Storm Botnet Is Behind Two New Attacks 226
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.
Comment removed (Score:5, Insightful)
Re:Ha! (Score:2, Insightful)
Re:Ha! (Score:5, Insightful)
We've found solutions; don't use shoddy software. The problem is all of the people who haven't switched yet.
Re:Ha! (Score:3, Insightful)
This happened with XP SP2, and it happens again with Vista.
Most Linux users seem to understand that it is unwise to surf while logged in as root, but at the same time they setup the Windows systems at their friends homes to do so, because "it would be too much of a hassle to use separate accounts for admin and working".
As long as the situation remains like this, there is little Microsoft can do.
But of course, the whole idea that userfriendlyness is more important than security is out of their hat.
Re:Ha! (Score:5, Insightful)
OK, since you used the word "keeps building", I assume this is about more like Vista than Windows 95.
But if a trojan in Vista asks you to elevate its privilegies (due to UAC) to run administrative tasks such as installing itself in the system, and the user clicks yes, what should happen instead? This would be equivalent to a Linux user getting an email telling he needs to run some shady software under root privilegies, and the user saying "yes please, do that now".
Arggg! (Score:4, Insightful)
~Not AC cause I don't value my karma~
Re:250k to 10M bots? (Score:2, Insightful)
On the other end, 10 million could possibly take out a entire ISP, and I'm talking about a backbone ISP too. THAT'S terrifying stuff.
Re:Arggg! (Score:5, Insightful)
Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)
Re:How does the infection spread? (Score:4, Insightful)
Many naive users would really want to see the e-card their friend has sent (even though it is never mentioned who that friend may be) so they click the link.
The next page explains they have to load some software. Not to unusual in the naive user's world. They visit websites all the time that tell them that they have to update their flash plugin, a codec, an active-x component, or whatever. They already click away those pop-ups that warn them before they have actually read them.
Besides, the first page explains that they have to click OK and go through the installation or they will not be able to see the card. Who would want to turn down their friend and not view an e-card sent to them?
So the trojan is downloaded and installed. No problem, because they are logged in as an administrator. Who sets up their system to use separate accounts for admin and use? Maybe 1% of users try that.
So, the naive user very easily gets infected. Mainly because in the past they have seen so many useless pop-ups warning them about potentially harmful things that others have told them they should click away (like getting a warning when you delete something). A pop-up no longer is an alerting event that requires attention, it is just a stupid window that gets in the way of your "internet experience".
Furthermore, most users are not prepared to think about security or to take extra steps to secure their systems (like using a separate account for software installation and system maintenance).
Re:Ha! (Score:4, Insightful)
Let's say that Windows was magically replaced by (say) Ubuntu installs tomorrow, all over the world, with the best known default configuration in terms of being secure. Within a day you'd have exploits, and rapidly growing botnets.
Ideally, *you* would then be ranting about the morons who wrote the kernel, the idiots who did the filtering and mail clients, the jerks who designed the network protocols, and the nincompoops who can't rub two curly braces together without creating a security hole.
Or you could do some research and realize that this stuff is just bloody hard to get right. By anyone. By people who have been doing this their entire careers.
Look, the security holes are *already there* on other platforms. Why aren't you ranting about them?
Meh.
Re:Ha! (Score:1, Insightful)
Re:Ha! (Score:3, Insightful)
But the user is not a technical system. When you deal with users, you need to follow good user interface guidelines, not just technical, binary thinking. That's where MS - despite their money, years of experience, own research center and all - still produced a total failure. UAC is one of the worst abominations of user interface design ever. You can give an entire presentation on its shortcomings.
Re:Ha! (Score:0, Insightful)
Re:Ha! (Score:5, Insightful)
You mean it is the evil linux haxors that deliberately sabotage poor Microsoft?
That is hilarious.
Even worse: it's the good-natured Linux users who try to find a balance between Joe User's wants and needs on the one hand, and their own patience and free time on the other.
I tried. I really tried securing my ex-gf's family computer. I opened accounts for everyone. I only left admin privileges on one account. Set everything up.
Everybody just used the admin account again. Not even the fact that each could have their own desktop didn't entice them to use their own accounts; instead, they had one desktop full of five people's crud.
Re:Ha! (Score:5, Insightful)
As long as the situation remains like this, there is little Microsoft can do.
(BTW, if you're writing a GUI application for Linux, maybe you should think about taking similar steps. We cannot preach to others if our own house is not in order.)
Re:How does the infection spread? (Score:4, Insightful)
Oh, and also because most of those warnings are really not useful for the user. They shove the responsibility on the one person least suited to actually make the call. "Hey, loser, W32kdrv.dll wants to access 0xf4a50cb to do CrypicThing() which could result in Lengthytechnobabblethatsoundsverymuchlikethenonse
Re:Arggg! (Score:1, Insightful)
For example, let us assume that Windows and Operating system Y have equal market share at 45% each. OSY comes with most services disabled, Windows comes with most services enabled, which consequently increases the number of attack vectors. Which OS would you target?
So while you raise an important point about popularity, security practices as the designer, OS, and client levels are also at fault.
Idiot-proofing the ultimate tool (Score:5, Insightful)
You know, I can go and buy a microwave oven and plug it safely into a standardized outlet and not electrocute myself or blow up my house. I can even buy a propane tank and fire up my grill without risking my life too much. I can buy a modern automobile and feel confident that if I drive it into a tree at 30 MPH or roll it over, I still have a reasonable chance of surviving. Most things have built-in standardized safety features and/or safe failure modes (within reason).
These things I can buy are all tools, some with licensing or age restrictions attached, but all more-or-less idiot-proofed. The razor blades I bought recently to scrape paint off my windows even warned me that they were "razor sharp". Well duh.
But the most sophisticated, most powerful, most versatile, general purpose tool we humans have yet invented, the networked personal computer, has been sold to and is used by millions of people without any training whatsoever and without any warnings outside of what one might pick up from the "Dangers in Cyberspace" fluff segment on the local news.
People are using computers more and more to organize all of their critical financial information. A single security breach can have catastrophic, real consequences, if for example your identity is stolen and your credit is ruined after your bank accounts are drained overnight.
All you have to do is click on one really bad link. Sometimes, not even that.
This is just another example of how technology is changing human society in completely unpredictable ways. Back in the 80's, you might have worried about a virus wiping out your word processing file. Today, typing your username and password on an untrusted machine, even just once, can compromise your entire life, and ruin your future.
Re:Ha! (Score:2, Insightful)
Does Storm Only Attack Windows? (Score:5, Insightful)
Re:Windows is inherently less secure (Score:3, Insightful)
1a. Back in the old "classic" Mac era the Mac went through a period where it was the prime target for attacks, despite it having a fraction of the market, simply because it had such a huge surface area to attack.
1b. Apple responded to many exploits (for example, in autorun CDs and floppies) by removing dangerous capabilities.
1c. Similarly, UNIX systems usually don't come with the "r" suite enabled or often even installed any more.
2. The problems I listed have not been fixed or even addressed by Microsoft.
2a. Windows is still vulnerable to autorun attacks in CDs and USB keys.
2b. Windows still comes with dangerous components like SMS.
3. http://archives.neohapsis.com/archives/fulldisclo
Comment removed (Score:5, Insightful)
Re:Idiot-proofing the ultimate tool (Score:5, Insightful)
Extrapolating that I'm guessing that in a couple of decades the "I don't know what my computer does, so it's not my problem" defense is going to be as acceptable as "of course I ran over your daughter, I cannot drive a car at all".
Re:Ha! (Score:5, Insightful)
Staroffice 3.x was a brilliant example. When you ran its setup as root it automatically went into global per-machine setup mode, while running it as Joe Average User made it run a workstation setup. In fact Office 6.x for Windows 95/NT behaved in a similar manner as well. If you ran it from a network install it behaved differently when run as admin vs when run as an average user.
I have no idea why developers stopped doing that. IMO, that was the right behaviour.
Re:I had a 500% increase in Spam on Tuesday Last W (Score:2, Insightful)
B.S. (Score:5, Insightful)
Ok, I call Bullshit.
1. Microsoft DID come out with this "more secure" OS. Like it or not, Vista is a major improvement. But it gets SLAMMED by the average
This is a tangent, but still to the point: MSFT is dammed if they do, dammed if they don't.
2. Linux/OSX/Whatever isn't perfect. BY FAR. Right now, the reward is SO GREAT for hacking on windows boxes. You only have to scale a 6 foot fence to gain access to multi-millions of users. In, say, linux, or OSX you have to scale a 9 foot fence to gain access to a fraction of that. Right now, cracking Windows just makes sense for crackers. But you (and others) seem to think that botnets would just go away forever if only Microsoft gets their act together. That's insane. People are getting RICH off botnets. You think they're just going to stop because the game got a bit tougher? No way... As the reward factor of Windows diffuses down to the level of the other mainstream OS's, you'll see they'll get attacked more, too.
3. Microsoft isn't going anywhere. This is the nature of the game, people! So sitting around here talking about "When everyone switches" or whatever is just silly. It's childish. You think you're part of the solution b/c you run an alternative OS? You're not. If you want to be part of the solution, start thinking about how to defeat these people in a way that doesn't involve bashing Windows.
Your approach is a LOT like saying "Terrorism won't be a problem once everyone switches to Christianity."
Re:Ha! (Score:2, Insightful)