
Storm and the Future of Social Engineering 77

Albert writes "Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques — such as tying spam campaigns to a current event or site of interest — as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized — and with Storm using the latest generation of P2P technology, it cannot be disabled by simply 'cutting off its head.' In addition, Storm is self-propagating — once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes."
  • How is this news? (Score:5, Informative)

    by Magada ( 741361 ) on Thursday June 12, 2008 @08:57AM (#23762599) Journal
    The worm's been around for the better part of a year now and these features have been in it from the beginning.
  • by Silver Sloth ( 770927 ) on Thursday June 12, 2008 @09:01AM (#23762635)
    This is just a puff piece for IronPort - nothing to see here, move along
  • by TrekkieGod ( 627867 ) on Thursday June 12, 2008 @11:36AM (#23764801) Homepage Journal

    However, the GUI installation tool only allows for installation by default into /Library. It is possible to override this at the command line, but it's not possible to create an installer that gives the user the option of installing into ~/Library, or does so by default.

    I think there are a whole lot of things that Apple does wrong, but in this case, if you're trying to use the installer for something that doesn't need to write system-wide stuff, you're the one doing it wrong. The vast majority of applications don't use installers. You drag the thing to the applications folder, which doesn't ask you for your password (and the 'application' that "looks" like a single file is actually comprised of all the libraries it needs to run). Upon running the application, the application will then write stuff to your ~/Library folder.

    Now, my beef with Apple's installer is that there's no easy way to uninstall anything that was installed with an installer. With the other stuff, I can just drag the application from the Applications folder into the trash, but if it requires an installer, you're essentially left to track down all the files and delete them manually.

  • Re:Why. . ? (Score:4, Informative)

    by kvezach ( 1199717 ) on Thursday June 12, 2008 @12:00PM (#23765205)
    They do, and write countermeasure papers like this one [usenix.org]. That paper is about how to break the communications network (basically flooding it) - the next step for the Storm authors is to switch to another peer-to-peer network that's more resilient, and then the investigators find another bug, and the arms race continues.

    Ultimately, the only way to shortcut the race is to keep the code from being executed, on the assumption that people aren't going to want to have the bot on their computers. Unfortunately, this is going to require heavy retooling of security systems (to lower the chance that bugs can be exploitable, and to let users know exactly what the program they're trying to execute/install wants to do).

    To get back from that digression, the big deal is that it uses peer-to-peer and that so many people have fallen for it. AV companies (and other reverse engineers) do look at the code, but they can only react, hence the arms race.
  • by deanoaz ( 843940 ) on Thursday June 12, 2008 @12:36PM (#23765847)
    How are they supposed to know those symptoms aren't just Vista doing some kind of indexing or whatever on their computer?
