Slashdot Mirror

← Back to Stories (view on slashdot.org)

Storm Hits Blogger Network

Posted by CowboyNeal on from the ridin'-the-storm-out dept.

ancientribe writes "Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network, according to an article in Dark Reading. And this isn't simple comment spam, but actual blogs that post spam, and now, Storm executable files. A researcher who's been tracking the Storm-infested blog sites says he's working with Google to clean up this latest appearance of Storm."

5 of 89 comments (clear)

  1. Sad... by SanityInAnarchy · · Score: 5, Informative

    The sad part is, from what I've seen and heard, this Storm "virus" does need human intervention.

    It doesn't do anything technically new. The only thing new here is the particular brand of social engineering used, and it bothers me that this still works.

    --
    Don't thank God, thank a doctor!
    1. Re:Sad... by DaSilva_XiaoPuTao · · Score: 4, Informative

      While the email's did contain a link that you needed to follow, I believe the site tried to exploit browser vulnerabilities to try infect your computer. In fact I think it generates different pages based on your user agent string to try and exploit the different browsers.

      With regards to the link, they were also masked well to show up as a youtube url.

      All in all I think this means that you don't have to be a total idiot to get infected, maybe just a little naive.

    2. Re:Sad... by SanityInAnarchy · · Score: 4, Informative

      With regards to the link, they were also masked well to show up as a youtube url.

      If by "masked well", you mean:

      <a href="http://136.159.166.125/">http://www.youtube. com/watch?v=BmcXqxdPoP6</a>

      Yeah, I'd say that's more than "just a little naive" -- it's downright stupid. I don't know how Outlook does it, but Kontact/Kmail does two things: First, it defaults to displaying everything as text if it can, with a big red box at the top that says:

      Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.

      (Link goes nowhere, as this is Slashdot, not actually Kmail.)

      After clicking that link, the HTML is shown, but without images. A similar box will be there if there are external images, allowing you to turn them on. But even with everything enabled, it's still easy as hell -- mouseover the youtube link, and the nappy IP address link shows up in the status bar.

      Ok, fine, let's assume that someone can be "just a little naive" at that point -- which I think is a stretch, in this day and age; someone who doesn't know that much should take a course before touching a computer.

      In that case, the last time I tried to do that, it opened up Konqueror, which popped up a window asking me what I wanted to do with this file. HINT, HINT, HUGE FUCKING HINT -- the file ends in .exe, which again, every computer user should know, means "executable". But even if they don't, every computer user should at least know not to download/open random files from the Internet, unless it's a format they recognize.

      How long did it take us to convince computer users to not open attachments? And now this takes the world by storm...

      In IE, if I remember, this is going to give you one prompt to download it or "open" it, and after you click "open", it will download, and then give you at least one, if not two more prompts about the program being unsigned. If you're running Vista, it will give you yet another prompt, telling you that this program needs your permission to continue fucking with your computer.

      That's -- let me count -- about five separate clues that you don't even have to go out of your way to run into -- realistically, probably three or four. Not to mention the fact that my spamfilter caught most of these before I even started seeing them and training on them, and that example I just pasted to you contains the email address "jerk2werk@nehp.net" -- yet another obvious clue; I don't know anyone with an email address like that.

      And there are yet more clues if you start digging -- turning on "all headers", you can see two "Received:" headers and one "Sender:" header, neither of which matches, in any way, the "From:" header.

      I'm not saying that everyone should know how to dig through email headers, until they have to -- but those are just the technical "duh" factors. There's also the nontechnical one -- I didn't make a video, and I didn't upload it to Youtube. I might click that link out of curiosity, but clicking a normal Youtube link doesn't ask me if I want to download or open anything.

      So what's sad to me is not only that this kind of shit still happens, but that you, like many others, consider it to be "not stupid, just a little naive." We require Driver's Education in my state to operate a car, which is significantly easier than a computer -- if you don't know how to use a computer, it absolutely IS your fault. Go educate yourself.

      As for the browser vulnerability, nope, sorry, read TFA. It's the exact same thing as the email "virus" -- it just has Youtube links to an exe file. Another one is even more obvious -- the link includes the nappy IP address right there, links to a file calle

      --
      Don't thank God, thank a doctor!
    3. Re:Sad... by arivanov · · Score: 3, Informative

      One comment: The webpage is dynamic. The .exe you see when clicking on the link is the final choice after exploits failed (and they did). If you we Joe Average who did not bother to pay for AV and did not update his machine since he bought it from Best Buy you would have been infected straight away long before that. No prompts.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  2. I blocked .blogspot.com referrers a few days ago by innocent_white_lamb · · Score: 3, Informative

    A couple of days ago, I got tired of the formmail spam that my users were receiving from their "contact me here" webpages. After reviewing my logs, I made .htaccess files on my webserver:
     
    order allow,deny
    deny from 206.51.229.
    deny from 206.51.233.
    allow from all
      RewriteEngine on
    RewriteCond %{HTTP_REFERER} blogspot\.com [NC]
    RewriteRule .* - [F]
     
    This has cut the formmail spam that I receive down to zero ever since I set it up.
     
    The deny from lines take care of some guy who downloads the html submit form and posts spam from "Darksites.com", and the Rewrite denies access from all .blogspot.com referrers. I still see a few dozen hits every day from all of these, but they are all 403 now so I'm happy.
     
    Here is a single example from a few minutes ago:
     
    72.47.89.233 --[30/Aug/2007:22:28:22 -0600] "GET / HTTP/1.0" 403 3931 "http://hydrocodone--4t1.blogspot.com" "Opera/9.0 (Macintosh; PPC Mac OS X; U; en)"

    --
    If you're a zombie and you know it, bite your friend!