Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security

When Malware Authors Combine Efforts 306

Posted by CmdrTaco from the you-don't-like-your-data-anyway dept.
An anonymous reader writes "Spammers, Hackers and virus writers are all teaming up according to some russian security researchers. This means that they reckon that weaknesses will be exploited in a matter of hours of being announced, rather thant the weeks and months that we're seeing now. Scary stuff."
This discussion has been archived. No new comments can be posted.

When Malware Authors Combine Efforts More

When Malware Authors Combine Efforts

Comments Filter:

  • And just yesterday (Score:5, Interesting)

    by Anonymous Coward on Thursday December 09, 2004 @01:41PM (#11044406)
    They couldn't get along [slashdot.org]!
    • New virus and malware combination causes duplicate articles, news at 11:00!
    • I think I can reconcile this:
      There will be a few groups who work in strategic alliances. The very scary part about this will be the "power" behind some of the malware campaigns. I think CoreWars, running on every windowz box that isn't hardened really is going to happen.
      This should prove to be interesting, especially when governments step in with the non-judiciary non-legislative branches because a real security leak is caused by one of these programs. Think a pissed off NSA (not a politicking one) of th
  • the exploits we've already seen?

    Further, if I'm wrong, doesn't this announcement generate (or risk generating) more momentum in the "malware conglomerate" that's being reported?

  • Public disclosure... (Score:5, Interesting)

    by PincheGab ( 640283 ) * on Thursday December 09, 2004 @01:43PM (#11044421)
    So where does this place public disclosure advocates? Are people going to demand that makers of affected software have a 24/7 programming staff ready to plug leaks just so weakenesses can de disclosed immedately? In light of this even I would favor not publicly disclosing weaknesses immediately!

    • Re:Public disclosure... (Score:5, Insightful)

      by techsoldaten ( 309296 ) * on Thursday December 09, 2004 @01:52PM (#11044539) Journal
      You know what? Business needs remain the same regardless of how fast hackers are writing exploits. Few companies, Microsoft included, could afford to have a 24x7 staff of patch writers for all of the applications they have deployed.

      This is the greatest argument for open source software I have ever seen. A proprietary model of development is going to get creamed as people take advantage of their limited resources and exploit the woo wang out of their apps. FOSS apps, on the other hand, potentially have hundreds of thousands of people ready to go worldwide at any given moment to correct problems as they happen.

      M

      • Re:Public disclosure... (Score:2, Interesting)

        by SeaFox ( 739806 )
        You know what? Business needs remain the same regardless of how fast hackers are writing exploits. Few companies, Microsoft included, could afford to have a 24x7 staff of patch writers for all of the applications they have deployed.

        Well, maybe if they tested the software better and built it more secure from the start they wouldn't need a 24x7 staff of patchers.

        Haha. But that would imply the product is being driven by developers and engineers, not marketting people.

      • Re:Public disclosure... (Score:4, Insightful)

        by dankney ( 631226 ) on Thursday December 09, 2004 @02:36PM (#11045004) Homepage
        I would disagree completely -- this is an argument against open source. The exploits are expected to come out within hours of disclosure, not hours of discovery.



        Closed-source software has the ability to write the patch before disclosing the vulnerability.



        I believe in open source 100%, I just think that this argument falls against, not for OSS.

        • as long as it is the software company itself who finds the virus...
        • I don't know if any software has the ability to write a patch, as you state, but I think I see your meaning.

          The one problem with this idea is that the incentive for the company to patch the vulnerability has to come from within. Market forces are only beginning to force Microsoft into a position where they MUST fix the gaping holes in their products. I don't know if a smaller company (let's use Real Media for the sake of argument) would have a similar imperative.

          I trust public disclosure for exactly that
        • I know this has been stated MANY times before in various ways, but if "closed source" truly is effective in preventing malware/hacks/virii simply because the source isn't available for anyone's inspection - then why do we see all the security flaws popping up with IIS? Meanwhile Apache has comparable market-share and usage world-wide on the net as a web server, and it is considered far more secure?

          By the same token, Linux and BSD have been chosen as the platform many commercial firewall/router products are

      • Re:Public disclosure... (Score:3, Interesting)

        by DaHat ( 247651 )
        Just because you can get a patch out faster in the OSS world doesn't mean you should. It's pretty easy to open up a block of code and fix a bug (provided you know what it is, where it is and how to fix it), it's the testing to make sure that your fix didn't break anything else and that your system still works exactly like before (other than the fixed bug of course) is the time consuming part.

        Does Microsoft spend weeks doing regression and unit testing? I do not know, however making the assumption that a pa
    • No, but this certainly favors Open Source - as severe exploits are typically fixed far faster in open source projects than they are in closed source projects.

      Also - it's better to know there is a chance you could hit with an exploit, and take steps such as a backup, or closing down a firewall port, etc., then to be caught by an exploit with your pants down. If there's a possibility my machine could get 0wned, I want to know about immediately so I can keep an eye out for it if nothing else.

    • Re:Public disclosure... (Score:4, Insightful)

      by _Sprocket_ ( 42527 ) on Thursday December 09, 2004 @01:53PM (#11044557)


      In light of this even I would favor not publicly disclosing weaknesses immediately!

      How does this change anything? This situation already exists and has existed for years. There has always been an element of pay-to-attack behavior as well as gathering resources via mass shotgunned attacks. And, in fact, spammers have been taping in to this environment for a while.
      • Not saying I believe everything the article suggests, but the way it COULD change everything is that now there may be a large profit motive for a large number of people to produce zero-day or even zero-hour exploits. It's one thing when hobbyists hackers think it's nifty to write an exploit to prove their leetness; it's something else entirely when a corporate entity writes exploits for profit.

        I think you're right in that this isn't really a qualitatively new thing, but the quantity of pay-to-attack may in
    • RFP has a fairly respected document on public disclosure methods. The idea is basically that public disclosure happens only when there is no vendor response or when vendor response irresponsibly wanes. I agree that immediate public disclosure is not the right approach to take.

      http://www.wiretrip.net/rfp/policy.html [wiretrip.net]
      -Paul
    • I think you underestimate how many companies are told they have vulnerable software rather than find it themselves. Http-equiv from malware.com finds tons of stuff and the Samba team used to submit a number of vulnerabilites they found in Microsoft's implementation. And all the time vulnerabilities are disclosed, sometimes the company is told before hand and if they don't act quickly enough then they are disclosed publicly, otherwise the company may find out at the same time you do. Regardless, if some thri

    • Re:Public disclosure... (Score:2, Interesting)

      by jrl ( 4989 )
      The flip-side to your argument is that many of the exploits are found by "bad guys" before they are rediscovered by "good guys".

      By definition, the "bad guys" don't typically believe in disclosure as it takes away another one of their 0day toys.

      By disclosing weaknesses immediately you allow information owners to take precautions to protect their infrastructure, even if that means making the resource unavailable until a patch is provided by the vendor.

      It is naive to believe that only "good guys" find probl

    • So where does this place public disclosure advocates? Are people going to demand that makers of affected software have a 24/7 programming staff ready to plug leaks just so weakenesses can de disclosed immedately?

      IMHO, this makes little or no difference. How many of the viruses and trojans in recent years have been created before a patch was available? Not Blaster or Sasser. I'm sure there are some in this category, but I can't think of any.

      Once a patch is released, most businesses will do their own

    • From TFA...
      "This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."

      Wouldn't it be more important to be against anyone who creates vulnerabilities rather than those who inform us about them so we can patch or even shut off services if necessary?

  • How many times do I have to tell you? (Score:5, Funny)

    by Anonymous Coward on Thursday December 09, 2004 @01:43PM (#11044424)
    Get a firewall, block all inbound and outbound traffic, unplug your ethernet cable and shut off your computer. It's that easy to protect yourself.

  • Uhm.. You know those russian security experts (Score:5, Insightful)

    by Phixxr ( 794883 ) on Thursday December 09, 2004 @01:43PM (#11044425)
    Is it just me, or does it seem that every story that lists the source as a "Russian Security Expert" is generally a load of crap?

    -Phixxr
  • to lock down your enterprise with a File surveillence and security tool like i:scan [dciseries.com]... know what's happening before the user does...

  • Many shallow eyes... (Score:3, Interesting)

    by Onimaru ( 773331 ) on Thursday December 09, 2004 @01:44PM (#11044437)

    ...make deep bugs deeper. FOSS philosophy applied to viruses. Yikes.

  • No big deal (Score:4, Funny)

    by MrRuslan ( 767128 ) on Thursday December 09, 2004 @01:45PM (#11044456)
    this wont have an effect on computer litirate people who know how to protect themselves ...and for those who dont know things wont change much ether....some people still have blaster on there box..they dont know or wanna know how to take care of there box

  • Groups of Attackers (Score:3, Informative)

    by teiresias ( 101481 ) on Thursday December 09, 2004 @01:45PM (#11044460)
    I don't think more people cooperating will really find new exploits, they will simply explore the ones they have already found. So, instead of an exploit coming out and than a derivative coming out a couple weeks later, we will see four or five derivates in quick succession of the original exploit.

    Also, what "new" cooperation tools are malware writers using to communicate with each other? I'm fairly sure that IRC, Instant Messaging, VoIP, Bulletin Boards, and e-mail have all been standard communcation tools for these people. Maybe the groups now have more members.
    • Every time a new exploit travels around the internet, there are posts here saying things like "it's a good thing there was that bug ..." or "it's a good thing they used a relatively inefficient search for new hosts ..." or "it's a good thing it failed to disguise itself in this way ..."

      If there's a movement towards greater code reuse, sharing of ideas, and debugging help among the people creating these exploits, we won't just see a speed difference -- we'll see a quality difference. We've been relying on s

  • Organized Crime? (Score:5, Interesting)

    by jellomizer ( 103300 ) * on Thursday December 09, 2004 @01:46PM (#11044469)
    Isn't this the same as orginized crime. So a bunch of internet thugs orginize to advertise more stuff, because they realized it will be more effective if they worked togeth. Will this rise the cost of protection money to use the internet?

  • I'll from the head! (Score:5, Funny)

    by identity0 ( 77976 ) on Thursday December 09, 2004 @01:46PM (#11044470) Journal
    Hacker: I'll form the head!

    Scammer: I'll form the heart!

    Pornographer: I'll form the right hand!

    Spammer: I'll form the crotch!

    All: Together, we are - ASSHOLETRON!

    (catchy theme music here)

  • No surprise- (Score:5, Interesting)

    by IWantMoreSpamPlease ( 571972 ) on Thursday December 09, 2004 @01:48PM (#11044487) Homepage Journal
    Used to be (way back in 2003 or so) AdAware was all you needed (and Norton AV or a workalike)

    But now, man some of the things I've seen are really nasty!

    You wipe 'em out, they come back, they hide from searches, morph into other programs, I've even seen one (I shit you not, I've been in IT for 10+ years, never seen anything like this one!) that was active even when the infected drive was placed as a slave on another machine, it started right up and infected the new PC.

    This goes way beyond simple syware, these people are teaming up and it's just the beginning.
    • Adware's a big component of this, especially the new VX2/ABetterInternet strain.

      It's no real surprise, then, that large corporations and their ad dollars are behind a lot of this.

    • Re:No surprise- (Score:4, Funny)

      by gregfortune ( 313889 ) on Thursday December 09, 2004 @04:31PM (#11046299)
      I've even seen one that was active even when the infected drive was placed as a slave on another machine

      Dude, don't click on them *again*...

  • serve yourself and save (Score:3, Interesting)

    by to_kallon ( 778547 ) on Thursday December 09, 2004 @01:48PM (#11044497)
    "They work in groups that exchange information with other groups on forums and Web sites."
    erhmm....
    ianase (i am not a security expert) but wouldn't that statement apply to, hmmmm....., oh i don't know.....THE INTERNET?? seriously, a broad, vague, statement like that suggests to me that this is mostly overreaction on the part of a group who could experience significant gains IF their statements were true.
    fud? imho, yes.

  • Security Through Obscurity (Score:3, Interesting)

    by TrollBridge ( 550878 ) on Thursday December 09, 2004 @01:49PM (#11044509) Homepage Journal
    "This means that they reckon that weaknesses will be exploited in a matter of hours of being announced, rather thant the weeks and months that we're seeing now."

    Kinda makes you think twice about publicly announcing vulnerabilities in your software before you have time to fix them, does it not?

    • A good portion of the time, hackers and such learn about the exploits by reverse-engineering patches and updates. The problem isn't 'security through obscurity' so as just that most users are too lazy to patch their computers when a new update comes out.

  • This war can't be won ... (Score:3, Insightful)

    by smoyer ( 108342 ) <smoyer64@gHORSEmail.com minus herbivore> on Thursday December 09, 2004 @01:50PM (#11044522)
    The problem with detecting and deleting viruses, trojans, etc. is that you will never get ahead. At such time as a zero-day exploit is known to a hacker, they can create their malware of choice to exploit it. A skilled hacker may have an exploit ready in 6-12 hours.

    Once done, they have a certain population size (vulnerable hosts) that can be almost instantly assaulted.

    On the white-hat side, once the malware is noticed, it may take months to patch the initial security hole and even longer to patch the entire population of vulnerable hosts.

    This is why vulnerability announcements are so important, the software that survives in the future will be the one with the shortest vulnerability to patch cycle. The others will die off ... only the strong survive!

    • Which is probably where Open Source software will eventually win. I remember a Mozilla/Firefox exploit that was patched in an hour... Compare that to the 6 months it took Microsoft to issue a few "simple" patches to Internet Explorer.
      I think that to defeat these groups the easiest way is to use the least vulnerable software, which for an x86 platform right now seems to be OpenSource software.
      Didn't apache have a bug that was fixed in less than 30 minutes after the flaw was discovered?
      How many corporations c
    • may take months to patch the initial security hole

      This is the Windows way. Linux security fixes usually take a few hours up to a few days for services (ssh, apache, Bind, ntp). Also, if you use nonstandard ports for anything else and install active intrusion detection software then hackers won't get past the initial port scan.

      Oh, and web browsers are inherently complex. I put a proxy in front of mine with ClamAV to innoculate any pages sent to the browser, just in case there is an exploit.

      I will be v
      • This is the Windows way. Linux security fixes usually take a few hours up to a few days for services (ssh, apache, Bind, ntp).

        That's great for simple products like Firefox, but what about when the product that has the security hole needs a fundamental change in its behavior? And if that product is used by every Fortune 500 company now you'll need to do compatibility testing to make sure that the product fix doesn't b0rk the dozens of other interoperable software which has been built on top of it.

        Securit

  • focus change (Score:4, Insightful)

    by derxob ( 835539 ) on Thursday December 09, 2004 @01:50PM (#11044523)
    Back in the day virus writers main intent or goal was to piss off users and to create the next 'big' virus. Now a days, it's all about the money. Those same virus writers are now focusing their attention on the same aspects of before, infecting and disrupting a users system, but when money is involved, the stakes get higher, and things become a lot more dangerous.

    However, this article is pleading that we should *not* be publishing vulnerabilities, "because it gives hackers a tool", and I disagree with this. Publishing vulnerabilities is a way to alert the public of exploits that are present. What we need to do is make the publishing of vulnerabilities more popular than it is so that the general public is aware of problems and alerted on how to fix them.

    • Re:focus change (Score:3, Interesting)

      by MinutiaeMan ( 681498 )
      I see a major problem with this, at least in some circumstances. If businesses start issuing too many warnings about vulnerabilities, at least some users might become "desensitized" to the urgent need to upgrade. Heck, already too many users don't bother upgrading until there's a big bad virus or worm out there threatening everyone.

      Of course, by the same token, if businesses start issuing more warnings (cough*MICROSOFT*cough*) then maybe more people will realize that their software of choice is a piece

  • Another group of people is obviously conspiring to take over. I wonder if this is all related to the "Vast Right-Wing Conspiracy"? Or was that the "Conspiracy of the Liberal Elite"?

  • Microsoft should.... (Score:4, Funny)

    by Himring ( 646324 ) on Thursday December 09, 2004 @01:53PM (#11044555) Homepage Journal
    Microsoft should use the business model that's brought them where they are today, create a "virus" department in Redmond and beat these guys at their own game.

    I can see it now: Active Virus (TM)

    1. Make OS.
    2. Build-in holes.
    3. Release patches.
    4. Create virus.
    5. Still profit!

  • Et tu, Slashdot? (Score:5, Insightful)

    by menkhaura ( 103150 ) <espinafre@gmail.com> on Thursday December 09, 2004 @01:55PM (#11044571) Homepage Journal
    Mistaking hacker for cracker is acceptable on the general media, where people aren't very aware of such subtleties. But on Slashdot? C'mon, I know Slashdot is crawling with Windows users, wannabes and such, but this is getting offhand!
    • Slashdot is crawling with Windows users, wannabes and such...

      w00t, we have wannabes?!

      I feel cool now!
    • Because a cracker is a black-hat form of hacker, but one can be a hacker without being a cracker?

      Cracker is a more accurate definition, and certainly this otherwise paints a bad name for hackers. But realistically, given the use of hackers to describe such users perhaps a better name for white-hat hackers would be appropriate...
    • Mistaking hacker for cracker is acceptable on the general media, where people aren't very aware of such subtleties. But on Slashdot?

      I know this won't be very popular, but maybe it's time the "hacker" community accepted that like many other english words, it can mean multiple things. Geeze, already it can refer to someone who is bad at golf, or someone who enjoys chopping at wood, why not someone who "hacks" into computers?

      Maybe i'm silly but I'd rather trust the Oxford English Dictionary on something

  • Move along, nothing to see here (Score:3, Informative)

    by worktheweb ( 219135 ) on Thursday December 09, 2004 @01:57PM (#11044593)
    These are the same guys who were predicting an "Internet Meltdown" a little while back -- I'd take their prognostications with a grain of salt ...

    http://it.slashdot.org/article.pl?sid=04/08/25/1 53 3213&tid=172&tid=95&tid=1

  • Latest Kapersky news (Score:3, Insightful)

    by flibuste ( 523578 ) on Thursday December 09, 2004 @02:00PM (#11044627)
    Last time I heard about Kapersky labs, we were supposed to have an internet doom day. I'm still waiting for it, yet Kapersky is still blowing whistles.

    How can you trust such a non-trustable source anywany?

    • How can you trust such a non-trustable source anywany?

      As soon as you figure that out, give me a call. If I could understand why so many people continue placing their trust in individuals or institutions that seem to exist only to abuse that trust, I'd finally be able to understand why the political system in my country works as well as it does.

  • !News (Score:2)

    by oexeo ( 816786 )
    This will probably get modded troll, but please hear me out:

    Damn it /.! Please check the definition of news:

    News
    - Information about recent events or happenings, especially as reported by newspapers, periodicals, radio, or television.
    - A presentation of such information, as in a newspaper or on a newscast.
    - New information of any kind: The requirement was news to him.

    This is not news! It's simply common sense that certain classes of people are going to conspire and associate with each other to some degree
  • We all keep our PCs secure.. or should do. Then we make money off it, by fixing the PC's belong to who don't...

    It's win-win for us. Lose-lose for the newbies.

  • P-1 CUR ALLOC=8,058,044,651 CALL GREGORY

  • open a can of whoop-ass (Score:3, Interesting)

    by TheSHAD0W ( 258774 ) on Thursday December 09, 2004 @02:10PM (#11044737) Homepage
    This circumstance does have some advantages; by tying themselves together financially they open the possibility for one to be traced from the other.

    It also opens the participants to criminal conspiracy charges. Can you say RICO, motherf***er?

  • Very dangerous meme... (Score:3, Insightful)

    by CODiNE ( 27417 ) on Thursday December 09, 2004 @02:15PM (#11044773) Homepage
    "This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."

    This pushes security discussion underground, but doesn't stop the bad guys, just leaves the administrators vulnerable and unaware. Very easy to spread this sort of propaganda however... hopefully it doesn't lead to laws being passed.
  • If the attackers are getting that organized, they presumably can find their own vulnerabilities, instead of relying on published ones like the script kiddies.

  • Jabberwocky! (Score:5, Insightful)

    by jaypifer ( 64463 ) on Thursday December 09, 2004 @02:25PM (#11044898)
    "This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."
    And this is why most people are against security by obscurity. Kaspersky is confused. The tired phrase of "If guns are outlawed, only outlaws will have guns." applies even more pertinently to software vulnerabilities.

    By the time someone with enough motivation (read funding) to write an article on a vulnerability does so, the bad guys have already written exploits. Why? For the same reason...they get paid!

    The published articles allow the moderately tech savvy user to protect themself. Additionally, it forces the software makers' hand to close the vulnerability faster than if they had no pressure at all. Ultimately, this is our only way of shaming large companies into creating proper software and delaying the releases until they've created a more hardened product.

    Yes, hanging out the dirty laundry of vulnerabilities makes it easy for the junior hackers to create something out of nothing, but I'd rather we all know about the problems at the same time than a few sophisticated spam hackers knowing about the problems for an indefinite amount of time.

  • By joining up, the malware author does exactly the opposite of what he needs to do to stay anonymous. It is easier to catch someone who communicates with colleagues about the very thing which he needs to keep private. By conversing about virii/trojans/etc, it is far easier for law-enforcers to monitor and hunt down these cybermischiefs and bring them to justice, Bill Gates's feet, a /. horde, etc.
  • Maybe it's just me, but it sure seems that a lot of the "doom and gloom" virus warnings come out of Kapersky.

    Wasn't it just 6 months ago or so that they were warning of a big attack day from the script kiddies out there (Was a... Friday, or a Saturday it was supposed to happen - Can't recall which off-hand). It never happened, but you wouldn't have believed that from their press release.

    Don't get me wrong... Kapersky's not the only one who feels that there's greater cooperation between the various vir
  • I guess people would be much more secure if they switched to Linux and configured a good SELinux policy. One that prevented webbrowsers and e-mail clients from modifying binary files like shared libraries and applications.It could also prevent files that was downloaded by webbrowsers or e-mail clients to be executed by root. Make sure that only approved applications that really needs it are allowed to open sockets or connect to the internet. That would make life very difficult to most virus developers.

    Toda
  • Instead of chasing down the lone cracker who created the GreatNewVirus, authorities can now pley members against each other in order to infiltrate a group. They can offer rewards for ratting out other members, or bribe them with reduced charges/punishment in exchange for squealing. This is a good thing.

  • "This is why vulnerabilities are so important," said Kaspersky. "We are against anyone who publishes vulnerabilities because it gives hackers a tool."

    That's right keep them secret, keep them safe. So only the crackers and the uber-geeky know. And the little hairy foot developer can carry the exploit to mount doom before the evil minions of 50R0|\|666 get their hands on it.

    How will we know what ports to block, what mutex to push via GPO, and what tools to use to prevent these attacks if we don't know abo

  • pattern, anyone? (Score:2, Interesting)

    by majest!k ( 836921 )
    i just read the article. i couldnt help but notice a striking resemblance with the agendas of Kaspersky and our very own Bush administration...

    1) spread fear, its good for business.
    2) create some fucked up 'axis of evil' shit to help further #1. ("Virus writers are combining their efforts with hackers and spammers to launch Swiss Army knife-like malware attacks on users")
    3) throw in some fuzzy math for effect. ("The company said that it was seeing 200 new viruses a day.")
    4) take a random stab at preven

  • Protocols will have to get more resilient (Score:3, Informative)

    by Dr. Manhattan ( 29720 ) <sorceror171@nOspAM.gmail.com> on Thursday December 09, 2004 @04:18PM (#11046191) Homepage
    I'm too scared to have my ssh server exposed to the raw net. Things like port knocking and so forth help, but suffer from reliability and resource problems. I created an authentication protocol that's correct by inspection [homeunix.org] and utterly immune to any attack short of actually finding out the secret key.

    In these days of 0-day exploits, I just can't take the chance that someone will find a hole in ssh and create a Warhol-worm before I can install a patch. I sleep better now...

  • Use an e-mail alias. If your e-mail address is, for example foobar@someserver.com, create an alias for that mail account called, say, foo.bar@someserver.com, and use that e-mail address on public forums, registrations and web pages. When the spam gets to be too much, just cancel the alias and create another one.

Slashdot Top Deals

The difference between reality and unreality is that reality has so little to recommend it. -- Allan Sherman

Close