Storm Hits Blogger Network

ancientribe writes "Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network, according to an article in Dark Reading. And this isn't simple comment spam, but actual blogs that post spam, and now, Storm executable files. A researcher who's been tracking the Storm-infested blog sites says he's working with Google to clean up this latest appearance of Storm."

Passing Fad

[by Anonymous Coward]

Two articles about 'blogging' in a row. I really hope this isn't what my generation will be known for.

Re:Passing Fad

[Opportunist (166417)]

Relax. You can't be worse off than the Disco generation.

Re:

[Adambomb (118938)]

Are you sure? What has more eye-blinding potential, an epileptic-unfriendly room full of coked up disco dancers, or the average blog?

Tough Call.

Re:

[The Good Reverend (84440)]

I really hope this isn't what my generation will be known for.

The sound of the word aside, I can't understand this elitist mentality I see here and other places with a computer-oriented crowd when it comes to blogging. Whenever you hear "blogging", think "allowing everyone to write on the web easily" - that's all it is. It's what we were promised in the early 90s, before most people even had computers - the ability to have our voices heard and self-publish.

For the first time in history, almost anyone can ge

Re:

[lymond01 (314120)]

"But they're letting anyone in!" -- Slashdotters wanting the Tubes for themselves

No surprise

[Tribbin (565963)]

That storm is initiated by the hot damping humid air invading from the female bloggers.

Figures...

[Ethanol-fueled (1125189)]

Direct correlation between more women bloggers and more infected blogs :)

Re:

[budgenator (254554)]

Women with infected blogs, OMG I bet that leaves a stain.

Skynet

[courtarro (786894)]

Did anyone else see Terminator 3? They predicted this "Storm" virus. It was only a matter of time before it became self-aware and began making emo blog posts without human intervention.

Sad...

[SanityInAnarchy (655584)]

The sad part is, from what I've seen and heard, this Storm "virus" does need human intervention.

It doesn't do anything technically new. The only thing new here is the particular brand of social engineering used, and it bothers me that this still works.

Re:Sad...

[DaSilva_XiaoPuTao (1036976)]

While the email's did contain a link that you needed to follow, I believe the site tried to exploit browser vulnerabilities to try infect your computer. In fact I think it generates different pages based on your user agent string to try and exploit the different browsers.

With regards to the link, they were also masked well to show up as a youtube url.

All in all I think this means that you don't have to be a total idiot to get infected, maybe just a little naive.

Re:

[Kris_J (10111)]

*double checks user agent*

Yup, mine is still 'Mozilla/5.0 (Windows; U)', thanks to Proxomitron. No reason to make it easy for people to exploit my browser.

Re:Sad...

[SanityInAnarchy (655584)]

With regards to the link, they were also masked well to show up as a youtube url.

If by "masked well", you mean:

<a href="http://136.159.166.125/">http://www.youtube. com/watch?v=BmcXqxdPoP6</a>

Yeah, I'd say that's more than "just a little naive" -- it's downright stupid. I don't know how Outlook does it, but Kontact/Kmail does two things: First, it defaults to displaying everything as text if it can, with a big red box at the top that says:

Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here [about].

(Link goes nowhere, as this is Slashdot, not actually Kmail.)

After clicking that link, the HTML is shown, but without images. A similar box will be there if there are external images, allowing you to turn them on. But even with everything enabled, it's still easy as hell -- mouseover the youtube link, and the nappy IP address link shows up in the status bar.

Ok, fine, let's assume that someone can be "just a little naive" at that point -- which I think is a stretch, in this day and age; someone who doesn't know that much should take a course before touching a computer.

In that case, the last time I tried to do that, it opened up Konqueror, which popped up a window asking me what I wanted to do with this file. HINT, HINT, HUGE FUCKING HINT -- the file ends in .exe, which again, every computer user should know, means "executable". But even if they don't, every computer user should at least know not to download/open random files from the Internet, unless it's a format they recognize.

How long did it take us to convince computer users to not open attachments? And now this takes the world by storm...

In IE, if I remember, this is going to give you one prompt to download it or "open" it, and after you click "open", it will download, and then give you at least one, if not two more prompts about the program being unsigned. If you're running Vista, it will give you yet another prompt, telling you that this program needs your permission to continue fucking with your computer.

That's -- let me count -- about five separate clues that you don't even have to go out of your way to run into -- realistically, probably three or four. Not to mention the fact that my spamfilter caught most of these before I even started seeing them and training on them, and that example I just pasted to you contains the email address "jerk2werk@nehp.net" -- yet another obvious clue; I don't know anyone with an email address like that.

And there are yet more clues if you start digging -- turning on "all headers", you can see two "Received:" headers and one "Sender:" header, neither of which matches, in any way, the "From:" header.

I'm not saying that everyone should know how to dig through email headers, until they have to -- but those are just the technical "duh" factors. There's also the nontechnical one -- I didn't make a video, and I didn't upload it to Youtube. I might click that link out of curiosity, but clicking a normal Youtube link doesn't ask me if I want to download or open anything.

So what's sad to me is not only that this kind of shit still happens, but that you, like many others, consider it to be "not stupid, just a little naive." We require Driver's Education in my state to operate a car, which is significantly easier than a computer -- if you don't know how to use a computer, it absolutely IS your fault. Go educate yourself.

As for the browser vulnerability, nope, sorry, read TFA. It's the exact same thing as the email "virus" -- it just has Youtube links to an exe file. Another one is even more obvious -- the link includes the nappy IP address right there, links to a file calle

Re:Sad...

[arivanov (12034)]

One comment: The webpage is dynamic. The .exe you see when clicking on the link is the final choice after exploits failed (and they did). If you we Joe Average who did not bother to pay for AV and did not update his machine since he bought it from Best Buy you would have been infected straight away long before that. No prompts.

Re:Sad...

[Opportunist (166417)]

And even if all those auto infections run into the ground, how many will click "allow" when you promise them some pr0n?

People are dumb and horny. Not necessarily in this order.

Re:

[DaSilva_XiaoPuTao (1036976)]

As for the browser vulnerability, nope, sorry, read TFA. It's the exact same thing as the email "virus" -- it just has Youtube links to an exe file.

Are you sure about that? I just downloaded one of the said pages that the emails link too, and looking at the source its got a massive javascript script, with what looked like to me as some exploit code. If this is the case and it is indeed an exploit allowing auto execution, then really I can't call someone stupid for falling for it, just ignorant.

With regards to the forced computer training, much like driving training people must get to drive a car, I agree, I think it would be a great idea. However, ho

Re:

[The Master Control P (655590)]

Fool me once, shame on you. Fool me twice, shame on me. The situation here isn't like getting scammed your first time behind a till. It's like you were scammed on a regular basis, and failed to learn anything no matter how many times they did the same thing. Likewise, I'd forgive someone for getting infected if it was the first time they were using email or on the Internet. But if your machine regularly needs to have accumulating malware removed despite years of experience, then yes you are an idiot, becaus

Re:

[Sancho (17056)]

You hit the nail on the head. The reason that so many people don't learn is because there is no pain involved in cleaning up an infected computer. They don't pay anything--they get their nephew or children or grandchildren to do it for them, and everything's peachy. There were almost zero negative effects for the person who clicked on the attachment.

Lots of people have grown into thinking that computers just get infected, and that there's nothing you can do about it. It's very sad, really.

Re:

[petermgreen (876956)]

Very few consider following links to be a big no no.
and honestly it shouldn't be. We follow links to sites we don't know on the web in search of information all the time if browsers can't handle that safely they are not fit for purpose. If browser authors can't write high enough quality code then other measures (such as running the browser in a sandbox) need to be considered.

Re:Sad...

[Sancho (17056)]

That's what IE7 on Vista does. But it's hard to sandbox "download and run this EXE for me, please" after the user has requested it, clicked ok, clicked "Yes I'm sure", and clicked "I trust this executable, now run it already!"

It's social engineering, and it will always work until/unless we remove control of computers from the users. That's not a solution I'm personally willing to endorse. How about you?

Re:

[petermgreen (876956)]

I was under the impression that this worm only resorted to the "tell the user to download the exe" tactic if the exploits failed.

but yes unfortunately humans are very often the weak point in many systems :(

Re:

[Pope (17780)]

Eh, this has turned into a rant, but all I'm saying is, people who get infected with malware, are not always idiots, just ignorant.

That's the whole point: stop letting people BE ignorant, and force some schooling on them to cure them of that terrible infliction.

Re:

[budgenator (254554)]

I just downloaded one of the said pages that the emails link too, and looking at the source its got a massive javascript script, with what looked like to me as some exploit code.
I saw something like that on a page described as a comcast one-click-fix page, made me glad that I scouted out the link in Firefox running in Linux; the sent by address email whois'ed to comcast, and the page address whois'ed back to comcast, but it still looked freaky to me. I suppose it could be legit, but I also suppose comast's

Re:Sad...

[LordSnooty (853791)]

Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.

And I'm afraid there's your problem right there - the kind of error message which 80% of computer users, ie the naive ones, pay no attention to whatsoever. They either ignore it completely or try and understand what it means but give up. Average people don't know what HTML is, nor what effect an HTML message could have. It's this barrier of misunderstanding which good software needs to negotiate. I'm afraid that's a poor error message.

Re:

[SanityInAnarchy (655584)]

the kind of error message which 80% of computer users, ie the naive ones, pay no attention to whatsoever.

It's not an error message.

They either ignore it completely or try and understand what it means but give up.

Which is truly pathetic. Wikipedia has a good definition [wikipedia.org], and it's the second result from a Google search. I have another: HTML in an email makes it more than just plain text -- that means it can have bold and italic. It also means it can have viruses and spyware.

That's right -- I just explained

Re:

[Opportunist (166417)]

Which is truly pathetic. Wikipedia has a good definition, and it's the second result from a Google search.

You mean, like, going out yourself to get information? Instead of expecting to be spoon fed?

C'mon, what planet are you living on?

We need to start forcing this kind of basic education on that 80% of computer users.

No. We just have to hold people liable for their own stupidity. You got infected and now your life savings are gone? Sucks to be you. No, your bank won't cover that. A fool and his money are ea

Re:

[LordSnooty (853791)]

What you're saying is right, but it's still not basic enough. Have you dealt with many clueless users? Even the idea that a message can be plain text, and then with bold & italic, will be beyond many people, never mind what the implications for malware are. And, as someone below points out, you expect people to look this information up? No, they just ignore it and click Yes or Agree or OK, anything to get rid of that message which is stopping me working. How else do you think malware in the form of BHOs

Re:

[SanityInAnarchy (655584)]

you'd have ISPs, auction sites, hardware manufacturers up in arms

Let's think about that.

ISPs benefit, because no one's running botnets that waste their bandwidth and send tons of spam, thus marking them on blacklists.

Auction sites benefit, because no one can develop a botnet to infect others, and cause them to create fallacious auctions. And eBay in particular benefits, because PayPal now has less fraud to deal with, because no one's going to enter their paypal information on a phishing site anymore.

Har

Re:

[budgenator (254554)]

My boss was able to click "OK" before the alert box had completely rendered!

Re:

[Grismar (840501)]

What users "should" know is completely irrelevant. (not even touching on the fact that it's only what you happen to think they should know, no exactly popular opinion, but that's not the issue here)

If they "should" know, but don't, the shit is still going to hit the fan. Sadly, we software engineers have to consider what a user is likely to know and build from there. Which is exactly what these Storm authors have done and what these blogging software designers should have done.

And yes, I think the designers

Re:

[SanityInAnarchy (655584)]

What users "should" know is completely irrelevant. (not even touching on the fact that it's only what you happen to think they should know, no exactly popular opinion, but that's not the issue here)

I don't think so.

If I buy a knife, and I should know not to stab myself in the face, and I do it anyway, whose fault is it?

Sadly, we software engineers have to consider what a user is likely to know and build from there. Which is exactly what these Storm authors have done and what these blogging software desig

Re:

[SanityInAnarchy (655584)]

For the same reason that I know the big pedal in my car is the brake, and the little one is the accelerator, and I know what "brake" and "accelerator" means.

For the same reason that I know red means stop, and green means go.

Because if they don't know what a program (executable) is, they won't know the difference between a harmless webpage and a harmful exe.

Don't forget the nematodes

[MarkRose (820682)]

The blogosphere has hit the mainstream, according to a new survey, which reveals that 80% of Americans know what a blog is, 50% regularly visit blogs, and 8% publish their own blog. The survey also reveals that more women than men are bloggers, with 20% of American women who have visited blogs having their own versus 14% of men.

And 2% of worms!

And I thought Trojans [trojancondoms.com] were supposed to prevent infections. Hah.

lol

[thatskinnyguy (1129515)]

You say "asshats making worms". I say "people creating job security for us IT guys". Sad that its come to this.

Google does not terminate spammers.

[by Anonymous Coward]

72.14.207.191 (blogger.com) is listed in the Spamhaus SBL for their inability or unwillingness to terminate spamvertised blogspot sites. This has been an issue for months.

"Thousands upon thousands of *.blogspot.com pages, all spammed and used to re-direct to other spammer landing pages"

I blocked .blogspot.com referrers a few days ago

[innocent_white_lamb (151825)]

A couple of days ago, I got tired of the formmail spam that my users were receiving from their "contact me here" webpages. After reviewing my logs, I made .htaccess files on my webserver:
 
order allow,deny
deny from 206.51.229.
deny from 206.51.233.
allow from all
  RewriteEngine on
RewriteCond %{HTTP_REFERER} blogspot\.com [NC]
RewriteRule .* - [F]
 
This has cut the formmail spam that I receive down to zero ever since I set it up.
 
The deny from lines take care of some guy who downloads the html submit form and posts spam from "Darksites.com", and the Rewrite denies access from all .blogspot.com referrers. I still see a few dozen hits every day from all of these, but they are all 403 now so I'm happy.
 
Here is a single example from a few minutes ago:
 
72.47.89.233 --[30/Aug/2007:22:28:22 -0600] "GET / HTTP/1.0" 403 3931 "http://hydrocodone--4t1.blogspot.com" "Opera/9.0 (Macintosh; PPC Mac OS X; U; en)"

class action

[v1 (525388)]

too bad it's not possible to file a class action suit against all the retarts that keep getting their machines infected ("but I just, well you know, HAD to click it to see what it was..") making the other 30% of the internet suffer.

Re:

[saxoholic (992773)]

I disagree. I don't think that's incompetence. It's an honest admission that more investigating is needed to determine the way these blogs are being infected. Would you prefer them to make up an incorrect hypothesis as to how they're doing this?

Re:They have no idea?

[by Anonymous Coward]

The guy saying "I have no idea" isn't an employee of Google/Blogger, he's just the guy on the outside saying he doesn't know how.

I'm on the outside also, but can tell you how. Blogger has a mail2 feature where you can post to an email address that you make up, and keep secret. Like a password. With users who makeup easy mail2 addresses (then don't monitor or abandon their blogs), and millions of emails being sent by the Storm BotNet, not hard to figure out how they are getting posted. Eventually the botnet hits them, just like they do with regular email addresses, and they get posted to the blog.

And also note, the summary is misleading somewhat. The actual files that do the "infection" aren't hosted on Blogger at all. The same thing that is getting sent to peoples emails are being posted to blogs that leave their mail2 address open and easy. So you still have to fall for the click here to get infected...

This has been going on for awhile. I first saw it at least 2 months ago. It may be increasing, but not new.

Re:Ballmer's Revenge?

[dedazo (737510)]

Oh, they know it's a M$ born disease

That's quite the glib statement, considering that worm requires so much user action (or inaction, depending on how you look at it) to infect a Windows box, it's not even funny.

How many years do you think it will take before some court proves this was intentional?

Are you serious?

Oh, wait a minute... *slaps head* "Erris" is twitter's sockpuppet [slashdot.org] account, which he uses to shill his own posts.

I thought this looked familar.

What "so much user action"?

[khasim (1285)]

That's quite the glib statement, considering that worm requires so much user action (or inaction, depending on how you look at it) to infect a Windows box, it's not even funny.

Here are the steps to infect a Windows box.

#1. Receive email with link to infection site.
#2. Click on link to infection site.
#3. There is no step #3. You're probably infected already.

Sure, in some circumstances they'll have to download a .exe to actually get infected. If they've maintained their patches. But the people who would be do

Re:

[PopeRatzo (965947)]

Don't be discouraged. You have every opportunity to promote Microsoft here, my friend. Every community seems like a mono culture when they're not buying what you're selling.

When people realize how user-friendly and fast and efficient and shiny Vista is, they'll come around and realize that it really is such an improvement over Windows XP and certainly reflects the quality improvement you'd expect from the biggest company in the world spending seven years working on it, just to make those of us who use compu

Re:

[weicco (645927)]

Yes, you obviously don't get it. From TFA:

Storm is often referred to as a worm, but it's technically a Trojan. It relies on social engineering, with a tempting message and link, and it's all about expanding spam and the underlying botnet behind it, notes Joe Stewart, senior security researcher for SecureWorks.

Now tell me how MS or any other software vendor should fix their stupid users.

Re:

[mgblst (80109)]

Now tell me how MS or any other software vendor should fix their stupid users.

Some sort of electric shock, sent through the keyboard or mouse, should do the trick!!

Re:

[Sancho (17056)]

Your subject was on-topic, but your rant wasn't, and it didn't really belong here. The days of Windows insecurity are really coming to an end. Microsoft screwed up a few years ago, and they learned from it. Kudos to them.

But the monoculture is still an issue, because Windows still has something like 90% market penetration. Although Microsoft caused this (to a degree), I can't say that it's something to blame on them. Without requiring the user to read some documents (and take a quiz after), there's not

Re:

[fyoder (857358)]

...and it's ALL JUST ONE COMPANY'S FAULT!

"We could blame Microsoft for creating crappy operating systems, but if people wanted to pay us billions for our shit, which of us would not rejoice in every bowel movement?"

Damn the nephews for all spam [backofthebook.ca]

Re:

[wordsnyc (956034)]

we don't need no stinking badgers.

Re:

[Nullav (1053766)]

Mushroom.

Re:

[owlnation (858981)]

A snake!!!

Re:

[Goaway (82658)]

+1, As Poetic As Slashdot Will Ever Get