Largest Hacking Scam in Canadian History
vieux schnock writes "Police raided several homes across Quebec on Wednesday and arrested 16 people in their investigation, which they say uncovered the largest hacking scam in Canadian history. (...) The hackers collaborated online to attack and take control of as many as one million computers around the world that were not equipped with anti-virus software or firewalls."
Re:Really? (Score:5, Interesting)
There are no safe file types. All files can be viewed as programs meant to run in a specialized virtual machine (the program which is used to open them). For example, a PNG file is a program which, when run, will compute an array of bytes (the image pixels). The same goes to PDF. In this view, since all files are programs, it is in principle possible that any of them could contain code which can result in unexpected behavior of the virtual machine executing them.
Of course some file types are easier to compromise than others, either due to sheer complexity or ambiguity of the specification or because they are Turing complete. However, it is impossible to guarantee that every viewer for any file type is free of defects. Anyone still remember ANSI codes for DOS, which could be embedded in text to change color but also to set macros to keyboard keys when the file was viewed? And of course SQL injection attacks are based on formatting a text string so it will cause unexpected results, not to mention causing a buffer overflow with an overlong string.
I repeat: there are no safe file types. They all have a potential to contain malicious code, because there is no such thing as data which is not also a program. From a certain point of view, GIMP is simply a very specialized compiler...
Re:Spot the key words (Score:3, Interesting)
Except that a good botnet doesn't have to have machines talking to each other. Each compromised machine just needs to find a few others to get its orders from, who gets its orders from someone higher in the chain, etc.
There doesn't have to be communications back to the server.
For spamming, each machine gets a list of a bunch of usernames from a peer who shares its list, and gets other addresses from other peers. That's why you can end up with multiple copies of the same spam in your inbox - the spammers don't care if you get 1000 copies of the same email. And the spambots don't bother marking off an email as sent to a specific address and tell everyone, they just run through their own lists.
This way, the only real communication happens top down, fire-and-forget method. If someone buys 1,000,000 emails, spammer can send out more just to ensure that 1,000,000 people got it. But since they're scammers, it doesn't matter if it went to 10,000 people 100 times.
Re:Really? (Score:5, Interesting)
It can be. For example:
'; ROLLBACK; UPDATE users SET admin = true WHERE username = 'ultranova'; '
If the virtual machine which handles the username field of Slashdot's login form naively passed this string to the database layer without specifically quoting it, this text string would make my account an admin account; well, actually, since I haven't studied Slashcode, it probably wouldn't, but the point still stands: even text is not an inherently safe data format in all circumstances.
The virtual machine in this case would be whatever program receives the input. And yes, the text you type is indeed a program being executed by that machine; each time it receives a keypress from you, that keypress instructs it to do something, right? Even if that something is merely to output the letter (although a text editor would also store the input internally, of course). And that is what a program is: a list of instructions.
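The injection the comment describes, as an added example that is not part of the thread: a vulnerable lookup that pastes the username into the SQL text, beside a parameterized lookup, both run against a constructed SQLite table with the comment's own payload. The `users` table, the `run_stacked` helper standing in for a driver that accepts several statements per call, and the per-request transaction are assumptions for the demonstration.

```python
import sqlite3

# Payload quoted from the comment above, used here as constructed test input.
PAYLOAD = "'; ROLLBACK; UPDATE users SET admin = true WHERE username = 'ultranova'; '"

def make_db():
    # Constructed sample table. isolation_level=None leaves transaction control
    # to the SQL we send, as most server-side database drivers do.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, admin INTEGER NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("ultranova", 0), ("alice", 0)])
    return conn

def run_stacked(conn, sql):
    # Stand-in for a driver that runs ';'-separated statements in order
    # (sqlite3's execute() alone would refuse the second statement).
    rows, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if sqlite3.complete_statement(buf):  # a ';' inside quotes is not a terminator
            rows = conn.execute(buf).fetchall()
            buf = ""
    return rows

def lookup_naive(conn, username):
    # Vulnerable: the quote in the input closes the string literal, so the rest
    # of the "username" is parsed and executed as SQL.
    conn.execute("BEGIN")  # the request handler does its work inside a transaction
    try:
        rows = run_stacked(conn, "SELECT admin FROM users WHERE username = '" + username + "'")
        conn.execute("COMMIT")
        return rows
    except sqlite3.OperationalError:
        # The payload's trailing quote leaves a dangling '' statement that fails to
        # parse, but the ROLLBACK and the UPDATE before it have already run.
        if conn.in_transaction:
            conn.execute("ROLLBACK")
        return []

def lookup_param(conn, username):
    # Hardened: the driver binds the value, so quotes and semicolons in it are
    # compared against the column as data and never reach the SQL parser.
    conn.execute("BEGIN")
    rows = conn.execute("SELECT admin FROM users WHERE username = ?", (username,)).fetchall()
    conn.execute("COMMIT")
    return rows

def is_admin(conn, username):
    row = conn.execute("SELECT admin FROM users WHERE username = ?", (username,)).fetchone()
    return bool(row[0])
```

With `lookup_param` the payload simply matches no user and `is_admin(conn, "ultranova")` stays False; with `lookup_naive` the same input flips the flag to True.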
It isn't.
The "$45 million" profit claim is highly unlikely (Score:4, Interesting)
Most of the large-scale botnet scams I've heard of don't yield anywhere near that kind of money. The botnet operators maybe pull down $3-10,000 a month renting out the botnets. Even large-scale identity theft rings are reaching for anything like $45 million.
Unless these guys were targeting rich people, I don't see it. And since most of the alleged compromised computers were in South America, I doubt they hit a lot of rich people.
Re:Really? (Score:3, Interesting)
Yes, I'd believe those numbers.