Storm Hits Blogger Network

ancientribe writes "Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network, according to an article in Dark Reading. And this isn't simple comment spam, but actual blogs that post spam, and now, Storm executable files. A researcher who's been tracking the Storm-infested blog sites says he's working with Google to clean up this latest appearance of Storm."

Re:They have no idea?

[saxoholic]

I disagree. I don't think that's incompetence. It's an honest admission that more investigating is needed to determine the way these blogs are being infected. Would you prefer them to make up an incorrect hypothesis as to how they're doing this?

Passing Fad

Two articles about 'blogging' in a row. I really hope this isn't what my generation will be known for.

Re:Passing Fad

[Opportunist]

Relax. You can't be worse off than the Disco generation.

No surprise

[Tribbin]

That storm is initiated by the hot damping humid air invading from the female bloggers.

Figures...

[Ethanol-fueled]

Direct correlation between more women bloggers and more infected blogs :)

Skynet

[courtarro]

Did anyone else see Terminator 3? They predicted this "Storm" virus. It was only a matter of time before it became self-aware and began making emo blog posts without human intervention.

Sad...

[SanityInAnarchy]

The sad part is, from what I've seen and heard, this Storm "virus" does need human intervention.

It doesn't do anything technically new. The only thing new here is the particular brand of social engineering used, and it bothers me that this still works.

Re:Sad...

[DaSilva_XiaoPuTao]

While the email's did contain a link that you needed to follow, I believe the site tried to exploit browser vulnerabilities to try infect your computer. In fact I think it generates different pages based on your user agent string to try and exploit the different browsers.

With regards to the link, they were also masked well to show up as a youtube url.

All in all I think this means that you don't have to be a total idiot to get infected, maybe just a little naive.

Re:Sad...

[SanityInAnarchy]

With regards to the link, they were also masked well to show up as a youtube url.

If by "masked well", you mean:

<a href="http://136.159.166.125/">http://www.youtube. com/watch?v=BmcXqxdPoP6</a>

Yeah, I'd say that's more than "just a little naive" -- it's downright stupid. I don't know how Outlook does it, but Kontact/Kmail does two things: First, it defaults to displaying everything as text if it can, with a big red box at the top that says:

Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.

(Link goes nowhere, as this is Slashdot, not actually Kmail.)

After clicking that link, the HTML is shown, but without images. A similar box will be there if there are external images, allowing you to turn them on. But even with everything enabled, it's still easy as hell -- mouseover the youtube link, and the nappy IP address link shows up in the status bar.

Ok, fine, let's assume that someone can be "just a little naive" at that point -- which I think is a stretch, in this day and age; someone who doesn't know that much should take a course before touching a computer.

In that case, the last time I tried to do that, it opened up Konqueror, which popped up a window asking me what I wanted to do with this file. HINT, HINT, HUGE FUCKING HINT -- the file ends in .exe, which again, every computer user should know, means "executable". But even if they don't, every computer user should at least know not to download/open random files from the Internet, unless it's a format they recognize.

How long did it take us to convince computer users to not open attachments? And now this takes the world by storm...

In IE, if I remember, this is going to give you one prompt to download it or "open" it, and after you click "open", it will download, and then give you at least one, if not two more prompts about the program being unsigned. If you're running Vista, it will give you yet another prompt, telling you that this program needs your permission to continue fucking with your computer.

That's -- let me count -- about five separate clues that you don't even have to go out of your way to run into -- realistically, probably three or four. Not to mention the fact that my spamfilter caught most of these before I even started seeing them and training on them, and that example I just pasted to you contains the email address "jerk2werk@nehp.net" -- yet another obvious clue; I don't know anyone with an email address like that.

And there are yet more clues if you start digging -- turning on "all headers", you can see two "Received:" headers and one "Sender:" header, neither of which matches, in any way, the "From:" header.

I'm not saying that everyone should know how to dig through email headers, until they have to -- but those are just the technical "duh" factors. There's also the nontechnical one -- I didn't make a video, and I didn't upload it to Youtube. I might click that link out of curiosity, but clicking a normal Youtube link doesn't ask me if I want to download or open anything.

So what's sad to me is not only that this kind of shit still happens, but that you, like many others, consider it to be "not stupid, just a little naive." We require Driver's Education in my state to operate a car, which is significantly easier than a computer -- if you don't know how to use a computer, it absolutely IS your fault. Go educate yourself.

As for the browser vulnerability, nope, sorry, read TFA. It's the exact same thing as the email "virus" -- it just has Youtube links to an exe file. Another one is even more obvious -- the link includes the nappy IP address right there, links to a file calle

Re:Sad...

[arivanov]

One comment: The webpage is dynamic. The .exe you see when clicking on the link is the final choice after exploits failed (and they did). If you we Joe Average who did not bother to pay for AV and did not update his machine since he bought it from Best Buy you would have been infected straight away long before that. No prompts.

Re:Sad...

[LordSnooty]

Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.

And I'm afraid there's your problem right there - the kind of error message which 80% of computer users, ie the naive ones, pay no attention to whatsoever. They either ignore it completely or try and understand what it means but give up. Average people don't know what HTML is, nor what effect an HTML message could have. It's this barrier of misunderstanding which good software needs to negotiate. I'm afraid that's a poor error message.

Re:Sad...

[Opportunist]

And even if all those auto infections run into the ground, how many will click "allow" when you promise them some pr0n?

People are dumb and horny. Not necessarily in this order.

Re:Sad...

[Sancho]

That's what IE7 on Vista does. But it's hard to sandbox "download and run this EXE for me, please" after the user has requested it, clicked ok, clicked "Yes I'm sure", and clicked "I trust this executable, now run it already!"

It's social engineering, and it will always work until/unless we remove control of computers from the users. That's not a solution I'm personally willing to endorse. How about you?

Don't forget the nematodes

[MarkRose]

The blogosphere has hit the mainstream, according to a new survey, which reveals that 80% of Americans know what a blog is, 50% regularly visit blogs, and 8% publish their own blog. The survey also reveals that more women than men are bloggers, with 20% of American women who have visited blogs having their own versus 14% of men.

And 2% of worms!

And I thought Trojans were supposed to prevent infections. Hah.

lol

[thatskinnyguy]

You say "asshats making worms". I say "people creating job security for us IT guys". Sad that its come to this.

Google does not terminate spammers.

72.14.207.191 (blogger.com) is listed in the Spamhaus SBL for their inability or unwillingness to terminate spamvertised blogspot sites. This has been an issue for months.

"Thousands upon thousands of *.blogspot.com pages, all spammed and used to re-direct to other spammer landing pages"

Re:Ballmer's Revenge?

[dedazo]

Oh, they know it's a M$ born disease

That's quite the glib statement, considering that worm requires so much user action (or inaction, depending on how you look at it) to infect a Windows box, it's not even funny.

How many years do you think it will take before some court proves this was intentional?

Are you serious?

Oh, wait a minute... *slaps head* "Erris" is twitter's sockpuppet account, which he uses to shill his own posts.

I thought this looked familar.

Re:They have no idea?

The guy saying "I have no idea" isn't an employee of Google/Blogger, he's just the guy on the outside saying he doesn't know how.

I'm on the outside also, but can tell you how. Blogger has a mail2 feature where you can post to an email address that you make up, and keep secret. Like a password. With users who makeup easy mail2 addresses (then don't monitor or abandon their blogs), and millions of emails being sent by the Storm BotNet, not hard to figure out how they are getting posted. Eventually the botnet hits them, just like they do with regular email addresses, and they get posted to the blog.

And also note, the summary is misleading somewhat. The actual files that do the "infection" aren't hosted on Blogger at all. The same thing that is getting sent to peoples emails are being posted to blogs that leave their mail2 address open and easy. So you still have to fall for the click here to get infected...

This has been going on for awhile. I first saw it at least 2 months ago. It may be increasing, but not new.

I blocked .blogspot.com referrers a few days ago

[innocent_white_lamb]

A couple of days ago, I got tired of the formmail spam that my users were receiving from their "contact me here" webpages. After reviewing my logs, I made .htaccess files on my webserver:
 
order allow,deny
deny from 206.51.229.
deny from 206.51.233.
allow from all
  RewriteEngine on
RewriteCond %{HTTP_REFERER} blogspot\.com [NC]
RewriteRule .* - [F]
 
This has cut the formmail spam that I receive down to zero ever since I set it up.
 
The deny from lines take care of some guy who downloads the html submit form and posts spam from "Darksites.com", and the Rewrite denies access from all .blogspot.com referrers. I still see a few dozen hits every day from all of these, but they are all 403 now so I'm happy.
 
Here is a single example from a few minutes ago:
 
72.47.89.233 --[30/Aug/2007:22:28:22 -0600] "GET / HTTP/1.0" 403 3931 "http://hydrocodone--4t1.blogspot.com" "Opera/9.0 (Macintosh; PPC Mac OS X; U; en)"