Faux-CNN Spam Blitz Delivers Malicious Flash

CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."

Ahhh, that explains it

[Chris+Pimlott]

I was wondering why I being spammed with such a seemingly innocuous message, I thought perhaps it was just a filter poisoning attempt.

Re:Ahhh, that explains it

1995 called, they asked if "for(;;)alert("ha ha");" still f**ks current browsers for the average user?

Re:Ahhh, that explains it

[Shivetya]

I have about a hundred in my spam box, they were all addressed to a contact name on a websites I maintain. None were sent to either personal address or the protected email address listed elsewhere on one site I have.

I did receive them on the corporate level and can only assume to name they spoofed allowed them to broadcast to all notes users... then again knowing some of my co-workers

Re:Ahhh, that explains it

[cayenne8]

Well...you gotta figure pretty much anything from CNN is spam, and is to be ignored, or at viewed with suspicion....

:-)

Re:Ahhh, that explains it

[fbjon]

2008 replied, surprisingly they said Firefox gets stuck, but Opera doesn't.

Re:Ahhh, that explains it

I got a variation on this as an e-mail from a friend on Facebook.
[
SoAndSo sent you a message.

Subject: Hey ya.

"My friend catched you on hidden cam. LOL:
http://URL
]

It tries to get you to install a 'new" flash player.

Re:Ahhh, that explains it

[Lord+Apathy]

Mods on crack again? A Troll? Sounds like sound advice to me.

I got one of these

it took me quite a while to figure out why this would be effective spam.

Then I had a look a the HTML view. Quite insidious.

It provides what looks like a linkified http://www.cnn.com/xxxxxxx that actually referrs to a different url.

Re:I got one of these

The spam filter we use shows both "from" addresses....and it's clear that it's NOT cnn....

*hugs hexamail*

Re:I got one of these

[hannas]

One arrived in my mailbox of an account I rarely check (used to run on *nix, now owned by m$). A quick tour through the Spam folder revealed another 50 from "Today" (2008/08/06) & "Yesterday" (2008/08/05). my main email account, gmail, had yet to receive any.

are they targeting anyone in particular (aside from the usual morons)?

hannas

Re:I got one of these

[Mix+Master+Nixon]

I checked and yep, there's tons of copies of this email in my spam folder. The alleged CNN headlines, differing from mail to mail, are awesome.

4. Bill Clinton Regrets, 'I Am Not a Racist'

2. Bill Clinton and Monika seen again

5. Angry, late, tired passengers make computers crash

7. Celebrity was seen naked on the beach

7. Drunken Man Can't Erase Arrest

3. Michael Jackson is sued by his own dog

Olympics-Wear ox pendant to avoid rat clashes, leaders

9. Obama beats McCain

Re:I got one of these

[ben2umbc]

it took me quite a while to figure out why this would be effective spam.

Then I had a look a the HTML view. Quite insidious.

It provides what looks like a linkified http://www.cnn.com/xxxxxxx that actually referrs to a different url.

Thats funny, all of the story links I had in mine referred to an obviously non-cnn website. The 'legal' and 'unsubscribe' links however pointed to cnn.com

Re:I got one of these

[SausageOfDoom]

They're just spamming everyone. However, I'd guess it's pretty easy for someone as large as gmail to filter - there are only a handful of compromised domains that it's serving on.

Does anyone know if the site itself exploits any browser loopholes? The descriptions all say you have to download an executable, but I'm surprised they haven't put some exploits in there for drive-by attacks.

Re:I got one of these

[xarak]

My favourite is when

http://www.foo.com/host/in/index.html
actually points to
http://www.foo.com.host.in/index.html

Got to have the eyes peeled to detect those...

Re:I got one of these

[LilBlackDemon]

I got a "New York Attacked by Terrorists." I knew it was wrong because I work in NYC :P

snooze

[toby]

"Trojan found that installs malware on Windows computers."

Wake me up when the rest of us need to worry. Oh, and tag this microsoft windows please.

Re:snooze

[Atlantis-Rising]

It's not a Windows problem, per se; the fact that it installs malware on Windows computers is functionally irrelevant.

PEBKAC- Problem Exists Between Keyboard and Chair.

There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name, or even a theoretically perfect operating system were one to be invented.

Programs the user executes run in the user's security context. If you can trick the user, you can do whatever the user can do, or in this case, install malicious software.

Re:snooze

[2nd+Post!]

It's hard to write a trojan that runs on multiple operating systems. They would need to write multiplatform trojans, and for now only Windows has the dominance to ensure profitability.

Not that it isn't possible; Adobe after all has Flash for both Mac and Windows PCs.

Re:snooze

[Atlantis-Rising]

Of course that's true in general (Java, perhaps?) but that's not really the issue, although it is an argument for systems diversity in general as opposed to any kind of monoculture.

The issue is that users are stupid. They will remain stupid regardless of what kind of operating system you plunk them in front of, and for my money I'd much rather Microsoft (or antivirus vendors or whomever else) spend their time working to fix actual holes- security flaws that can be exploited without exploiting the vulnerability of the user's stupidity.

Because, to be honest, the security flaw that is the user's intelligence or lack thereof is not something that Microsoft can, or should, fix.

Re:snooze

Don't forget they also have a Linux version of flash. My simple C++ programs required little modifcation to the system calls for command line to work between linux and windows.

Re:snooze

absolutely right! mod UP UP UP!

Re:snooze

[2nd+Post!]

I suspect it should be possible to create a sandbox within a system that limits the capabilities of userland apps.

In other words instead of a UAC system you have a sandbox where user installed apps live and cannot get out of and the system can monitor these apps and their behaviors for maliciousness.

Re:snooze

[Atlantis-Rising]

Sure you could. Some of us do that right now- I have a VM running with a bare-bones Windows XP installation for IE and Firefox.

But this suffers problems. Namely, that if anything from the sandbox can't get out and harm the main system, you... can't get anything out of the sandbox.

The problem, as I said, is that programs run in the user's security context. It's perfectly possible to limit the capability of userland applications, but this does little good from a user's perspective; the user's data also resides in userland, and is the valuable part of the system. They don't really care if the kernel is still working if all their data is hosed.

Ultimately, as long as the user can access their data, so can a hostile program, so long as the user is willing to run it.

The only way to prevent this, essentially, is to prohibit anything from being deleted or modified- just write a new copy of whatever data you change, and write a transactional flag that stats that deleted data has had the 'deleted' attribute applied to it. Basically, an end-to-end journal of all file operations. And that'd be an enormous storage problem. Perhaps it is a solution in a handful of cases- if you can lock all the system files so they can't be written or modified and then ensure the user's data is never deleted or modified, only added to... maybe that's the solution. But it's not one I'd want to run at home, certainly.

Re:snooze

[Nerdfest]

ZoneAlarm has a product called ForceField, that does it within Windows. I haven't tried it, but I think it sandboxes most of the browser, creates a dummy file system, etc. It seems like a good idea that should cover most exploits, at least until it gets popular.

Re:snooze

[humphrm]

There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name

Mac OS X.

Running on an iPhone.

A non-3G iPhone.

Re:snooze

Wake me up when the rest of us need to worry.

Yea, because hundreds and thousands (or hundreds-of-thousands) of compromised Windows boxes on the internet couldn't possibly have an untoward effect on anyone else...

dumbass

Re:snooze

[edalytical]

It's not a Windows problem nor is it a user problem. BTU (blame the user) is easy to toss around for us geeks, but it really masks the true issue here.

That is, user have be trained to install browser plugins by content providers. These so-called content providers only want to control their content, it's inconsequential to them that they're also exerting control over their viewers. It's also ironic that the mindless stride to control viewers has led that control into the hands of even more dishonest criminals.

In a sense most content provider plugins are trojans themselves. That is, they tell the user they'll provide the ability to view their content, but what they really do is take functionality out of the software and take control away from the user.

This trojan is possible because installing a trojan is an accepted Internet practice. Quick raise you hand if you have RealPlayer installed. Ideally a browser is all anyone needs to view the web, but at some point during commercialization of the Internet the community took a step in the wrong direction: Flash, RealPlayer. Barf. Don't you see, the problem is clearly not the users fault.

The problem, in fact, lies with the likes of Adobe, Real and Microsoft for creating stupid crap like Flash, RealPlayer, Silverlight then demanding users install these without thought to view content. If there were nice standards that provided the functionality of these plugins in the browser this would be a non-issue -- the trojan would never have been created.

Re:snooze

[Atlantis-Rising]

I'm not sure how you can blame the content providers. I'm trying to come up with an analogy, but I can't- I think your model is that flawed.

The user has a choice. The user is not forced to install browser plugins. Moreover, not all those plugins are harmful; are you arguing that a monopoly is better for users than diversity? Because that appears to be what you're claiming.

Really, I think you've mixed your own ideological struggles with content providers with the technical issue- and the technical issue is that the security flaw here is not software. It's the user.

Even if you're right about the cause of the flaw, which I strongly disagree with, that doesn't change the flaw.

Re:snooze

[hairyfeet]

Here is a nice little freeware sandbox I use for bad ID10T Windows problems.Works well and is easy to use.Enjoy! P.S. It'll work on FF and anything else you want to sandbox,not just browsers.

Re:snooze

[Goaway]

There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name,

Well, the enormous hassle involved in getting software outside of a repository installed on a Linux system would leave it quite hardened against this kind of attack.

Re:snooze

[edalytical]

I'm not sure how you can blame the content providers.

It's not hard to understand, let me spell it out for you in user-friendly terms. Content providers often require users to install additional software thus the user is not suspicious when a website wants them to install additional software. Simple isn't it.

There is even terminology in psychology for this, it's called: positive reinforcement. That is the user is used to installing additional software without negative consequence thus they are likely to install more additional software without thought. After all the last time they installed additional software they were rewarded with cool content.

This has nothing to do with choice. It doesn't have anything to do with some plugins not being harmful. I'm not arguing for a monopoly at all, that is a very distorted interpretation of my post. I am talking about behavior, namely reinforced behavior. I'm not say it was intentional and/or malicious on the parts of content providers or Adobe or Microsoft and Real. What I am saying is the trojan was possible indirectly because of them.

Re:snooze

[Atlantis-Rising]

Blame implies they are guilty of some misdeed. They are not.

They have no responsibility for the user's lack of competence, and positive reinforcement is no excuse.

That would be appropriate if, in fact, they were reinforcing the fact that the user should do something wrong, but that is not the case.

Re:snooze

[JonSimons]

It's not a Windows problem, per se; the fact that it installs malware on Windows computers is functionally irrelevant.

I don't use Windows, thus I couldn't be affected by this particular crap at all. It is a Windows problem. Now, the issue of ignorant users is also a problem; but don't let Windows off the hook.

Re:snooze

[Atlantis-Rising]

If that is the case, then how do you change Windows to defend the user?

If, in fact, the problem is with Windows, then obviously there is something Microsoft can fix to-

Oh, wait, no. They can't. The operating system is not doing anything wrong.

Re:snooze

[edalytical]

You got +5 way to go, you must be right. *in caveman voice* User dumb, me omniscient. *end caveman voice* Enjoy the bliss.

Re:snooze

[AaronLawrence]

That's also nearly irrelevant, because what scammers want these days is either your user data (either by reading files or just getting you to type it in) or to use your bandwidth for spamming. Damaging user data is a rare and minor concern these days.

Of course they do need to be able to write exes (etc) to the system. But it doesnt help that a correct copy is still archived away - the new bad one is already running.

Re:snooze

[odiroot]

Good point. This article needs at least microsoft windows tag. But on /. you get -1 Flamebait, sigh.

Re:snooze

[halcyon1234]

PEBKAC- Problem Exists Between Keyboard and Chair.

Also know as "A Layer 8 Issue"

Re:snooze

[kenif]

It would be easy to blame Windoze (mainly because MS security has always been a band-aid retrofit), but this is a social engineering problem that targets Windoze users because they are (proportionally speaking) more naive and arguably dumber. I know, as I have to clean up after them. For some reason, typing grammatically incorrect upper-case sentences into Outlook Express makes people think they are computer whiz.

Re:snooze

[The+Angry+Mick]

The user has a choice. The user is not forced to install browser plugins.

That's not always true.

I work for a law firm and there are many government and court related web sites that require some sort of plug-in to view their content. The Medicaid manuals in my state require MS word or a Word viewer AND Adobe Acrobat, court reporter services require e-transcript viewers such as RealLegal and/or specialty audio-visual players instead of Windows Media Player, multiple county courts require DjVu and/or Acrobat, and our Secretary of State's website is entirely done in Flash. Without these plug-ins, these sites are technically useless, so the user is required to install the plug-in.

Re:snooze

[sabt-pestnu]

PEBKAC- Problem Exists Between Keyboard and Chair.

I've also heard this referred to as an "error 60" (60 centimeters from the monitor), or an ID-10-t error...

Re:snooze

[Lennie]

There is also a flash-plugin for Linux

Re:snooze

[Lennie]

That's why you give stupid users a linux or unix computer or laptop and no rights and set noexec on /home and /tmp (and make sure they can only write there).

Re:snooze

[Dark_Gravity]

Adobe after all has Flash for both Mac and Windows PCs.

Adobe has Flash for Linux PCs too.

Linux on a PPC would be immune, since Adobe has no Flash for Linux on PPC.

Re:snooze

[washort]

A "theoretically perfect" operating system would be immune to these attacks. Even an operating system that's just a little better designed would be. You nailed the problem: programs users execute receive all the user's powers. Designs for systems that don't do this are fairly well understood (look up 'capability security'), and can be as sophisticated as needed -- you could design rules for browser-launched stuff along the lines of "only allow access to an app-specific portion of the filesystem", "don't allow direct socket connections to other internet sites" (while perhaps still allowing requests through a system-provided resource API), or even "don't allow direct socket access _after_ anything has been read from the local filesystem". It's quite feasible to come up with a system that's as flexible as legitimate application authors would need while having an interface to security controls that's comprehensible to non-technical users. Discussion of that here: http://www.skyhunter.com/marcs/granmaRulesPola.html

Re:snooze

[Atlantis-Rising]

I can't see how those rules would have prevented this attack.

Firstly, again, the user would define the security context of the application- not necessarily a problem if you have users who can define 'security context'. Most can't, and as a result, telling them to do so is worse than useless (as the Vista UAC program demonstrates).

Your average user does not know what permissions a specific application requires to execute its function correctly.

For example, a piece of software that bases its security apparatus around public-key infrastructure would need to be able to check the Certificate Revocation List. However, the CRL is not necessarily stored at the same place as the application generally operates. To an untested user, it would appear that the application is behaving improperly, when in fact, the application is behaving exactly as designed and exactly as it should.

It was Albert Einstein who coined the truism that "...problems cannot be solved at the same level of consciousness at which they are created."

In this case, I think, the problem with security (of any kind, to be honest, from electronic warfare to physical security to computer security) is that you can only 'solve' the problem when the user understands the problem to the same level as the solution. You can't create a solution that requires less knowledge than the problem.

For a perhaps clearer example, locks: The answer to someone turning the handle and opening your door and walking in is a lock. But that doesn't stop a variety of other attacks, like say kicking down the door or picking the lock. There are, of course, solutions to those problems as well, but they require knowledge of the problem in order to sufficiently utilize and apply a solution (reinforced doors, multi-factor identification, etc).

I don't see computer security as being any different. You can't dumb it down because to do so doesn't solve the problem- it only solves a specific subset of problems, those that are created at the same complexity as the level to which you have dumbed down the solution.

Finally!

I thought I was on crack! I thought my mailserver got hacked. I have been receiving 20+ of these messages for the past 3 days...

Update exchange's filter rules, with no affect.

Lets get this filtered!

Re:Finally!

[nurb432]

20+? That is small time.

Cbeplay.a

[shvytejimas]

It is windows only.
A relief, kinda..

Luckily GNU/Linus is secure...

[Skiron]

... it takes a lot to get the kosher flashplayer to work, let alone a hooky one.

Re:Luckily GNU/Linus is secure...

If you are using fedora it's 2 steps:

# rpm -Uvh http://linuxdownload.adobe.com/adobe-release/adobe-release-i386-1.0-1.noarch.rpm

# yum install flash-plugin

Windows is MUCH harder, because "average users" end up spending all their time re-installing everything when shit like this virus happens.

Re:Luckily GNU/Linus is secure...

[againjj]

I have very deliberately avoided installing Flash on my machines. This story provides yet another reason why such a policy is good. It keeps out some annoying ads, too.

Re:Luckily GNU/Linus is secure...

[Gavagai80]

Copying one file is a lot?

Re:Luckily GNU/Linus is secure...

The only problem, of course, is retarded names like "rpm" and "yum" that open source developers think are clever, somehow. People can't remember that shit at all.

So in reality, there are an indeterminate number of steps you're missing, where they spend time figuring out how to do the two meaningful steps.

Re:Luckily GNU/Linus is secure...

[yo_tuco]

"I have very deliberately avoided installing Flash on my machines. This story provides yet another reason why such a policy is good." Maybe not. You could have Flash installed and never have this problem. By knowing what version of Flash you have installed, you wouldn't go out and get the bogus one. I mean new versions of Flash aren't released that frequently. And if you're half asleep, you'd know a new version Ads are not a big problem either if you install the Flash Block add-on for Firefox.

Re:Luckily GNU/Linus is secure...

[Belial6]

It took me a total of 6 mouse clicks, typing the word "flash", and entering my password to get flash installed in Linux. I know you thought you were being funny, but that joke is just old. It's about as funny as cracking jokes about your walk to your outhouse.

Re:Luckily GNU/Linus is secure...

What the fuck are you talking about? The "indeterminate number of steps you're missing" is the same "indeterminate number of steps you're missing" when you start out with windows in learning that an *.exe file is an executable and you get to figure out which one is the program, and which one is the installer. Oh, wait, sorry, forgot, my bad, you probably install everything from CD and let the CD make the decision for you with whatever is in it's autorun.inf file. Not that you would want to disable such shit to prevent someone like Sony from installing a rootkit on your machine or anything like that.

It's a different OS and has different ways of doing things. If you started in *nix you would be just as confused with drive letters and *.exe's your first time on a windows box. It confused the hell out of me when switching to linux that I didn't have drive letters, now I wonder how the hell I got along with them.

Re:Luckily GNU/Linus is secure...

Actually I don't have any problems with it whatsoever - but I'm not a flaming moron who has to go off on Internet tirades to stop myself from feeling like a loser. I also don't get emotional about operating systems.

Maybe you oughta calm down a bit, son.

Re:Luckily GNU/Linus is secure...

[Eccles]

The kosher flash player often also takes up a heck of a lot of CPU on Firefox, while IE doesn't take so much CPU with the same page. Has there been any consideration of writing a third party flash player for Windows/Mac? Or is it assumed Adobe would just break it as soon as it could?

Faux-CNN Spam Blitz Delivers Malicious Flash?

[morari]

More like "Faux-CNN Spam Wolf Blitzer Delivers Malicious Flash"!

Re:Faux-CNN Spam Blitz Delivers Malicious Flash?

[wik]

Pleas God, no. Nobody wants Wolf flashing us.

WINDOWS ONLY.

Of course, if you are smart enough not to run Microsoft Windows, this doesn't affect you...

Here's a nickel, kid. Go get yourself a *real* operating system...

Re:WINDOWS ONLY.

[corsec67]

Instead of a nickel, how about giving that kid a CDR of a better OS?

Re:WINDOWS ONLY.

[oldspewey]

Here's a nickel, kid. Go get yourself a *real* operating system...

I enjoy playing around with Linux. I have a couple spare partitions on my desktop machine where I'll install an interesting new distro when I have some time (right now I have Kubuntu and WinXP set up as dual-boot), and maybe learn a little something about package management or do some cool things in bash ... whatever, doesn't matter to me ... it's the exploring that's the important thing.

You know what? Every time I read a post like the above, it turns me off Linux just a tiny bit.

Re:WINDOWS ONLY.

[dedazo]

Of course, if you are smart enough not to run Microsoft Windows, this doesn't affect you...

Of course you can also run Windows and avoid doing unsafe, stupid things. That usually works.

Here's a nickel, kid.

Since I'm on a 3270 terminal to an OS/390 box the size of your house right now, here's your nickel back, and a check for $50.

Re:WINDOWS ONLY.

[computersareevil]

Of course you can also run Windows and avoid doing unsafe, stupid things.

Um, running Windows is unsafe and stupid.

Re:WINDOWS ONLY.

[dedazo]

Is it really? I've owned many Windows computers over the past 20 years and I've never had any problems with security. Well, there was that one floppy in the early 90s I accidentally booted off of...

There's 8 Windows boxes here on my den right now. Three servers, two laptops and three workstations. None of them are pwned, rooted, infected, trojaned or otherwise compromised. And they've never been. None of my Server 2003 colo boxes have ever been compromised either. I'm curious, what do you find difficult about securing Windows?

Re:WINDOWS ONLY.

[computersareevil]

How many Windows viruses, trojans, and other malware programs are there successfully spreading in the wild? Thousands? TENS of thousands?

OK, now how many Linux, BSD, or OS X viruses, trojans, other malware programs are successfully spreading in the wild? ZERO, ZILCH, NADA, ZIP.

So you tell me: How difficult is it to secure Windows? Must be damn near impossible.

You even admit that despite your self-proclaimed superior ability to secure Windows, you were still a victim of a trojan.

Re:WINDOWS ONLY.

If someone saying something like that turns you off of Linux, you can expect to hear a lot more of that from people who don't want you to use Linux.

What in the world some jackass' trite comment has to do with your being "turned on" to Linux is beyond me. Either Linux is potentially valuable to you or it isn't. And the GP didn't even mention Linux.

Stop giving other people so much power over your behavior. You are responsible for your behavior, even if you let other people do your thinking for you.

"I wanted to use Linux but some jackass made a trite comment not even directed at me, so it's his fault I don't like Linux." What would you think about someone who made a statement like that?

Re:WINDOWS ONLY.

[Lulfas]

How many Windows users are there successfully spreading in the wild? Millions? TENS of millions? OK, now how many LINUX, BSD, or OS X users are successfully spreading in the wild? 500k? 2-3million at the most? Just admit it. Most people use windows. Therefore, it will have the most problems. Not enough people to matter use other systems. They don't matter.

Re:WINDOWS ONLY.

[ksd1337]

OK, now how many Linux, BSD, or OS X viruses, trojans, other malware programs are successfully spreading in the wild? ZERO, ZILCH, NADA, ZIP.

That's because no one bothers to write malware for these systems. The majority of computer users use Windows, so that's the target audience.

It's very easy to secure Windows. Just be careful what you do with your computer, especially if it has an Internet connection. If you want to download some $exCashMoneyV!@gRa_UltimateSearchBar toolbar, that's your fault.

I'm no fan of Microsoft, but I don't bash them for things they didn't do.

Re:WINDOWS ONLY.

[dedazo]

How many Windows viruses, trojans, and other malware programs are there successfully spreading in the wild?

MyDoom, which holds the record for fastest-spreading worm ever, did so through email and required significant user action.

OK, now how many Linux, BSD, or OS X viruses, trojans, other malware programs are successfully spreading in the wild? ZERO, ZILCH, NADA, ZIP.

Statistically, there are about as many of those as there are normal desktop computer users for the platform, since most of these attacks rely on social engineering (as opposed to actual vulnerabilities) to succeed. So the lack of malware for your platform is not due to its inherent superiority, but to the size of its installed base. Windows may have more attack vectors than Linux or OS X, but that doesn't mean that they can be avoided with $0.05 worth of simple common sense.

So you tell me: How difficult is it to secure Windows? Must be damn near impossible.

No, that's why I asked you the question. It's not at all. If it were, those 100K machine botnets would have 100 million zombies instead, and that's not the case, is it? Or do you figure the malware vendors are just not interested in a potential pool of that size? By most measures there's about a billion computers in the planet running some version of Windows.

You even admit that despite your self-proclaimed superior ability to secure Windows, you were still a victim of a trojan.

Oh, sure. But there's no need to be quippy about it. That happened almost 20 years ago, and it was the first and last time any of my systems were compromised. I guess I'm a good learner.

And by the way, "superior ability" is not needed at all. Just patch your boxes and don't download or run stuff from untrusted sources. That should take care of about 99.99% of all your problems. And that's true of any OS.

Re:WINDOWS ONLY.

I love free software, but I am sick and tired of you retarded linux zealots.

Re:WINDOWS ONLY.

Where does the OP say they run Linux?

Your own bias is showing through.

Re:WINDOWS ONLY.

[D+Ninja]

Three servers, two laptops and three workstations. None of them are pwned, rooted, infected, trojaned or otherwise compromised. And they've never been.

Prove it.

(Not that I don't believe you...but that's a pretty heavy statement to make.)

Re:WINDOWS ONLY.

[networkzombie]

> Since I'm on a 3270 terminal to an OS/390 box the size of your house right now

I doubt that. My house is pretty small. Do you have a Kaypro?

Re:WINDOWS ONLY.

Bwah, that's a laugh & 1/2: This is SLASHDOT - home of the "Pro-Linux/Pro-*NIX variant", & that's just common-knowledge to anybody who visits here regularly. Lord knows, if you post nearly anything favorable about Microsoft, Bill Gates, or Windows itself (or conversely, anything negative (though it may be true) about *NIX in general) here? You get "modded down" here, 9/10 times! I've been "hanging around" here, posting as A/C (because registered users are RIDICULOUSLY EASY to "track" here, & that to myself is a "no-no" in & OF itself) for around 5 yrs. now, & this is something I've noted here myself, & see that I am not alone in that.

Re:WINDOWS ONLY.

[strelitsa]

Prove it.

Prove that his boxen have never been Pwned. Logical fallacy much?

Re:WINDOWS ONLY.

[gaspyy]

How would installing a different OS help in any way?

I now, some memes are popular here, but it's getting tiresome.

Short version of the story: users are tricked into installing malicious software.

No vulnerability is exploited; the fact that it's Windows and not Linux-distro-of-the-month is irrelevant (remember, once installed, if the software can read your home directory and send passwords and CC details, it achieved its goal - it may not need full system access). The fact that Flash is involved is irrelevant too - it could be a "special" video codec, or java or whatever.

Re:WINDOWS ONLY.

This is /.. Windows is evil. Period. On a logical note, it is less the OS and more the user. Granted, certain things should never happen (email client -> install, browser -> install, at least outside a sandbox)... but a user willing to click on ANYTHING is the underlying issue.

Like me, you play smart. I haven't used antivirus software for many years and rarely have issues (none attributed to a virus). Boot times on all my boxes are all less than 40 seconds and they have been up for max 3 years (excluding power outages). Uh, and yes, I do use them frequently/daily! :D

Re:WINDOWS ONLY.

[RandomFactor]

More 'Windows users spreading in the wild' than 'Linux users spreading in the wild' ...well yeah that's common knowledge!

Re:WINDOWS ONLY.

[dedazo]

Prove it.

OK... how?

that's a pretty heavy statement to make

I frankly don't understand why. This is not black magic, a trojan cannot enter a computer via osmosis or a teleporter, and it cannot function without being detected, unless it does absolutely nothing of value. The attack vectors and the symptoms are known. It follows that it's relatively simple to know if you have been compromised in any way. Unless you know something about the way Windows works that I don't?

Re:WINDOWS ONLY.

[DMUTPeregrine]

Kerio Personal Firewall (with app behaviour blocking set to paranoid levels), ClamWIN/avg/NOD32/other good antivirus (not norton/mcaffe/etc), and Anti Hook do a good job of securing windows. iptables, clamav, and maybe a graphical frontend for iptables like KMyFirewall do a good job securing linux... But iptables is built in. And in the Windows case, Antivirus really isn't needed with a good firewall/behavior blocker (Kerio+Anti Hook, for example.) Any system, when placed behind secure enough walls, can be secure from threats outside the walls. Some systems are more secure against internal threats than others. In Linux, most of what you can easily screw up is your own home directory. In Windows XP, you can screw anything except other user's home directories, and often even them, and in Vista you can't screw much up if UAC is on, but it often gets turned off. Linux and Vista both have security. Linux just has usable security. Security alone is worthless if the user removes it to do work, it must not interfere with the normal operation of a computer.

Re:WINDOWS ONLY.

MyDoom, which holds the record for fastest-spreading worm ever, did so through email and required significant user action.

And, do tell, what is the only operating system MyDoom runs under?

I'm on a Mac!

[objekt]

You insensitive...er, umm...yeah, I'm alright.

And a big "Ha-ha!" to windoze users.

My flash player was working earlier...

[iztehsux]

Botnets for sale!

IE7 Scam

[nurb432]

There is another similar one pushing 'IE 7 is now available for download' from 'Microsoft'.

ya.. right...

Re:IE7 Scam

[22_9_3_11_25]

I don't know why you were modded funny because I actually received this in my inbox at work this morning. I of course deleted it but was considering sending out a warning.

Re:IE7 Scam

[Lennie]

There also seems to be a MSN-update available, because I had an e-mail about that too.

More secure, yes.

[nurb432]

But not invincible..

Re:More secure, yes.

[VdG]

With Linux making some small inroads on the desktop, (http://linux.slashdot.org/article.pl?sid=08/08/05/2310205 http://linux.slashdot.org/article.pl?sid=08/08/04/2140203 ) it's going to become a worthwhile target for malware soon. I suspect we're going to find out just how secure it is. Fingers crossed...

Sure it's a trojan...

But is Cbeplay easy to develop for?

Facebook, too?

[MaliciousSmurf]

Here's an excerpt from a message posted by a friend on EVERYONE's wall: (X's are mine, just to add some security) "HEY GUYS GET YOUR GAMING ON! ENTER AND WIN A PS3 Or Free PLASMA ITS EASY AND FREE SIGN UP AT THE URL BELOW http://xxxxx.imageshack.us/XXXXX/gameonit4.swf "

Re:Facebook, too?

[kap.devoid]

Unfortunately yes and probably every other social networking site soon as well. http://www.securityfocus.com/brief/786?ref=rss

Lawsuit?

[cdrguru]

Too bad nobody is ever going to find the folks responsible for this. Pretty much any email that even has the letters "cnn" in it will go in the trash now. Do you think any email of a forwarded story from the CNN site would possibly get through today? Next week? It wouldn't surprise me if CNN.com ad rates took a nosedive because of this as well. Who wants to go to "the spammer" web site?

This is the sort of extremely bad PR that CNN would be well within their rights to sue the pants off of whoever started this nonsense. Unfortunately, it probably originated somewhere that doesn't care about US companies, US laws or what people think about spam. Also, how exactly would you prove where it came from?

Hope someone is getting paid real good for this. I don't think this can put CNN out of business, but it is certainly going to hurt real bad.

Re:Lawsuit?

[dedazo]

Considering how difficult and expensive it is to track down, indict and convict spammers and malware peddlers (not to mention they later tend to escape and commit suicide), I doubt CNN has the time or energy to do this.

You're never going to fix people's stupidity, which is ultimately the root of the problem.

Re:Lawsuit?

Pretty much any email that even has the letters "cnn" in it will go in the trash now. Do you think any email of a forwarded story from the CNN site would possibly get through today?

Yeah, and as it is NO banking site as far as I am concerned can use email to it's own users. I assume that ANY email from someone claiming to be a bank that I utilize over the web, is a phish and goes right into the spambucket. In fact, if things get much worse then I won't be using the internet for banking anymore at all, though that would be a lot less convenient. Trust is not something that seems on the horizon, and the quickest way to completely scuttle it would be for the Fed, Microsoft or AT&T & the like step up and claim to offer it via one of their usual hackneyed schemes...

Re:Lawsuit?

[trawg]

It's certainly a good advertisement for digitally signed email.

I realise digital signatures are still beyond the reach of most people that use email, but for those of us that actually know what they are and how to use them, it's a pretty decent solution to this problem - at least for people that want to receive email from CNN.

1) Sign up to CNN for emails
2) Enter your public key in your CNN alerts profile
3) Configure your mail client in such a way as to only accept email purporting to be from CNN that is digitally signed
4) Any email from CNN that is digitally signed, verify the signature - if it matches, accept it, if it doesn't, throw it in the spam pile.

Re:Lawsuit?

[ignavus]

I never watch or listen to CNN - it is not available on any channel on my TV and I am not interested in it.

I would put any email from CNN straight into the bin. So spammers trying to impersonate CNN are going to get exactly the same treatment.

So spammers - keep impersonating the firms I don't care about (and that's almost all of them).

Re:Lawsuit?

[drew30319]

I've no idea how many sites were used but the one used in the site that spammed me is already down. The site is/was (www . weddingsinsardinia . com) if you're curious. (well, that's the site even if you're not curious - but you know what I mean)

I only received one of these and am surprised, I have a dozen or so domains, so I guess the spam filters caught on pretty quickly.

Re:Lawsuit?

[Blackknight]

Forwarded articles should go to the trash any way, if I wanted to read it I'd go to the site.

Re:Lawsuit?

[DotNM]

I've given my bank my work email address... which happens to be with the bank itself, thus allowing me to verify the sender because it'd be in the internal email system. I don't get much email from it at all though, just some newsletter from my investment account that I have with the bank I work at.

Re:Lawsuit?

[Baricom]

CNN and AOL are both owned by Time Warner, and AOL has tracked down and successfully prosecuted a number of spammers before. The size and level of publicity behind this spam attack might make it worth CNN's while to pursue.

Re:Lawsuit?

[blacklint]

Banks sending emails can be very useful. I have my bank send me balance alerts, and when I see one I type in my bank's URL, avoid the tethered login, and transfer some funds. I can't think of a better way for this to work, and if someone does send me a phishing message I don't detect, I'll log into my account and see that it wasn't from the bank anyways.

Re:Lawsuit?

[rampant+poodle]

No mod points today but I love simple and effective. This meets both standards.

Re:Lawsuit?

Thanks for tell us about your personal TV viewing habbits, but why should I care?

Re:Lawsuit?

[AlXtreme]

An even better solution would be to simply use RSS.

Problem solved (until hackers use the DNS attack to feed you an RSS feed with modified links. Nothing is fool-proof).

PKI for email will take off once regular email becomes useless. So in that sense, we should be rooting for the spammers.

Re:Lawsuit?

Why would CNN need your public key to sign their mail?

Re:Lawsuit?

[sqlrob]

Which actually means squat, in many cases.

Most of the "bank" e-mail I've seen is outsourced and the links also go to the original provider, redirecting to the bank later. Unless you're familiar with the companies involved, telling a real bank e-mail from a phish is incredibly difficult.

Re:Lawsuit?

[The+Angry+Mick]

That's an awful lot of effort for what is essentially a piece of e-mail that is visually identical to the CNN home page. Why not just go there instead?

Re:Lawsuit?

[Blackknight]

They've also got this neat feature called RSS, where you can subscribe to stuff that you actually want.

Re:Lawsuit?

[gillbates]

Never underestimate the power of the investigative reporter.

Reporters earn their living finding secrets that powerful people don't want exposed. If any one of the reporters at CNN has a technical background, they stand a better than even chance of finding out who perpetrated the attacks.

The real problem comes in bring action against someone who is likely outside the US. Then again, CNN probably has offices in every country, so this might not be as difficult for them as it would for a purely US corporation.

Re:Lawsuit?

[DMUTPeregrine]

Too many steps.
You should have a public/private key pair, and probably a smart card.
1) Sign up for CNN emails. Your browser enters your public key in the background.
2) Your e-mail client downloads CNN's public key, checks the signature, and displays the message as red or green in the inbox. Or sends all unsigned messages from any sender who has signed messages in the past to an "unverified mail" folder (bad name, what's unverified? Everyone knows what spam is. Perhaps unknown sender?) Extra security can be applied to unsigned mail.

But note the important thing: The user doesn't have to do anything more than sign up like they normally would. The e-mail client and web browser should do all the work, behind the scenes, automagically. Also, you don't actually need the user's public key unless you're encrypting, or the user is sending e-mail.

Google Mail

[jefu]

I've received nine of these (in just a few hours) on my usual (university) email address. But google mail keeps telling me about them, instead of marking them as spam or phishing and just moving them out of the way. Worse yet it leaves them on my (university) mail server which has an absurdly low quota - so I'll have to remove them manually. This means I need to deal with this crap twice - once when google mail tells me it won't give it to me and once when I need to login to the server and manually delete them. It would be so much nicer if google mail would flag these as spam or phishing, take them off the server and just make them invisible.

Of course (and yes, I'm contradicting myself) I'd also like (since I'm interested in viruses and the like) to be able to set a flag where I could say, "Let me download this. Yes, I do know what I'm doing" and give it to me in some nice packed format.

Re:Google Mail

[porkUpine]

There is an easy fix for this in Gmail. You'll need to create a new filter like the following


Matches: is:spam
Do this: Skip Inbox, Delete it

Re:Google Mail

[jefu]

Nope. Can't. Google says there is a virus and so it was left on the server. Is there a way to change that?

Re:Google Mail

Worse yet it leaves them on my (university) mail server

After reading your post like 5 times I finally realized that you're missing the point:
Gmail is not going to accept that email because it knows there's a virus in it. And you're complaining about that?

If you *really* want those emails, I suggest setting up your university address to just forward everything to gmail. Then you can create a filter or just delete them once.

Re:Google Mail

[jefu]

I'd prefer that gmail accept the mail from the server and mark it as spam/phishing/whatever. I'd also like to be able to set a preference that allows me to decide that "yes, I would like to download that" and have gmail give it to me in a packed up format that I'd have to unpack somehow - just to make it hard for someone to inadvertently run the thing.

Re:Google Mail

[Kent+Recal]

Oh and while we're google bashing here: I would like if google groups would echo my own damn posts back to me like every other mailing list software does!

Lawsuit? No. DEATH PENALTY.

This attack shows a complete disregard for fellow humans by the 100s of millions. The only fair punishment is the death penalty. There may even be some deterrent effect from that, but even without it should still be DEATH!

Lessons Learned

[Nymz]

Companies doing business on the web have curtailed the functionality of email correspondence, and often tell consumers the only safe method is to visit their site and log in. Acquiring software isn't much different, get it from the source. Personally, I find the incessant requirement of plug-ins to be breaking the web when no alternative (text) is offered. /Get off my lawn!

Re:Lessons Learned

[r7]

Make that "Companies doing business on the web without basic spam filters in place". Our mailservers all run Spamassassin which easily recognized and tagged these as spam: score=8.449 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_DYNAMIC_DHCP=1.398, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.2, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033, RDNS_NONE=0.1, SARE_MONEYTERMS=0.681]. Companies that can't even manage to implement basic spam filters are at a competitve disadvantage. Those that curtail their email correspondence are, well, a good oppotunity for short sellers.

Perhaps more revealing is how many Slashdot posters are missing the real point of this story. It's not phishing, which is old news, but the security flaws of a proprietary and closed source application. There's no way Adobe can secure Flash without taking it to open source and getting the resulting peer review. That's information security 101. Heck, Adobe hasn't even figured out how to release a version of Flash for 64bit Linux, which is a heck of a lot easier than security code audits. Appears that, despite claims to the contrary, Linux users care more about free as in wallets than free as in source.

Re:Lessons Learned

[DavidTC]

Dude, spamassassin didn't recognize that message as spam.

DNS_FROM_OPENWHOIS, HELO_DYNAMIC_DHCP, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_PBL,RCVD_IN_XBL, and RDNS_NONE are origin checks, not message checks. (Well, the helo isn't technically, but forging it would be worse than correctly stating the dynamic IP.)

According to the message checks, that message scored BAYES_50=0.001 and HTML_MESSAGE=0.001 using standard spamassassin checks, and SARE_MONEYTERMS=0.681 from the very nice SAREs checks that smart mail admin install. That is almost certainly not enough to mark it as spam. And the 'money terms' probably triggered by sheer chance, considering this thing is scraping CNN.com for headlines. Other messages sent by this thing probably wouldn't trip over that.

The reason it was blocked was that it came from an IP that was current blacklisted for spamming and was clearly a dynamic IP, not that spamassassin recognized the message. Any mail from that IP would have been blocked. Spamassassin actually fell down pretty badly on the content analysis.

Re:Lessons Learned

[dfn_deux]

Any admin, such as myself, whom works for a large ISP can look at your spam assassin header there and see a big reason why we can't and generally don't use your solution for filtering.

score=8.449 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_DYNAMIC_DHCP=1.398, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.2, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033, RDNS_NONE=0.1, SARE_MONEYTERMS=0.681]

The majority of your spam ranking scores depend on some third party real time blacklisting services. My mail servers pass about a quarter of a billion mails daily, we end up on these blacklists quite frequently from ass hats whom manage the variety of 3rd party blacklists regularly accept falsified headers as proof of origin and they accept heuristic results from filtering appliances (I'm looking right at you barracuda) which can't tell the difference between high volume non-spam forwards and real spam. If you weight your spam filter to use that much blacklist input then there is a strong possibility that you are black holing tons of mail from large ISPs and/or causing all sorts of upstream queuing problems and delivery delays for users at your domain. Hopefully your servers only tag up the headers and don't actively do reputation blocking or any other such non-sense... Let your users make the final decision.

Re:Lessons Learned

[TropicalCoder]

It's not phishing, which is old news, but the security flaws of a proprietary and closed source application. There's no way Adobe can secure Flash without taking it to open source and getting the resulting peer review.

No - it is phishing - the social engineering kind, and it has nothing to do with the security of Adobe Flash. It just fools the user into thinking he is going to download a new Flash player, but he ends up with a virus. I suppose you didn't RTFA.

Re:Lessons Learned

[r7]

The reason it was blocked was that it came from an IP that was current blacklisted for spamming and was clearly a dynamic IP, not that spamassassin recognized the message. Any mail from that IP would have been blocked. Spamassassin actually fell down pretty badly on the content analysis.

Partially correct, but you're forgetting that headers _are_ content as much as the body, and any properly configured Spamassassin takes full advantage of RBLs, RHSBLs, and CBLs to identify spam (as much as any other signature). On this (well configured) server anything above 6.0 is discarded, yielding no false positives and rare false negatives (~2 per week per account). Sure it would have scored higher if it had better analyzed the hrefs, but the point is that it recognized the messages as spam.

Re:Lessons Learned

[n3r0.m4dski11z]

Content preview:
THE DAILY TOP 10 from CNN.com Top videos and stories as of: Aug 1,
    2008 3:58 PM EDT

Content analysis details: (10.4 points, 2.0 required)

  pts rule name description

  0.0 HTML_MESSAGE BODY: HTML included in message
  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
                                                        [score: 1.0000]
  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see ]
  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
                                                        [12.41.37.114 listed in sbl-xbl.spamhaus.org]
  1.5 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
                                                        [12.41.37.114 listed in dnsbl.sorbs.net]

Seems as though bayes99 got it.

Re:Lessons Learned

[DavidTC]

Yeah, spamassassin will eventually train itself if it keeps getting near-identical messages from spam sources.

But the first wave will get through.

This is why greylisting to everywhere but spamtraps is a good idea. Let the spamtrap spam in, feed it directly to spamassassin, and even if the greylists get past, by then spamassassin's catching it.

Alternately, there's razor and pyzor, but I honestly don't know much about that.

Re:Lessons Learned

[DavidTC]

The hrefs all went to the same place, from the spam I saw, and it was a somewhat 'legit' looking URL, not IP address or spam keywords in it, so until spamassassin knows about that specific one, it's rather moot.

Speaking of that, is there anyone, now that SAREs is not updating (I notice you use them, I do too), that's providing good rules?

Also, my spamassassin doesn't do RBLs and RHSBLs...simply because I use postfix's policyd-weight and nothing that triggered on both spamcop and the XBL would make it to spamassassin. :)

Re:Lessons Learned

[The+End+Of+Days]

But if the zealots had to start dealing in facts, they'd realize that their answers aren't perfect for everyone. We can't have that happen, so we coddle them. That keeps them safely here on Slashdot, bitching to each other, and leaves the streets safe for us "normals."

It's Fox News

[actionbastard]

Damn their oily hides!

What, no CNN link?

[Chris+Pimlott]

I can see the headline now: "We're not spamming you (really)"

Re:What, no CNN link?

[Vukovar]

How about "Fair & Balanced malware"....

Re:What, no CNN link?

Well, between the trojan and the flash and javascript nightmare which crashes some browsers that is cnn.com, I suspect most people are choosing the virus. There's no point in putting it up on the website.

Re:What, no CNN link?

fair and balanced? o'rly?

Must be a slow day at slashdot...

[TheMCP]

A trojan-horse application is being delivered by email, masquerading as content from a major corporation.

This is news? We're supposed to be surprised?

The future of Malware?

[jeiler]

Cross-posted from my journal.

And now we have the latest malware wave, where 1000+ legitimate sites have been hacked to serve a fake Flash player. This is going to seriously hurt CNN's reputation (and ad revenue), as a lot of folks are going to set their mail servers to delete stuff that even mentions CNN. Worse yet, it's going to put a serious hurting on the 1000+ hacked sites: CNN has enough goodwill and trust built up that it will survive the onslaught, but the "other victims" may end up blacklisted by a lot of folks.

Most malware authors have learned not to crap in their own bed: the days of a virus that wiped your files are fading; now we have malware that more-or-less uses your files alone, but uses your connection to send spam or do DoS attacks. If they make the attack less blatant, it's less likely to be discovered and cleaned up.

While the malware authors may be trying to stay quiet on the PC, they sure don't mind hurting companies ... and that hurts the internet as a whole. As much as some in the geek community may dislike it, the Internet is payed for by commerce--internet sales, services, and subscriptions indirectly pay for the infrastructure we all use. If these small companies are hurt by spammers and malware authors, then the small companies may be less willing to maintain an internet presence--which means there will be less people who pay the ISPs to maintain and improve the infrastructure.

There are a lot of contingent statements in the above paragraph, and maybe I'm getting more worried than I should be, but I have to wonder: how long will it be until spammers, scammers, and other low-grade shits ruin the Internet for everyone?

Re:The future of Malware?

[robogun]

I think Flash takes the hit, and maybe video news delivery as well. But to be honest, what's the great loss? I like CNN and have it bookmarked, but nothing is more irritating than a story that is video only. Unless the story is visually compelling, there is no need to waste so much bandwidth.

Re:The future of Malware?

[Red+Flayer]

There are a lot of contingent statements in the above paragraph, and maybe I'm getting more worried than I should be, but I have to wonder: how long will it be until spammers, scammers, and other low-grade shits ruin the Internet for everyone?

I'd be more concerned about the internet being ruined by net partisaniality (for lack of a better term -- what exactly is the opposite of net neutrality?). The internet ceasing to be a content-agnostic delivery system for bits would be the real tragedy.

As far as spammers, phishers, scammers, etc -- the world has always been full of them, and the internet has just made them more efficient. We will always have people who are not "netsmart" just as we have people who are not "streetsmart". The public at large has always born some of the cost of these people getting suckered, be it through having to pay for security (police, etc), or lost or misdirected productivity.

Re:The future of Malware?

[registrar]

Your doom-and-gloom is misguided. The internet won't get wrecked by scams like this. The only thing that distinguishes the internet from the rest of life is the connectivity. Individual behaviours that are recognisable as sociopathic outside the internet (scamming, bullying, stalking, spamming) are not somehow going to win on the internet.

Yes, the connectivity allows sociopaths to make life suck for more people simultaneously than was previously possible, or make it suck more for one person than was previously possible. But the goodies have the same connectivity improvement as the baddies. The non-sociopaths just want to get online and do their thing (read, communicate, buy, sell, make spam filters, prosecute child molesters) without trampling on people. The goodies have always outweighed the baddies on the internet, and there is no reason to believe the balance is changing.

The real threat to the internet is from organisations who use PR machines to avoid transferring common decency from the rest of life. For example, companies who compete unfairly (Microsoft), get laws passed to define "internet only" crimes in their favour, sue people they would otherwise leave alone (RIAA), inadequately protect private data publicly accessible, and of course, nations who spy on everyone. These organisations leave everyone with a feeling of distrust that they cannot overcome.

Re:The future of Malware?

[jeiler]

The internet ceasing to be a content-agnostic delivery system for bits would be the real tragedy.

This is starting to wander off-topic, but the Internet has never been "content agnostic"--and the WWW is even less so. At least since the advent of the "commercial Internet," and even to some extent on the pre-commercial "academic internet," content (and locations) is vetted by the administrators of the various service providers. Back in the days of the academic Internet--your sysop doesn't like netnews? He can tell the college administrators "It's full of porn," block port 119, and there's not a damn thing most users could do about it. Worse yet--your sysop has a beef against Indiana State University? He can block the whole domain, and you have to go outside your school's network to get there.

Now in the days of the "Commercial Internet," it's even worse. Most providers treat it as a business instead of content-agnostic media--well, that's completely understandable, given that it is a business. And by treating the Internet as a business, blocking (or even simply refusing to support) things like Usenet actually saves them money, making them more profitable.

Now come the spammers, and how do the local ISPs react? Do they block the offending websites? If so, do they take the time to weed through and block the specific pages, or do they just do a quick-and-dirty block of the name or IP range? The second takes less time and effort--which means less expense.

I dunno. Maybe registrar is right, and I'm just doom-and-glooming. But I'm sick and tired of the "content-agnostic delivery system" being hijacked by the very people who I pay money each month to be able to use the damn thing.

Re:The future of Malware?

[cdrguru]

Problem is the "goodies" aren't doing anything while the "baddies" are very, very active in making themselves known. All that is required is for the "baddies" to win - make the Internet unusable - is for the current situation to continue.

Re:The future of Malware?

[registrar]

I just don't see any evidence that the internet is becoming unusable. The goodies have made it possible to filter my spam with amazing accuracy. It is now better than it has been in the last decade.

My computer is so secure that I don't need any antivirus software. That never used to be the case. (Though this malicious flash thingy suggests that it may become the case again.) Even Microsoft's security is improving. Vista is plainly much more secure than 98, 2000, early XP, etc.

If the internet as a whole (or any component of it) is easily broken, that needs to be fixed technologically and/or legislatively. When infrastructure fails, you never blame the user, whether they were ignorant or malicious. At best, it is merely pointless and irresponsible.

The only serious question the GGP implies is whether the technological fixes will be worthwhile. They are better now than ever before, why shouldn't that continue?

Re:The future of Malware?

[registrar]

... less willing to maintain an internet presence...

Yeah, and you're going to stop breathing because I farted? For CNN, the internet is about as dispensible as air.

Re:WINDOWS ONLY. LINUX IS NOT ANY MORE SECURE

In its DEFAULT setup, especially regarding security? Maybe... but, NOT if you do this:

HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, + make it "fun to do", via CIS Tool Guidance:

http://www.tcmagazine.com/forums/index.php?s=69e3a8383c24ab823ef36b246b66ce88&showtopic=2662

Then again, IF you look there? Linux doesn't do ANY BETTER "outta-the-box/oem-stock" (yes, even SeLinux bearing distros) either, as both OS' stock only score into the mid-40's of 100 possible ranges, initially (until you 'security-harden' them).

Both reach 90's++ ranges, IF you take the time to do the work required, per CIS Tool guidance and the other points that guide notes to look out for, & shore up.

My Spam Filters Worked This Time

My ISP-provided spam filter caught this one and tossed it into the e-carp can and so did Gmail's spam filter. In the ISP-provided spam e-box, I've been noticing quite a bit of faux news email headers, including thousands dead in a stampede at a soccer game?? Dumbass spammers.

Sourceforge harvested, gmail bounced it

[coljac]

This spam helped me find a bug in my procmail recipe - this was sent to my Sourceforge email address (never had spam there before), and was forwarded on to Google which bounced it as an illegal attachment. Kudos to Google for being on the ball.

The 1,200 recursive bounce messages that ensued were no-one's fault but my own. :)

Nope. Package Management Stops This.

[right+handed]

Attacks like this don't work outside of Winblows. The problem is that users have been conditioned to needing a never ending series of non free "upgrades" from untrusted sites to do what they want. I can download Gnash all day from Ubuntu and never find a trojan. Not even Apple users have the same problem. Users of other OS have been conditioned to get their software from a place they can trust. Free software users have learned not to trust non free software like Flash itself.

I started seeing this at work 2 days ago...

[Bubba]

Solution to unintelligent users was to block all downloads of "get_flash_update.exe" on our proxy server.

Removal process was fairly trivial; All processes/files were > 10 chars randomized like a362b462da6.exe/scr. Processes were easily killable and removable without having to do anything fancy like boot off a Linux CD.

The only things we found that it installed was XP AntiVirus 2008 under C:\program files\[random > 10 digit name]. Again, fairly easy to remove.

Another day, another spam mail getting through our crappy anti-spam service.

Re:I started seeing this at work 2 days ago...

[Bubba]

For those that care for more information,

Also found Infostealer CbEvtSvc.exe in System32 directory, so you have to kill this and delete as well.

You also need to remove a registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[random name from above] (for machines infected with XP Antivirus 2008).

Also, you need to ask the user who actually clicked on the message to get the machine infected to to run these commands then have them reboot (basically resets display preference tabs, disables active desktop (what was Microsoft thinking; but what a great way to load BHO's at login)):

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispBackgroundPage /t REG_DWORD /d 0
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispScrSavPage /t REG_DWORD /d 0
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoDispSettingsPage /t REG_DWORD /d 0
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_DWORD /d 0
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoActiveDesktop /t REG_DWORD /d 0

Hopefully some of my sample submissions made it to your vendors by today...

HTH,
Bubba

Re:I started seeing this at work 2 days ago...

[DigiShaman]

I cleaned up 8 or 9 PCs this July with XP Antivirus 2008 and 2009. Don't be fooled. That fucker is the causes all sorts of hell. It removes display window tabs such as screen savers and background. It does this to prevent you from rooting it out of the sytem. I've also seen it modify logon registry setting. Clear it out and the infected files, and you will send the machine into an endless log-on / log-off mode.

I found AVG to be very effective at removing the hidden crap. So far, this malware has slipped past Symantec, McAfee, and Trend Micro (all corporate editions).

Re:I started seeing this at work 2 days ago...

[mike9989]

Thanks for this. I saw one of my students install this damn thing before I could stop him. I will try this and more than likely just re-image the damn machine on the weekend.
On an related note : All the "I'm running Linux and it doesn't affect me" posts don't really do anything to help those who, for one reason or another, HAVE to run windows. I, personally would prefer to use Linux, but most businesses use Windows, most of my company's products work on Windows and most users are familiar with Windows, and therefore, I HAVE to use Windows at work (home is another matter!)

Re:I started seeing this at work 2 days ago...

You have to do more than just remove "XP Antivirus 2008"

this is a rootkit virus. Rootkit.Win32.KernelBot.bk

it also installs itself in your system32/drivers/ directory as random name such as 447818e8.sys

once you remove "xp antivirus 2008" you THINK you have removed it. In the background you are sending out THOUSANDS of emails (probably the CNN Alerts email)

launching task manager will not show it because the rootkit hides the virus.

I tried 15 different virus scanners and the only one that detected and removed it was A-SQUARED (http://www.emsisoft.com/en/)
I didnt try AVG, I heard that one will remove it as well.

you can also check your router for traffic through SMTP port 25. If you see a massive amount of traffic you know its still on there.

Until all the virus scan companies get on the ball and get a solution this CNN crap will continue.

these rootkit viruses are hard to track down, but they cant be ignored. Your email server will end up on blacklists everywhere.

Re:I started seeing this at work 2 days ago...

to add to that comment...

I tracked a computer that had that virus and it sent out over 750,000 emails in an 8 hour day.

I was able to remove the virus from the infected computer but at the cost of nearly a million spam emails being sent out.

"Malicious Flash"

No way am I clicking a link on an article with a headline of "Malicious Flash". goatse is not an experience i wish to repeat.

SELinux

[Danathar]

Not if you are using SELinux that is properly configured, in which case the access controls are set at the level of the applications security context.

Not saying that it's perfect, but it would help and I'm sure that is where most OS's are going to head in the future.

Re:SELinux

[Atlantis-Rising]

But who sets the application's security context? The user, of course.

(You might argue the administrator sets the security context of the application, and that would be correct; but in this case, the administrator and the user are one and the same.

I realize there exists a separate paradigm where you have a competent administrator sitting on top of an incompetent user and basically 'screening' what happens- in that case, indeed, the 'user' we are referring to is competent and therefore able to provide the security context as appropriate.)

What Malicious Email?

[rossz]

I haven't received a single one. This is why I run my own mail server. I don't trust other people to do a good job.

Without looking at the logs, my guess is the Zen list from Spamhaus.org is doing the good work here.

Re:What Malicious Email?

fortune cookie is appropriate fir once

vuja de: The feeling that you've *never*, *ever* been in this situation before.

PEBKAW3C

[Mateo_LeFou]

I might just be on a hobbyhorse here, but it seems like a proper HTML5 standard with a -video- tag and a recommended codec would put a stop to all this "Download the latest executable thingamajig to view the media on this site"

(if you hadn't heard, this was tried, and any DRM-incompatible codec was called a "non-starter" by the "content industry")

Re:PEBKAW3C

[Atlantis-Rising]

I think that would require people to actually know what the hell the HTML5 standard is and what its video tag would be.

Such a system wouldn't put a stop to anything- and nor, quite frankly, would one expect it to; just because there is a standard does not mean that disobedience to the dictates of such standard implies a lack of security.

Re:PEBKAW3C

[Tubal-Cain]

I think that would require people to actually know what the hell the HTML5 standard is and what its video tag would be.

No, you just need the website authors and the browser authors (IE, I'm looking at you). And those are the people one would hope are already aware of HTML 5 (Especially considering that MS, Mozilla, Opera Software, and Apple are all members of W3C).

Re:PEBKAW3C

[mad.frog]

"Your browser does not support HTML5.1 video codec. Click here to download an update."

Re:PEBKAW3C

[kenif]

Yes! Another one for OpenDNS...

Re:WINDOWS ONLY. Dilbert source

And here's the original Dilbert comic for that line

http://ozguru.mu.nu/Photos/2005-11-11--Dilbert_Unix.jpg

getting software outside of a repository installed

[pbhj]

Like clicking on a .deb package, [entering password,] and letting gdebi install it?

Re:Nope. Package Management Stops This.

[d34thm0nk3y]

Not even Apple users have the same problem. Users of other OS have been conditioned to get their software from a place they can trust. Free software users have learned not to trust non free software like Flash itself.

So where do Apple users get their Flash updates from then?

LIAR.

[deadzero]

Windows gets autorooted in less than 4 minutes. Why do you persist in calling it safe? Because you are a liar.

Re:LIAR.

Twitter, you do know you're a stupid cunt, right? Just checkin...

Re:LIAR.

So, I assume a completely unpatched version of Debian from 8 years ago won't have any security flaws either?

Wait... did someone just say "SSL"? Hm, must be the wind.

Re:LIAR.

You have a point, but the thing is, there's no reason anyone would be using an 8-year old Debian CD to install. OTOH, most XP installs by home users are done with old discs.

You and I may know how to slipstream, but the average person installing XP sure as hell doesn't.

OTOH, more and more users now are setting up their PCs behind routers that block most of the ports by default. That has helped a lot.

Re:LIAR.

[jwilcox154]

Perhaps it is safe. When I installed Windows XP with Service Pack 2, my machine was not auto-rooted at all. In fact, I have been free of malware for quite some time. I simply stay away from questionable sites and email. Then I also have Mozilla Firefox installed as well.

No matter how secure an Operating System is, there will always be someone who could be so ignorant enough to get malware. All it would take for any GNU/Linux install to get malware is for someone to be dumb enough to get access to the Root account and install software that has the malware linked to it. Not that I am condemning GNU/Linux as it is a great operating system as well. What I am pointing out is the user is generally the root of the problem.

WINDOWS SHILL

Now I understand. dedazo appears to be a well-know Micro$oft shill.

Linux Sux

[Jafar00]

It's unfair. I clicked the link in the email, and it told me to update flash, but the flash updater I downloaded from their site doesn't work on my computer.

How am I supposed to see the CNN videos if they don't make a linux version? Linux sux, I'm going back to windows. :(

Re:Linux Sux

[DoctorPepper]

I know you're being funny, and it is. I just wanted to say I also use Linux and my wife uses a Mac, and we don't have these problems.

It never ceases to amaze me that people will bitch and moan about spam/viruses/trojans, yet still use the same old Windows/Outlook/Internet Explorer combo that creates 99% of this problem.

Ok, go ahead and say it: "but there will be Linux/Mac/*BSD viruses, you just wait!". Well, I've been waiting for almost 10 years now, and still haven't seen one. Call me when they're available. Until then, I'm just going to keep on laughing at all you Windows users, every time another one of these things gets out. :-)

Re:Linux Sux

[Jafar00]

Yes, of course I was being funny. :)
It's all well and good making a virus for Linux, but the virus writer not only has to dupe the Linux user into manually downloading the virus, he also has to socially engineer the Linux user to install it, preferably with root privileges in order to actually do any real damage.
Why bother going through all that when you can just set up a web page or send some spam to auto infect windows users instead?

Spam, spam, spam, spam...

[Deven]

This is a REALLY aggressive spam campaign. I never received a message with the subject of "CNN.com Daily Top 10" until 2 days ago at 1:49 PM. Since then, I have received 1,799 of these messages and counting. Of course, I get spammed to death already -- my email address (deven@ties.org) has been public for many years, and I don't even hide it here on Slashdot, even though it really is my primary email address. Spam has grown to the point where I am receiving over 10,000 messages every single day. (Yes, that's about a million messages in 3 months.)

On a separate note, I received an email yesterday with the title "Action required to avoid account access interruption" -- and it was actually a legitimate email! I receive such emails daily from phishing attempts, but this one was actually sent to me by TD Ameritrade.

It's a sad state of affairs when it's the legitimate email that comes as a surprise.

Might as well be

[freeweed]

Security is not a binary thing, and no one in their right mind has never claimed it is - beyond misinterpretation of unqualified comments.

50,000:1 in my books means that the 1 is damn nigh invincible. Anything else is academic.

PS: I just got pointed out today how stupid the UAC in Vista is. "A program is attempting to access your computer - cancel/allow?" Um, what kind of program exists that DOESN'T "access my computer"? This question was posed by a complete computer novice, so I'm not even speaking on a technical level here. By any definition of "access", technical or n00b, that's what programs do - access the computer. Who would ever say no, unless they maybe accidentally clicked on the wrong program entirely. If I clicked on something, of course I want it to access my computer.

Re:Might as well be

[nurb432]

Don't forget not all infections come from direct user interaction.

Sure, its the majority since people are stupid, but there are self replicating/spreading worms out there.

Re:Might as well be

[freeweed]

Absolutely, and it's the self-replicating kind that make Linux/OSX/anything *nix-based shine.

It's also the self-replicating kind that have caused the most damage in the past.

Re:Might as well be

[nurb432]

The first real worm was unix based...

Mail reader flaw

[wytcld]

Why don't all mail readers which display html simply do what Slashdot does - show the real site linked to in brackets next to whatever text is in the link, like "cnn.com [http://somewhere.de]" - perhaps with highlighting when both look like urls, but they don't match? That would kill so many phishing attempts.

Re:Mail reader flaw

[rantingkitten]

It's definitely not a bad idea, but the type of person who would fall for this stuff is probably not the type of person who really even understands what a URL is, nevermind how to read one or that they can be something other than what they appear to be.

Re:Mail reader flaw

[Posting as A/c to cover my own stupidity]

I got one of these yesterday; and (as I'd been doing a bit of drunken browsing recently) suspected I may have been put onto a mailing list.

Checked the URL to the unsubscribe link which looked like it terminated at the CNN site and hit that. Then realised that if it was a phishing attempt I've just confirmed one of my e-mail addresses. Bugger.

Didn't get hit by any of the flash update trojanware though (I believe) as I wasn't interested in the content. Still, I've chalked this up as a lesson to learn from.

I probably still have the e-mail in my junk folder, so will have another look at the URLs and see how well the links are obfuscated.

Re:Mail reader flaw

[Dark_Gravity]

Why don't all mail readers which display html simply do what Slashdot does - show the real site linked to in brackets next to whatever text is in the link, like "cnn.com [http://somewhere.de]" - perhaps with highlighting when both look like urls, but they don't match? That would kill so many phishing attempts.

I can't think of any valid reason for HTML email to exist in the first place.

Settings for Outlook

[ashitaka]

A while ago I had a regular email that would for whatever reason lock up Outlook when trying to download its HTML content.

So I set Outlook to always show plain text versions of all emails. This has provided two benefits:

1) Much faster message display
2) Malicious emails are easier to spot

In this case it was a while bunch of links where the text was http://x.cnn.com/ but the actual href was http://seomthing.de.

In Outlook 2007: Tools - Trust Center - E-Mail Security - Read all standard mail in plain text.

Re:Settings for Outlook

[KiloByte]

Indeed, HTML mail is a WTF in itself. But not so bad a WTF as even contemplating using Outlook.

Not Flash

[dFaust]

Just to be clear, users are downloading malicious software that is posing as the Flash Player. "Malicious Flash", to me, means Flash content (a SWF) that uses a vulnerability in the Flash Player to compromise a user's system. While Flash hasn't had a spotless security record, I don't know of any instances where a vulnerability in the Flash Player has been exploited on a scale such as this. In the past few years, Adobe has really strived to make Flash Player much more secure. Were this to be an actual case of "malicious Flash", I think it would be a big PR problem for Adobe and make end users extra wary of Flash for some time to come.

The wording in the title seems to me like calling someone social engineering some passwords a "WIndows security vulnerability" - misleading and inaccurate, at best.

uhuh...

[rickb928]

Saw it.

Figured it out in 12 seconds.

Deleted it.

Blacklisted it.

As if CNN got me subscribed somehow, and is using some podunk server in East Gish.

pity da fools that got sucked in.

Re:uhuh...

[Zomalaja]

Seems amazing that anyone actually thought CNN was suddenly sending them a top ten, with headlines that were mostly not quite right. Sheesh people, read before you click.

Re:Nope. Package Management Stops This.

[lmpeters]

So where do Apple users get their Flash updates from then?

I think they're bundled with Safari, thus the updates would come from the Mac OS X "Software Update" tool.

Pfuh ... Call me when they ported it ...

[freaker_TuC]

Call me when they ported it to mac so we can have the same user experience ...

Any project maintainers?

Re:Nope. Package Management Stops This.

[blacklint]

I use OS X, and although Flash does ship with the system, I have downloaded newer versions direct from Adobe. I've also downloaded third party codecs such as Windows Media/Flip4Mac from Microsoft, and the open source Perian. Granted, I do trust all of those as much as one can trust Adobe and Microsoft, but third party plugins are not unheard of on the Mac, just rarer.

Oh, and don't forget all of the people who have jailbroken their Apple iPhones with software obtained from the shadiest places possible (such as RapidShare)! People have no problems installing random binaries on their systems.

Re:Nope. Package Management Stops This.

[Atlantis-Rising]

The problem is that 'places people can trust' often don't release the software and media that people want to run or view.

Microsoft is not going to release today's latest screener movies via BitTorrent, and Debian is not going to add "Asian Teen Whores IV" to its download repositories.

Your solution is great for OS upgrades, and some applications and their updates, but it certainly doesn't work everywhere.

Hi twitter

14th account?

Ugggh!

[alcmaeon]

I read the title and I got and image of Bill O'Reilly and Anderson Cooper mooning everybody. Now I need to go scrub my brain with lye soap.

The *real* story...

[mikelieman]

Is that CNN's "Crack Team of Reporters" can't discover the responsible parties.

Re:Nope. Package Management Stops This.

[lmpeters]

That is true, although now that I think about it, most of the third-party Mac OS X applications I use (including Perian but not Flip4Mac) are very good about checking for updates automatically, thus there's at least a tiny shred of hope that the user of such an application wouldn't be suckered in by this "plug-in is out of date; download this new one" trick.

That being said, I am fully aware that Apple users are just as vulnerable to social engineering as their PC counterparts.

And as long as we're on the subject, thus far I haven't had any problems accessing any website on my Mac due to having a possibly dated version of Flash (your own mileage may vary, of course). I have occasionally run into problems due to Adobe's failure to port other plug-ins to the Intel Mac (such as Shockwave), but that seems more like a case of either incompetence or laziness on Adobe's part--not much any of us can do about that unless there's an open-source alternative that runs natively on Intel (and the few incidents I had weren't serious enough that I was compelled to go looking).

Re:Nope. Package Management Stops This.

"Winblows"?

Changing the odds of the spammers' game

[shanen]

We need to change the odds of the spammers' game to make them the losers. My suggestion to make Gmail a very hostile environment for spammers.

Re:Nope. Package Management Stops This.

[hdparm]

RPM is much better!

It would be fairly obvious on unix...

[Viol8]

... if malicious software was starting up when you log in - something having modified your .profile, .bashrc , whatever. Also it would be dead easy to remove. Not so with windows which generally takes an age to log in anyway so you probably wouldn't even notice a few extra seconds, and the places where a user space trojan initiator script can hide are so varied.

Yes under unix a user space process could fork off a daemon which remains running after you log out but once discovered running its easily killed and the binary easily found.

Re:Nope. Package Management Stops This.

Duh, read the emails.
I got mine updated from cnn.com.1234567.compromised-servers.net/trojan.app

Re:Lawsuit? - Not a chance.

[janrinok]

Unfortunately, it probably originated somewhere that doesn't care about US companies, US laws....

Well, that covers most of the world then.

....or what people think about spam.

True, but it is probably an accurate statement to say that spammers don't care what people think about spam.

Re:getting software outside of a repository instal

[LilBlackDemon]

Thereby installing it into the local repository, where you can still find it and fully remove it?

innocuous message???

[RobBebop]

I got 7 of these in my Google Spam folder on August 5th. None of them look remotely like spam. You can VERY EASILY see that the links don't point to cnn.com by OnMouseOvering the links when reading them in Google's client.

That being said, I am not sure if legit CNN.com e-mails are going to start getting flagged (not that I think many people would let CNN.com deliver them "news" in the first place) but CNN.com itself is a disaster-pot of obnoxious Flash ads with Dancing Mortgage rates and Spinning Whirlwinds.

If they really want goodwill, they should make it possible for their site to load reliably with No-Script turned on. As it stands, I only use them for a very limited amount of content that they provide (sports stories and the politic stories not picked up on Slashdot).

Re:innocuous message???

[bobmarleypeople]

My Gmail got some of these too and put them in spam. My Live mail, on the other hand, finds them perfectly fine. Yet another reason why Microsoft fails.

This is at least a week old.

[Joce640k]

I followed one of these a few days ago inside VirtualPC to see if AVG would spot it (it did).

It put Firefox inside an endless loop of popups telling me to download a new flash player (I don't have noscript on that copy) so it's pretty mean in that respect - you can't press cancel to make it go away you have to kill the browser with the task manager.

That you know of...

Just because you see no symptoms doesn't mean your box hasn't been pwned... I've seen plenty of boxen that have been compromised and sending out data over the network yet the console seems fine.

Re:That you know of...

[dedazo]

Yeah, because it's super hard to open a console and run netstat -a or look at the traffic logs on my router.

Avoide anything CNN, problem fixed.

[Krojack]

I do. If I had seen one of these I would have avoided it because it has "CNN" somewhere in it.

Re:getting software outside of a repository instal

[pbhj]

Doubtless, but he only claimed it was hard to install non-repos software ... which I find so absurd that I must have misunderstood.

There's 0install and autopackage too. Though I forget the details I think 0install counts as repos but not autopackage.

Re:

[clint999]

The problem is that 'places people can trust' often don't release the software and media that people want to run or view.Microsoft is not going to release today's latest screener movies via BitTorrent, and Debian is not going to add "Asian Teen Whores IV" to its download repositories.Your solution is great for OS upgrades, and some applications and their updates, but it certainly doesn't work everywhere.