One day would be lost to people trying to get back up, admittedly, but then we'd all just start doing work, checking the 'net connection more and more infrequently. After a week, we'd probably run out of work on our desks that didn't need internet lookups, though most of us still have paper catalogs around so it wouldn't be a total loss. Faxing would get popular again, as would phones and voicemail...but no outside IM and email to deal with.

      I'm going to call it a net win for productivity and business in general. Which means that it's most likely that big business is behind the internet shutdown...and the Storm worm.

      Shit, where'd I put that damned tinfoil hat...

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Cool by Reservoir+Penguin · · Score: 1

      Sure, Sir Elton Shutdown the Internet! Then we'll all go to bars and basements jamming together, building up on each others rhythms, creating beautiful live music!

      --
      US-UK-Israel: The real Axis of Evil
  33. Question on attachments by Anonymous Coward · · Score: 0

    In the past few weeks I've been seeing a lot of the "greeting card" mail. But in the past few days I've seen a huge increase in spam, most of it with a .pdf attachment. More of the same or something else?

    1. Re:Question on attachments by tkrotchko · · Score: 1

      I've seen a huge spike in SPAM on my hotmail accounts.

      Also, the PDF emails are simply a way to get past spam filters; they're all viagra/meds style ads. These started appearing about a month ago.

      --
      You were mistaken. Which is odd, since memory shouldn't be a problem for you
  34. not important by memnock · · Score: 1

    ahh. that explains my hour's worth of BSOD yesterday. couldn't have been anything i intentionally did. heh.

  35. ISP Solution by ancientt · · Score: 1

    Every web page the infected connection tries to go to says: This is a message from [YourISP]. In accordance with Federal regulations, your Internet access has been temporarily suspended. Your connection has been identified as one which has the [Virus flavor of the week]. You can download a removal tool: [link here] or contact us at 800-whatever. If you prefer, you may contact us at the phone number listed on your service bill.

    Every email gets bounced/returned with the same message.

    It would work without the "In accordance with Federal regulations" but probably not as well as people are a lot more likely to complain about something they voluntarily pay for. It wouldn't be that hard to implement for any size ISP, and they could do anything from active scanning or passive monitoring to only reacting to reports of infected machines.

    --
    B) Eliminate all the stupid users. This is frowned upon by society.
    1. Re:ISP Solution by DerekLyons · · Score: 1

      The funny part is - in any other context Slashdot would be screaming about ISPs monitoring their traffic and/or vigilante justice (being susceptible to abuse as it is).

  36. Why not an anti-virus virus? by ChronoFish · · Score: 1

    Could you imagine an anti-virus virus?

    A virus that searches your memory/drive for other viruses/spam/spyware, kills and removes them if any are found, replicates, then cleans up after itself....

    -CF

    1. Re:Why not an anti-virus virus? by novocastrian · · Score: 1

      Sounds nice in theory, but in practice there's no way it'd work. Most of these worms still rely on dumb users clicking/running attachments, which is how the anti-virus would need to spread as well. Ok, so you receive an email from a friend (or stranger) saying "here's a great tool to remove viruses from your computer! Click the attachment!". How long before a virus maker starts distributing identical messages with a somewhat different payload?

    2. Re:Why not an anti-virus virus? by Anonymous Coward · · Score: 0

      No imagination required, they have existed for ages. Numerous malicious worms / trojans try to kill off the competition, and there have been some "benign" ones in the wild just as you describe, e.g. Code Green and friends created to respond to Code Red / Code Red 2. The problem is that there can't really be a truly benign / beneficial worm because it's still changing systems without permission, e.g. some of the anti-Code-Red ones made it hard to tell which machines had been patched properly. Also any self-replicating code tends to have unexpected side effects. Welchia was created to combat Blaster, but brought subnets to their knees ping scanning for machines to patch, in many cases causing more disruption than Blaster did ...

    3. Re:Why not an anti-virus virus? by Faylone · · Score: 1

      I don't have to imagine it, I've had to clean such a virus off my sister's laptop.

  37. Linux won't run it! :( by kimvette · · Score: 1

    I'm sitting here all pissed off because I just can't get that trojan to run. I've been fiddling with wine for hours and even tried it under crossover office, and damn it, I just can't get my machine infected. The next step is going to be installing Windows into a qemu image because I just don't want to miss out on full Windows compatibility! Grrrr.

    Seriously though, I thought Windows was supposed to be more secure, and less prone to this stuff than Linux? I mean, that's what Microsoft's Get The Facts campaign was all about wasn't it? I know, one can claim that Linux just isn't much of a target because of market share, but the reality is that the security model is vastly superior.

    Windows can be made secure, but so many programs are STILL coded such that administrative access is provided that backwards compatibility is Windows' Achilles' Heel. I was hoping Microsoft would use XP (and more recently, Vista) as a breaking point (like Apple did with OS X) but sadly they didn't in either case.

    I hope these infections REALLY blow up and cripple the Internet for a few days, because it would make many people question the wisdom in continuing to pay for cosmetic updates to Windows.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:Linux won't run it! :( by Anonymous Coward · · Score: 0

      Windows can be made secure, but so many programs are STILL coded such that administrative access is provided that backwards compatibility is Windows' Achilles' Heel. I was hoping Microsoft would use XP (and more recently, Vista) as a breaking point (like Apple did with OS X) but sadly they didn't in either case.


      Pfff, people already scream bloody murder over the handful of apps that AREN'T vista compatible... I can't even *imagine* the hullabaloo that would come about should they have taken that path. Microsoft realizes that the only way to make people want your OS is to make sure that you have the most useful programs available for your OS (Thus developer tools are practically free - express edition anyone?).

      I'm sure that if you talked to any of the Vista boys they would have straight up sacrificed their first born in exchange for a chance to cut an all new OS with no backwards compatibility. If you read up on the history of Windows and the things those guys have had to do to make sure programs run correctly on the latest version of their OS - it'd melt your brain. The fact is, most programmers are lazy idiots who refuse to follow Microsoft's best practices. So even when they design all of the APIs and everything else to make programs be secure, compatible with future OSs, stable, etc programmers find a way to just ignore it and do whatever they want. I know this because I work for a place that does just that! ugh.

      Aaaand I don't care what OS you have - if people are freaking retarded enough to always go around clicking on pictures of kittens and naked chicks you will always have trojans floating around. Hacking 101 - Social Engineering! You don't need to be smart, you just have to count on the user being dumb.

      The only thing I can think of is that all e-mail clients should come with whitelist spam checking by default. Then make adding new addresses to the whitelist completely brainless. Most of these people (like my mom) are getting e-mail from probably 10 different friends / family and that's it. They can add the addresses they want to receive e-mail from in a few minutes. No big deal. More advanced users will just be smart enough to turn it off or change it to blacklist.
  38. WinRAR by RudeIota · · Score: 0

    Compressing my EXEs with RAR files works for me. :)

    www.rarsoft.com

    --
    Fact: Everything I say is fiction.
  39. getting around google virus scans by lightyear4 · · Score: 1

    tac yourarchive.zip > reversed.zip

    attach reversed.zip, download remotely and then

    tac reversed.zip > yourarchive.zip

    works perfectly :) ***

    ***"man tac" if you're unaware of it

  40. Vigilante worms by yters · · Score: 1

    Does anyone make these? I'm thinking of worms that purposefully go out and deactivate malicious worms without trying to form botnets themselves. I've heard of virii deleting each other, but this is still for the purpose of controlling the box.

    1. Re:Vigilante worms by mjwx · · Score: 2, Informative

      The idea has been put forward and dismissed a number of times. The virii are either too ineffective or (unintentionally) destructive on their own.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  41. File host service! by antdude · · Score: 1

    Get a secure file host or use YouSendIt (SSL supported).

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  42. sigh by suezz · · Score: 1

    windows is one nasty piece of crap

    1. Re:sigh by Anonymous Coward · · Score: 0

      your mom

      (man i'm sick of fanboys on /.)

  43. What is Affected? by His+Shadow · · Score: 1

    Just another in a long list of security sites that seem incapable of describing who is affected and what should be done about it.

    --

    Fiat Homos et Pereat Theos

  44. "The silent majority" isn't here. by Anonymous Coward · · Score: 0

    "Oh do behave. That argument might fly for specialist drafting or accountancy software, but not here. For the market segment under discussion, all people want is a browser, a word processor, something to check their email. Maybe an instant messenger if they're a bit advanced."

    Sounds like you're the one who should behave. Those "grumpy, old ladies" could be running their knitting/sewing machines hooked up to their computer. People in other words are doing a lot more than you think with their PCs. And trying to address the deficiencies of Linux by saying "but they'll never do that" is just plain ignorance.

    1. Re:"The silent majority" isn't here. by NickFortune · · Score: 2, Insightful

      Those "grumpy, old ladies" could be running their knitting/sewing machines hooked up to their computer.

      They could indeed. Probably not those particular ones however. The show is called Grumpy Old Women and takes a handful of the BBC's more curmudgeonly female celebs and gives them free rein to gripe about the things that wind them up. Not as good as Grumpy Old Men (IMHO) but that could be down to gender bias on my part.

      The "silent majority" however (and no, it's not my choice of phrase, either) don't on the whole do such things. Most of the non geeks I've spoken to use their computer for surfing, p2p, messaging, email or WP. That's not generally a controversial opinion, even among the Redmond faithful.

      And trying to address the deficiencies of Linux by saying "but they'll never do that" is just plain ignorance.

      If that was what I was doing, (and I don't accept that Linux is deficient in comparison to Windows) then I'd be more likely to use the term "disingenuous". But you know, saying that Windows is better because it has software which little old ladies may someday want to use to program their knitting machines.. well that's like saying Linux is better because they may someday decide to learn C and write their own device drivers. I suppose each argument has merit to the extent that the relevant scenario is possible; I just don't think either probability to be particularly high, which renders the arguments rather less than compelling.

      On the other hand, sooner or later someone is going to write a Linux package to drive those knitting machines. Of course windows may get less annoying in the same time frame. But there are people who don't have knitting machines who might prefer not to wait for either occurrence.

      --
      Don't let THEM immanentize the Eschaton!
  45. What does Linux need with a botnet? by Anonymous Coward · · Score: 0

    "Now suddenly they have a monster by the tail and are not sure what to do with it."

    Use it to make Linux look good.

  46. Military?-DDOSing the third world. by Anonymous Coward · · Score: 0

    And all those countries are more vulnerable with their uber high-speed, always on, everything's a connection compared to the "backwards, can't get the lead out, everything's a cap, throttle's not just for cars" US.

  47. Re:My fp worm by jujuchef · · Score: 0, Offtopic

    Wow dude(ette) parent! You've been branded Troll! You have to be like in the top 5 posts these days on /. to get that title! Consider yourself adorned!

    It brings a sniff (a sniff?) to my eye when like, 1 in 5 were branded Trolls like the parasitic technophiles we are.

    --
    Truth is realized, not told...
  48. I hear other countries can get internet too now! by Anonymous Coward · · Score: 0

    Virus creators are another problem ... once identified, they need to spend hard time in a Federal PMITA Prison ... 1 day of time served per infected system. That should make the point. A small sized infection could easily churn up a 20 year sentence. At the current rate of technological change, am pretty sure the perp would have some degree of difficulty repeating the offense at the end of that kind of prison term.
    How's that going to deter Borat in Kazakhstan?
  49. Re:bad analogies by Hucko · · Score: 1

    Hmmm.. should have been a Honda Civic engine driving a Kenworth.

    --
    Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
  50. Re: Not Cool by Anonymous Coward · · Score: 0

    Not Cool. You might become productive, but my business is internet only, which means zero $ for me. I can guarantee that all of my machines are clean, but that's easy to do when you only have 4 boxes, and you happen to know WTF you're doing.

  51. Mod Parent Up by dkf · · Score: 1

    Using subversion (or other similar SCM) is absolutely the right solution for this, especially if you ever expand to include a third location or any other developer.

    Otherwise, a thumb drive is a good investment and you can just make it part of your standard pocket contents (like house keys and wallet).

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  52. SELinux by Werrismys · · Score: 1

    Short answer: SELinux properly configured.

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
  53. home car maint by Anonymous Coward · · Score: 0

    no longer true

    now-a-days you have to prove that you've had your car maintenance performed by an authorized shop - or else you void your warranty

  54. and port 25 by Anonymous Coward · · Score: 0

    And ISPs need to turn off random outgoing port 25 for home users.

  55. [REN-ISAC]Storm Worm DDoS Threat to the EDU Sector by pgn674 · · Score: 2, Informative

    Here's a notice to the education sector and what the Storm Worm can mean to universities: http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0708&L=cio&T=0&F=&S=&P=4540