Storm and the Future of Social Engineering

Albert writes "Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques — such as tying spam campaigns to a current event or site of interest — as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized — and with Storm using the latest generation of P2P technology, it cannot be disabled by simply 'cutting off its head.' In addition, Storm is self-propagating — once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes."

Self created problem?

Social engineering is often a bit of a self created problem. Look at this (legitimate, yes, I confirmed) email I got today. I reported a very easily reproducible bug, in a internet hosting (for a client) software package. Here is there response:

Hi Eric

Please forward us the username and password that your using so we can login and test this problem

Cheers,

Bruce Renner
Betta Computer Services Pty Ltd
Unit 2 / 55 Tradelink Rd, Hillcrest, 4118
Ph: 3809 2999
Fx: 3809 3999

http://www.bettacomputers.com.au

Note: This message may contain privileged and confidential information that is the property of the intended recipient. The information herein is intended only for use of the addressee. If you are not the intended recipient, then you are requested to return e-mail to Betta Computer Services Pty Ltd and destroy any copies made. Copying or disseminating any of this message is prohibited. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Betta Computer Services Pty Ltd.

Re:Self created problem?

[DriedClexler]

Similar problem here. Time Warner Cable claimed I was late on a bill (true, it turns out) and so they called me and asked me to pay immediately. First, I thought, "Okay, they're not stupid enough to have a policy expecting customers to give out their CC info to someone claiming to be from TW. They just want my verbal authorization to bill a number I already gave them."

Then it turns out the guy did want my CC number. When I pointed out that I have no way of knowing that this is really TW or a scammer, so the best I can do is acknowledge his notice and check my own online account, he responded, and I'm not making this up, "Yes, I understand. But I can GUARANTEE YOU that this really is Time Warner."

I replied, "No, you can't." and hung up.

Then of course, after I paid, they tried the same thing then realized mid-call I had paid it.

Re:Self created problem?

[hobbit]

Tell me about it.

Some background to the particular bee in my bonnet: OS X is designed with a certain folder structure repeated in various different places: /System/Library (for Apple), /Library (for systemwide installation), ~/Library (for individual users), /Network/Library (for all machines on a network). These folders form a sort of search path, rather like /usr/local/bin:/usr/bin but for all sorts of things (preferences, fonts, plugins, etc.)

However, the GUI installation tool only allows for installation by default into /Library. It is possible to override this at the command line, but it's not possible to create an installer that gives the user the option of installing into ~/Library, or does so by default.

The upshot of this is that every install that uses Apple's installer asks you for your admin password (so that it can write to /Library). Not because it necessarily needs to write system-wide stuff, but because as an application developer, you'd have to hack it to be able to write to ~/Library.

In other words, Apple has been training users these past 8 years to type their admin password at the drop of a hat.

This will certainly come back to bite them.

Re:ZOMG BOTZ

[Magada]

Speaking as someone who's in the business... pretty much, yes. Also, IronPort is on a charm offensive because of the takeover - trying to convince everyone that they won't be less nimble now that they're chained to the big ol' dinosaur in the corner.

Opinions:

[ledow]

Not surprised.
Took it's time.
Why isn't every virus doing this?

Seriously, this has always been possible, always been a threat. It's not surprising. It's "different" but you can't even call some parts of that "new"... other people thought of these things years ago.

I wouldn't be surprised if the next step is an "evolution"... instead of a simple worm, we get a virus that changes itself programmatically to avoid detection, uses information from previous successful hacks to propogate itself (e.g. "People click on me if I claim to be from this website... I'll send out some more of me claiming to be from that and similar websites"), or authors piggy-back increasingly more complex viruses on the back of Storm, so that eventually there is just a "swarm", instead of a "Storm".

And then the "virus swarm" will be seen as a single entity and you'll be defending your computers against it and reading adverts for "Anti-SWARM" software, etc.

Why. . ?

[Fantastic+Lad]

Okay. So something has been confusing me for ages now. --The program propagates itself; spreads copies of itself all over the place. So why doesn't somebody look at the code in one of those copies to determine everything anybody would ever want to know about it thus enabling people to pretty much ignore it?

I know that this is what anti-virus companies do, but the way people talk about Storm and similar bot nets, makes it sound as though there is some elusive quality which allows it to do all these unexpected things. What gives? It's just a program. What's the big deal? Or IS there a big deal? I've never been infected.

-FL

Re:A Little Education can bring calm after the sto

[Sloppy]

How can we teach everyone to pay attention when .. lights on the cable modem go nuts .. ?

Send them a bigger network usage bill the following month.