Storm Botnet Returns As Part of New Year's Attacks
Trailrunner7 writes "A new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics — in combination with fast-flux — to attempt to compromise unsuspecting users. The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim's machine."
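The summary says the crew fronts the fake-Flash landing pages with fast-flux, that is, rotating the A records behind a name through a pool of compromised hosts with short TTLs. The following is an added example (not code from the article or from the Shadowserver analysis it cites) showing the simplest defender-side heuristic for spotting that pattern in passive DNS data: a name answered by many distinct IPs across several /24s, always with a low TTL. The names, addresses, thresholds and the log format are constructed for the example.

```python
"""Fast-flux heuristic over observed DNS answers (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Constructed sample of A-record answers seen by a resolver:
# (seconds since start, queried name, answer IP, TTL in seconds).
# ecard.example.invalid rotates through three unrelated /24s with a 2-minute
# TTL; www.example.invalid is a normal site with a long TTL.
SAMPLE_ANSWERS = [
    (0,    "ecard.example.invalid", "203.0.113.10",  120),
    (130,  "ecard.example.invalid", "198.51.100.77", 120),
    (260,  "ecard.example.invalid", "192.0.2.201",   180),
    (400,  "ecard.example.invalid", "203.0.113.44",  120),
    (530,  "ecard.example.invalid", "198.51.100.9",  120),
    (660,  "ecard.example.invalid", "192.0.2.16",    120),
    (0,    "www.example.invalid",   "192.0.2.1",     86400),
    (3600, "www.example.invalid",   "192.0.2.1",     86400),
    (7200, "www.example.invalid",   "192.0.2.2",     86400),
]


@dataclass
class NameStats:
    ips: set = field(default_factory=set)
    networks: set = field(default_factory=set)  # distinct /24 prefixes
    min_ttl: int = 1 << 31
    answers: int = 0


def collect(answers):
    """Aggregate per-name IP diversity and the lowest TTL seen."""
    stats = defaultdict(NameStats)
    for _ts, name, ip, ttl in answers:
        s = stats[name]
        s.ips.add(ip)
        # strict=False masks the host bits so we get the containing /24
        s.networks.add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
        s.min_ttl = min(s.min_ttl, ttl)
        s.answers += 1
    return stats


def suspicious_names(answers, min_ips=5, max_ttl=300, min_networks=3):
    """Return names whose answer history looks like fast-flux.

    Thresholds are assumptions for the example: a CDN can also show many
    IPs, so in practice this is a triage signal to combine with other
    evidence (newly registered name, redirect chain to an executable).
    """
    flagged = {}
    for name, s in collect(answers).items():
        if (len(s.ips) >= min_ips
                and s.min_ttl <= max_ttl
                and len(s.networks) >= min_networks):
            flagged[name] = {
                "distinct_ips": len(s.ips),
                "distinct_24s": len(s.networks),
                "min_ttl": s.min_ttl,
            }
    return flagged


if __name__ == "__main__":
    for name, info in suspicious_names(SAMPLE_ANSWERS).items():
        print(f"fast-flux candidate: {name} {info}")
```

Run against a real passive-DNS export, the only change needed is a loader that produces the same (time, name, ip, ttl) tuples; the thresholds should be tuned against known-good CDN names before anything is blocked on this signal alone.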
the victim's machine
So it installs flash?
One year per infected computer. HARD LABOR, not some wimpy country club prison. Assuming it can be proved that there was malicious intent.
Can my karma get any worse than bad? Let's find out!
...one of the older and more threadbare techniques in this particular game.
Criminals don't care how old it is, but rather how successful it is. Please try to remember that, people. Technology doesn't have to be new or complicated to be useful, and deriding it because it is older is telling of a lack of experience with the thing. Spam will continue to be effective because it only costs a few dollars to register a domain, a little bit less to setup a distribution point, and once you have a few compromised hosts, it pays for itself -- and then some.
#fuckbeta #iamslashdot #dicemustdie
Agreed there, there's 2 different re-directs and then a file download. I understand how people still fall for this, but it still amazes me that people go through all of that still.
"The only constant in the universe is change." - Unknown author
Nice troll. You can't blame "those windoze flaws" for users clicking on, elevating to admin, and installing malicious software. This could happen the same way on any OS that allows any form of elevation (Mac, Ubuntu, etc.). This is just users in need of education (which they will never get) and is one of the reasons that some folks SHOULD be subject to "trusted computing" (even though it pains me to say that as I absolutely hate the idea).
From: Joe User (sksj3838lsk@reallywarmmail.com)
To: You
Subject: Bunny
Attachment: bunnyhop.exe
Hey check out this cool bunny, it hops around the screen and follows your mouse pointer, it sometimes hides behind windows! Just double-click on the attachment.
Bye!
Joe
one of the older and more threadbare techniques
If it works, expect them to use it.
Funnyhacks - Weird, unusual, and fun hacks
Country club prison is better than letting rapists out to make room for a hacker.
This is something I've been thinking about for years. I want to do a mass mailout to all employees at all our clients (with the managers' permission of course) in almost exactly the same way as this virus does, except instead of actually installing malicious software it keeps track of how many people click the link, and of those, how many then proceed to download the software. Far easier to send each manager a report of "x of your employees would now be infected if this was a real virus" (I'd probably not put individual employees' names on there) than to fix the damage caused by viruses.
Time to get coding I guess...
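The reporting side of the awareness campaign described above, as an added example that is not the poster's code: it tallies, per client, how many distinct recipients followed the simulated e-card link and how many went on to fetch the harmless stand-in payload, then renders the "x of your employees would now be infected" line without naming anyone. The log format, the roster and the opaque per-recipient tokens are constructed for the example; a real campaign would write the same events from its landing page.

```python
"""Awareness-campaign click/download tally and per-manager report (added example)."""
import re
from collections import defaultdict

# Constructed roster: how many recipients each client's simulated e-card went to.
ROSTER = {"acme": 4, "globex": 3}

# Constructed landing-page log. 'user' is an opaque per-recipient token issued
# when the mail was sent, never an address, so the report cannot single anyone
# out. One malformed line and one unknown client are included to show that
# both are ignored rather than miscounted.
LOG_LINES = [
    "2010-01-04T09:12:03Z client=acme user=t7f2 event=click",
    "2010-01-04T09:12:40Z client=acme user=t7f2 event=download",
    "2010-01-04T09:15:11Z client=acme user=q9a1 event=click",
    "2010-01-04T09:20:00Z client=acme user=t7f2 event=click",      # repeat click, same person
    "2010-01-04T10:01:59Z client=globex user=m3c8 event=click",
    "2010-01-04T10:02:30Z client=globex user=z0k4 event=download",  # download without a logged click
    "2010-01-04T10:05:00Z client=nobody user=xxxx event=click",     # not a campaign we ran
    "garbage line from a scanner",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) event=(?P<event>click|download)$"
)


def parse_events(lines):
    """Yield (client, user, event) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.split("#", 1)[0].strip())
        if m:
            yield m.group("client"), m.group("user"), m.group("event")


def tally(roster, lines):
    """Per client: recipients, distinct clickers, distinct downloaders."""
    clicked = defaultdict(set)
    downloaded = defaultdict(set)
    for client, user, event in parse_events(lines):
        if client not in roster:
            continue  # traffic that is not part of a known campaign
        clicked[client].add(user)  # a download implies the page was reached
        if event == "download":
            downloaded[client].add(user)
    return {
        client: {
            "sent": sent,
            "clicked": len(clicked[client]),
            "downloaded": len(downloaded[client]),
        }
        for client, sent in roster.items()
    }


def render_report(summary):
    """One line per client, counts only, no individual identifiers."""
    return [
        f"{client}: {s['downloaded']} of {s['sent']} employees would now be "
        f"infected if this had been a real virus ({s['clicked']} clicked the link)"
        for client, s in sorted(summary.items())
    ]


if __name__ == "__main__":
    for line in render_report(tally(ROSTER, LOG_LINES)):
        print(line)
```

Counting distinct tokens rather than raw hits is what keeps the numbers honest: one curious person clicking three times is still one potential infection, and someone who downloads without a separately logged click is still counted as having reached the page.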
It's more like an invitation to attack yourself.
MAYBE I feel sorry for the elderly or disabled who for whatever reason want an e-card from an unspecified friend, but why wouldn't they ask themselves why a FRIEND would send you a link to a site that requires you to install something to see a dumb-ass picture. My 76 yr old tech-disabled mother wouldn't buy into that crap.
Ok, maybe it's not fair. Maybe it is, but the truth is that the email clients and the web browsers are installing this crap on people's machines. Without the programs to go out and make the tcpip connections, that shit would stay on their compromised boxes. Since the current click-to-proceed systems are currently -not- working, the ante should be upped and make it impossible to use these client programs to hurt the boxes they reside on.
I am talking about making it -impossible- to save a file that can run as a program. Either in zip form or in real form. No click through, no nuthin. If the consumers want to download a -program- then only their anti-virus package should be able to do that. At that point, the anti-virus program takes responsibility for the behaviour of the downloaded content.
Firefox, chrome, thunderbird, explorer, whatever. These packages are RESPONSIBLE for injecting unsafe content onto systems without an immune system. Like someone throwing manure at someone with no immune system. Or feeding peanuts to someone known to have that allergy.
I am saying that the only safe way to download content to boxes now is to use the anti-virus programs as a download/installation agent. And we have to hold the agent responsible.
Or what Chrome OS is doing and sandboxing everything; but yeah, Windows really needs to up their game as their user base is the overly trusting crowd. I think not letting any 3rd party program start up on its own w/o a lot of flaming hoops to jump through first would be a start.
warning pointless sig
If you can't download without the anti-virus, how do you download the antivirus?
Do we really want to give a process huge control over what your system can or can not do? It's not the browser's fault. It's the user's fault. *NIX has a 'runnable' bit - which prevents programs with that bit set to 0 from running. It's still the user who flicks it on. Does this protect against social attacks like this one? Nope. Neither would "THIS PROGRAM WANTS YOU TO INSTALL" - because you're expecting that.
You can't blame the browsers. You can only blame the users.
Great idea.
So someone like me, who doesn't run antivirus, because I've never been infected, ever, in over 20 years, can never actually download anything, because the antivirus software that's not on my machine is the only program allowed to download anything?
Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
Browsers are for surfing the Internet.
Why should you move functionality from where it makes sense, to where it doesn't? From there, it's just a short step to unmaintainable spaghetti code.
"City hall" in German is "Rathaus" Kinda explains a few things......
Actually there IS an easy way to sandbox everything, it just isn't made by MSFT. For the clueless or unsuspecting just give them a combination of Comodo Antivirus or Internet Security (both free) and Comodo Time Machine which is also free. Comodo AV will by default sandbox everything unless specifically told not to, with full file and registry virtualization, and I have gotten several reports from customers and family members that it has stopped some serious nasties when they clicked the wrong link.
I consider Comodo Time Machine the flip side of that coin, protecting the user from themselves and their family's stupidity the way Comodo AV protects them from the web. My GF is currently having to live two hours away to help with the family farm after her father had a heart attack. One day she forgot to log off before going out to make rounds on the farm and her niece got into her admin account and somehow managed to completely trash the system32 folder. Thanks to Time Machine I was able to walk her through by phone a complete restore of a machine that wouldn't even boot, and it took less than 15 minutes. Just press F11 when you see the Comodo Clock, tell the program where you want to go back to, and let it go. It was just that easy and in less than 15 minutes she was back to a perfectly running desktop.
So believe me, between dealing with clueless customers and family members that can pick up more viruses than a Bangkok whore, any solution I recommend has been put through some serious stress testing, and those two Comodo apps put together make for a pretty much idiot proof Windows. With that combo pretty much the only thing you can't fix by phone is a HDD failure, and since I recommend USB HDDs for backups set to auto backup their important folders and image the OS drive even that can be restored to health by me in less than an hour. It is a lot less stressful for them, and a lot less work for me. I'd call that a win/win all around.
ACs don't waste your time replying, your posts are never seen by me.
And I can protect my friends from viruses by giving them Linux. :)
Protection against these malware authors proves to be rather simple.
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
Warning - ignore the poster quoted above - APK is an infamous, banned, abusive, stalking, mentally deranged, troll - who refuses to take his medication, as part of his condition is the delusion that "he knows better than the doctors"
At best his proposed cure for "everything" is a partial, weak solution, requiring constant prescient maintenance *with* admin/root access - a 14+MB ineffectual solution that *might* have been of some, immeasurably small, use in 1995.
Away with you foul troll, back to cross-linking to your many aliases, fake references, and your bullshit "developer" status, and stalking the polite and blameless.
You are the only compelling argument for the government censoring the internet.
I can't find the Linux install [ducks and covers]
+1 for this. I have family who will benefit from this :-)
And until it remains so, this is going to be going on constantly.
expandfairuse.org
Great idea.
I agree, so does my Security Gateway.
Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
2. Antivirus software can not be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit? How can you ever be 100% sure that your infected system really is disinfected without scanning from another untainted OS and/or machine? Once you're infected, it's wipe & re-image time...
P.S. Modern bot-nets run silently -- You could be infected right now & not know it. My gateway alerts me to suspicious network activity...
Why should you move functionality from where it makes sense, to where it doesn't?
I can update just the gateway and all machines behind it benefit, instead of having all the machines install new AV signatures.
Granted, I primarily use Linux, but I have several Windows boxes I use for compatibility testing. It's a pain to keep them all up to date (even with VMs & disk images), or to scan them all via net-boot or boot CD periodically. I can avoid the entire mess if I scan all inbound data.
From there, it's just a short step to unmaintainable spaghetti code.
I disagree... It doesn't have to be spaghetti code (really a moot point: No matter how pristine and elegant the code is, it's always one developer away from becoming spaghetti code).
Considering that the alternatives are praying to $deity that MS will patch your systems before they're infected, or keeping a large, invasive, processor intensive AV software suite up to date & running on each machine, I think an external real-time network AV is an elegant solution.
(If performance is needed I place my Fedora system or Game Console in the DMZ).
Well I'm happy to help. Dealing with quite a few senior customers I found there really isn't any way to break them of their trusting nature, I guess because they grew up in a time when there weren't so many douchebags. But I would like to point out there are a couple of things you'll have to do, although I doubt it will affect any clueless family members.
1. Comodo Time Machine does not like dual boots with Win 7. Linux, win9x, win2k, not a problem. But if you install Windows 7 to anywhere but the C: drive it changes itself to C: on startup. For example I am running Windows 7 and even though I installed on my D: it currently says it is on C: and my XP which is on C: is on E:. It does this because Win 7 file and registry virtualization requires the C: drive letter, but as a side effect it freaks Time Machine out. It won't hurt anything, it just won't run.
2. After first install and scan it will take Comodo AV or Comodo Internet Security (on XP I prefer CIS, and on Vista/7 I prefer Comodo AV, as the firewall in XP doesn't block outbound like Comodo AV and Vista/7 does) about a week to learn their usage habits. By that I mean it will ask them "Did you mean to launch this?" for the first week until it learns their apps. If you know which apps they use most often you can launch them yourself, otherwise they will have to click yes when they first launch an app. Once it has learned their patterns it is pretty unobtrusive and doesn't require an email address or constantly hit them with pop-ups wanting to upsell them either. It also has a well designed control system so if someone knowledgeable such as yourself wants you can customize everything to your tastes or the desired security level, for example setting a rule that all browsers MUST run in the sandbox. It also has an excellent whitelist so once the PC is declared clean essential Windows services won't cause a permission pop-up.
But if you have clueless relatives or those you have to support that live a good distance, the Comodo one-two punch along with Ninite and Filehippo Update Checker really are a Godsend. Ninite gives you a simple way to give them the latest of the most popular apps and codecs, so if say they call and say "It says I need Flash" you can send them to Ninite and tell them after running it if it still asks for Flash it is a virus. With Ninite it is easy as "check box, run installer" since it does a full web based unattended install with NO TOOLBARS or other crap. And with Filehippo it will put a little icon that uses just a few dozen KB of RAM in the tray and will alert them if a third-party app is out of date, because as we know third-party apps like Adobe Reader when out of date (which I just give them Foxit from the Ninite site) are one of the biggest sources of malware drive-bys.
But with these plus those two Comodo apps I linked to earlier you can take the hassle and guesswork out of admin duties for family PCs. Comodo AV keeps them clean, Time Machine gives you a way to restore easily by phone even if they manage to BSOD the box, Ninite gives you an easy secure way to get them the latest apps, and Filehippo lets them keep them updated so YOU don't have to. Believe me with nearly 2 decades supporting home and small business users there really is no easier way to keep a Windows box up and running smooth.
It'll take me all of 5 minutes (and 10 dollars) to register 'leolati1.com' and bypass your host file tinkering. Once you adapt from that - I can go with 'leolati2' or letters, or random numbers at the end.
Blacklists don't work. Especially not when it's blacklisting an internet domain which can be replaced very quickly.
See my subject-line above. When you can come back, on topic, and technically disprove anything I stated above, then, you'd actually be on topic, like you're supposed to be, and you'd actually have posted something worth reading.
Yep - I see it, though given the (entirely predictable) post it's just a peedie hypocritical. My repudiation of your host file based malware panacea needs no expansion - it adequately summarizes the points made by others many times before.
Your claims have been shown as worthless dozens of times by people whose opinions I find worthy of respect.
You vs. Bruce Schneier? I don't think so. Have you ever managed to convince anyone that you're not a raving loon? If so, how long did it take before they added you to their personal blacklist of witling fools to be ignored?
I've previously given you a lot of time by reading, and considering your claims. You wasted my time - I want my money back, but you are factually bankrupt. I guess I'll just have to live with the loss.
Yawn. fin.
Antivirus software is not for surfing the Internet. Antivirus software is for scanning for and removing viruses.
1. My "anti-virus" scans all inbound Internet data -- ergo, I use it while I'm surfing the web.
2. Antivirus software can not be used to remove viruses. How is an antivirus running on a root-kitted system supposed to remove the rootkit?
It's not. But nowhere in my post did I say it's for removing viruses that have already infected the machine it's running on.
It's for removing viruses from email, removing viruses from network traffic, removing viruses from USB drives, etc., etc. For crappy viruses, it can also remove them from the currently running system. However, you're right; root-kitted machines cannot generally be cleaned by A/V running in the infected environment.
However, this is all semantic bullshit, and largely irrelevant to my original point, which was this:
There's a big difference between:
a) downloading something with your browser, and your A/V saying "Wait a minute while I check that."
and
b) wanting to download something, so your browser says "I can't do this," then says to your A/V software "Hey...download this URL for me, here's a bunch of cookies you might need, session ID, and all sorts of POST data, and you'd better include this referrer URL, or you might get banned. Oh.....can you let me know when you've got that downloaded, so I can tell the user that it's done?"