Faux-CNN Spam Blitz Delivers Malicious Flash 213
CWmike writes "More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that's part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today. The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day's Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected and that tells users they needed to update to a fake newer edition, which delivers a Trojan horse — identified by multiple names, including Cbeplay.a — that 'phones home' to a malicious server to grab and install additional malware."
Re:WINDOWS ONLY. (Score:2, Insightful)
Instead of a nickel, how about giving that kid a CDR of a better OS?
Lawsuit? (Score:5, Insightful)
Too bad nobody is ever going to find the folks responsible for this. Pretty much any email that even has the letters "cnn" in it will go in the trash now. Do you think any email of a forwarded story from the CNN site would possibly get through today? Next week? It wouldn't surprise me if CNN.com ad rates took a nosedive because of this as well. Who wants to go to "the spammer" web site?
This is the sort of extremely bad PR that CNN would be well within their rights to sue the pants off of whoever started this nonsense. Unfortunately, it probably originated somewhere that doesn't care about US companies, US laws or what people think about spam. Also, how exactly would you prove where it came from?
Hope someone is getting paid real good for this. I don't think this can put CNN out of business, but it is certainly going to hurt real bad.
Re:snooze (Score:5, Insightful)
It's not a Windows problem, per se; the fact that it installs malware on Windows computers is functionally irrelevant.
PEBKAC- Problem Exists Between Keyboard and Chair.
There's absolutely no reason such a functionally identical attack would not work against any operating system you care to name, or even a theoretically perfect operating system were one to be invented.
Programs the user executes run in the user's security context. If you can trick the user, you can do whatever the user can do, or in this case, install malicious software.
Lessons Learned (Score:4, Insightful)
Re:WINDOWS ONLY. (Score:3, Insightful)
Of course you can also run Windows and avoid doing unsafe, stupid things. That usually works.
Since I'm on a 3270 terminal to an OS/390 box the size of your house right now, here's your nickel back, and a check for $50.
Re:Lawsuit? (Score:5, Insightful)
Considering how difficult and expensive it is to track down, indict and convict spammers and malware peddlers (not to mention they later tend to escape and commit suicide), I doubt CNN has the time or energy to do this.
You're never going to fix people's stupidity, which is ultimately the root of the problem.
Re:snooze (Score:4, Insightful)
It's hard to write a trojan that runs on multiple operating systems. They would need to write multiplatform trojans, and for now only Windows has the dominance to ensure profitability.
Not that it isn't possible; Adobe after all has Flash for both Mac and Windows PCs.
Must be a slow day at slashdot... (Score:3, Insightful)
A trojan-horse application is being delivered by email, masquerading as content from a major corporation.
This is news? We're supposed to be surprised?
Re:snooze (Score:5, Insightful)
Of course that's true in general (Java, perhaps?) but that's not really the issue, although it is an argument for systems diversity in general as opposed to any kind of monoculture.
The issue is that users are stupid. They will remain stupid regardless of what kind of operating system you plunk them in front of, and for my money I'd much rather Microsoft (or antivirus vendors or whomever else) spend their time working to fix actual holes- security flaws that can be exploited without exploiting the vulnerability of the user's stupidity.
Because, to be honest, the security flaw that is the user's intelligence or lack thereof is not something that Microsoft can, or should, fix.
Re:WINDOWS ONLY. (Score:4, Insightful)
Is it really? I've owned many Windows computers over the past 20 years and I've never had any problems with security. Well, there was that one floppy in the early 90s I accidentally booted off of...
There's 8 Windows boxes here on my den right now. Three servers, two laptops and three workstations. None of them are pwned, rooted, infected, trojaned or otherwise compromised. And they've never been. None of my Server 2003 colo boxes have ever been compromised either. I'm curious, what do you find difficult about securing Windows?
Re:WINDOWS ONLY. (Score:2, Insightful)
If someone saying something like that turns you off of Linux, you can expect to hear a lot more of that from people who don't want you to use Linux.
What in the world some jackass' trite comment has to do with your being "turned on" to Linux is beyond me. Either Linux is potentially valuable to you or it isn't. And the GP didn't even mention Linux.
Stop giving other people so much power over your behavior. You are responsible for your behavior, even if you let other people do your thinking for you.
"I wanted to use Linux but some jackass made a trite comment not even directed at me, so it's his fault I don't like Linux." What would you think about someone who made a statement like that?
Re:snooze (Score:3, Insightful)
Sure you could. Some of us do that right now- I have a VM running with a bare-bones Windows XP installation for IE and Firefox.
But this suffers problems. Namely, that if anything from the sandbox can't get out and harm the main system, you... can't get anything out of the sandbox.
The problem, as I said, is that programs run in the user's security context. It's perfectly possible to limit the capability of userland applications, but this does little good from a user's perspective; the user's data also resides in userland, and is the valuable part of the system. They don't really care if the kernel is still working if all their data is hosed.
Ultimately, as long as the user can access their data, so can a hostile program, so long as the user is willing to run it.
The only way to prevent this, essentially, is to prohibit anything from being deleted or modified- just write a new copy of whatever data you change, and write a transactional flag that stats that deleted data has had the 'deleted' attribute applied to it. Basically, an end-to-end journal of all file operations. And that'd be an enormous storage problem. Perhaps it is a solution in a handful of cases- if you can lock all the system files so they can't be written or modified and then ensure the user's data is never deleted or modified, only added to... maybe that's the solution. But it's not one I'd want to run at home, certainly.
Nope. Package Management Stops This. (Score:1, Insightful)
Attacks like this don't work outside of Winblows. The problem is that users have been conditioned to needing a never ending series of non free "upgrades" from untrusted sites to do what they want. I can download Gnash all day from Ubuntu and never find a trojan. Not even Apple users have the same problem. Users of other OS have been conditioned to get their software from a place they can trust. Free software users have learned not to trust non free software like Flash itself.
Re:WINDOWS ONLY. (Score:5, Insightful)
MyDoom, which holds the record [cnn.com] for fastest-spreading worm ever, did so through email and required significant user action.
Statistically, there are about as many of those as there are normal desktop computer users for the platform, since most of these attacks rely on social engineering (as opposed to actual vulnerabilities) to succeed. So the lack of malware for your platform is not due to its inherent superiority, but to the size of its installed base. Windows may have more attack vectors than Linux or OS X, but that doesn't mean that they can be avoided with $0.05 worth of simple common sense.
No, that's why I asked you the question. It's not at all. If it were, those 100K machine botnets would have 100 million zombies instead, and that's not the case, is it? Or do you figure the malware vendors are just not interested in a potential pool of that size? By most measures there's about a billion computers in the planet running some version of Windows.
Oh, sure. But there's no need to be quippy about it. That happened almost 20 years ago, and it was the first and last time any of my systems were compromised. I guess I'm a good learner.
And by the way, "superior ability" is not needed at all. Just patch your boxes and don't download or run stuff from untrusted sources. That should take care of about 99.99% of all your problems. And that's true of any OS.
Re:SELinux (Score:3, Insightful)
But who sets the application's security context? The user, of course.
(You might argue the administrator sets the security context of the application, and that would be correct; but in this case, the administrator and the user are one and the same.
I realize there exists a separate paradigm where you have a competent administrator sitting on top of an incompetent user and basically 'screening' what happens- in that case, indeed, the 'user' we are referring to is competent and therefore able to provide the security context as appropriate.)
Re:Nope. Package Management Stops This. (Score:4, Insightful)
So where do Apple users get their Flash updates from then?
Re:Lessons Learned (Score:3, Insightful)
Dude, spamassassin didn't recognize that message as spam.
DNS_FROM_OPENWHOIS, HELO_DYNAMIC_DHCP, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_PBL,RCVD_IN_XBL, and RDNS_NONE are origin checks, not message checks. (Well, the helo isn't technically, but forging it would be worse than correctly stating the dynamic IP.)
According to the message checks, that message scored BAYES_50=0.001 and HTML_MESSAGE=0.001 using standard spamassassin checks, and SARE_MONEYTERMS=0.681 from the very nice SAREs checks that smart mail admin install. That is almost certainly not enough to mark it as spam. And the 'money terms' probably triggered by sheer chance, considering this thing is scraping CNN.com for headlines. Other messages sent by this thing probably wouldn't trip over that.
The reason it was blocked was that it came from an IP that was current blacklisted for spamming and was clearly a dynamic IP, not that spamassassin recognized the message. Any mail from that IP would have been blocked. Spamassassin actually fell down pretty badly on the content analysis.
Re:Lessons Learned (Score:3, Insightful)
The majority of your spam ranking scores depend on some third party real time blacklisting services. My mail servers pass about a quarter of a billion mails daily, we end up on these blacklists quite frequently from ass hats whom manage the variety of 3rd party blacklists regularly accept falsified headers as proof of origin and they accept heuristic results from filtering appliances (I'm looking right at you barracuda) which can't tell the difference between high volume non-spam forwards and real spam. If you weight your spam filter to use that much blacklist input then there is a strong possibility that you are black holing tons of mail from large ISPs and/or causing all sorts of upstream queuing problems and delivery delays for users at your domain. Hopefully your servers only tag up the headers and don't actively do reputation blocking or any other such non-sense... Let your users make the final decision.
Re:Lessons Learned (Score:3, Insightful)
No - it is phishing - the social engineering kind, and it has nothing to do with the security of Adobe Flash. It just fools the user into thinking he is going to download a new Flash player, but he ends up with a virus. I suppose you didn't RTFA.