Targeted Trojan Attacks Causing Concern

Bill Andad writes to point out a surprise trend emerging from the Virus Bulletin Conference 2006 in Montreal this week. From the article on Daniweb: "It is the smallest of Trojan attacks that are causing the biggest headache in the world of corporate security right now. By targeting individuals within individual companies with individually constructed infected messages, the new-age industrial spy is slipping under the security radar." News.com has more in-depth coverage.

The biggest danger are working business models

[chriss]

We've seen a change of purpose in virus/trojan creation over the last years, from being a cracker or script kiddy ego thing to being the base of obviously lucrative spam distribution via cracked machines. The malware market has become more sophisticated, e.g. today malware usually will not crash a machine or cause any noticeable problems for the user, because the prime target is to use the machine as long as possible. So malware behavior is driven by business needs.

Now any option to make money will attract someone, in the case of illegal business often organized crime, which operates very much like any other business, just without regulation and taxes. And one thing business usually does is looking for options to grow and extend into other markets.

The spam distribution business seems just fine right now, and with more people getting online there is still some growth potential, but filters and trained users will limit that market. So if you switch from targeting the masses to individuals and specific companies you gain two things:

1. Detection rate is much lower, since the development of anti malware tools today only works because the cost for the development is spread over a large number of users. Unless this can be somehow automated, effective protection will become very expensive and only affordable by larger business or people with sensitive data like the military.
2. The revenue per customer will increase, since industrial espionage, blackmailing, insider training and other neat things available to those with the right data are much more profitable than a percentage in Viagra sales.

So once again, this is not mainly a technical problem: As long as someone finds a way to make money with it, it will not go away, but only get worse. Your best option might be to make sure that your business model allows your data to simply be open, so stealing will not work. If you develop open source software, your source can not be stolen or destroyed. But make sure you have backups of your consulting customers list on separate media.

Re:

[frenetic3]

it does have a technical solution -- just don't let it run in the first place :) or more specifically, take the choice out of the (uninformed) end-user's hands and let the IT admin decide.

http://www.bit9.com/ [bit9.com]

lets you lock down PCs and stops anything new/unknown (from a network-wide perspective) from running without taking away admin rights.

so if someone gets snuck an evil email attachment, it would be identified by the software as new to the network and blocked at the kernel level before the OS executes it.

Re:

[Xross_Ied]

How do you deal with new exe or dll installed as part of Windows update, anti-virus update, etc?

e.g. IE7 will soon be released via Windows Update.

Re:

[frenetic3]

very carefully :)

on the server, you can mark certain updaters, users, directories and/or publishers as trusted, and all files that come from these trusted origins are locally approved on each desktop (while the rest of the system remains locked down.)

this way you don't have to maintain any enormous whitelists or blacklists or anything and you only have to look at what's new/unknown (the graylist.)

-fren

Re:

[Jah-Wren Ryel]

so if someone gets snuck an evil email attachment, it would be identified by the software as new to the network and blocked at the kernel level before the OS executes it. no signatures or AV needed.

So, how do you differentiate between:

1) Joe Corporte Peon receives mail with an attachment that is an evil ms-word document with rogue macros that cause stack overflows and make ms-word process do bad things
2) Joe Corporte Peon receives mail with an attachment that is an angelic ms-word document from a customer w

Re:

[frenetic3]

well, one way to look at it is in general a lot of shellcode relies on downloading/dumping an executable file somewhere and running it; this would be blocked (the new exe would drop, but you couldn't run it), even if you're able to blow up winword.exe. yeah you could cram a bunch of executable code into the document, fine, but then that code would have to modify something/overwrite a system file (which would get blocked), or write a new exe on the disk (blocked on attempted execute) if they wanted something

Re:

[Jah-Wren Ryel]

to the pedants: fine, you might be able to contrive some rube goldbergesque way to get past it, but today most most companies are getting screwed by trivial vulnerabilities. put another way, if you had an adversary that had the resources ($) and motive to craft a malformed document that was customized to be able to jump through all of the hoops needed (no overwriting system files or writing new exes), they could probably just pay off the secretary or janitor and/or physically break in and steal the info the

Industrial Espionage, not spam slaves

[msobkow]

I believe the article is talking about targetted industrial espionage, not spam slaves. Unless a target had control over a multi-gigabit backbone link, I can't see a spammer going to the effort of targetting specific machines, clusters, or users. In those cases there are admins monitoring traffic load and the spam would cause a surge in outoing SMTP/POP3 traffic and rapidly get traced. Companies with big pipes tend to have the infrastructure in place to monitor and maintain the hardware behind those pip

Re:

[RMH101]

Agreed. However, at most big companies, if you have an employee name, location, IT helpdesk number and maybe extension number of an individual, then you can get a password reset for that individual and away you go.
Social engineering's easy - if you work for a large company then think how easy it would be for a random individual to get a logon ID and password for the systems you run...

Any trojans cause concern

[celardore]

My work PC has been hit by trojans twice within a couple of weeks. I'm new there, so it looks bad anyway. Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work. I'm an accountant so I don't have a say in the IT nor do I care to. My boss had to bring in external guys to fix the first virus, then the second one happened and he decided to reinstall everything anyway. Cost time and money.

Re:

[jlarocco]

I've never understood how people who claim to be "competent" get viruses, trojans, and other malware. I expect it from idiots who click on every free offer or flashy banner, but it's pretty funny to hear "competent" users say they got infected. What the hell do you people do?

Re:

[MichaelSmith]

I've never understood how people who claim to be "competent" get viruses, trojans, and other malware.

Chances are its another machine on his network spreading exploits around the place.

Re:

[SirTalon42]

Possibly one day while using the required IE to get information online, he was going to somesite.org, but accidentally typed someste.org which could infect the system through IE, and if they were sneaky could just forward you to somesite.org so you wouldn't even notice you went to a bad site.

Re:

[MichaelSmith]

Also, I'm as competent as most /. users, so I was shocked I got virused twice because I'm careful, especially at work.

Almost certainly another machine on your network is spreading the infection. You did something about it because you are on the lookout for these problems. I suggest you use your position to bypass the IT people. Go straight to the top and get the boss to knock some heads together in the IT department. This problem is more serious than the immediate issue on your PC.

Re:

[Jedi Alec]

I suggest you use your position to bypass the IT people.

Sounds like a great way to go about it, especially in a company where you just started. How about filing an incident report with IT, waiting for a while and THEN reporting it to your boss if it hasn't been fixed?

About time?

[caller9]

This is the obvious evolution in organized crime via hacking. If you could infect the marketing dept of several companies directly by doing a little old fashion PI work (or looking at the company directory), you will have access to both typically non-technical people and people that have access to what is about to be spun from a company. So do some "insider" trading on that.

Ask a legitimate question and get a response. You're now whitelisted. Send them a document related to your question that happens to carry your trojan. You can now, at least, impersonate them on the network/read their mail/send mail on their behalf.

It's a crappy way to develop a bot net but it's a good way to get very specific espionage capabilites.

Why hasn't this been exposed in the past, I'm sure it's been going on for quite some time.

Re:

[Yehooti]

The bad guys have found a hole in the system and are exploiting it. They know it'll take law-enforcement years to catch up, so they reign in the cash while they can. Meanwhile, national security is also taking a hit through our potential enemies using this very technique. I don't have a clue about how much our government is addressing this threat, but I do clearly see that whatever they are doing isn't enough.

Get Ubuntu

[Ice Wewe]

Really? I didn't notice.

Ubuntu, the ancient african for "couldn't install debian, but didn't want those damn trojans"

Re:Get Ubuntu

[QuantumG]

Also the african word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on linux as anywhere else.

Thank you for the plug, comrade

[NotQuiteReal]

I too, prefer the more robust Linux environment for my business.

Too many of my Window-Monkies call in sick. (rooted by competetors - damn users clicking "ok").

Once I have a Linux Mail-Bot, I can lock it down and know it is mine!

Don't worry, we run our all processes "nice"!

Re:Get Ubuntu

[grcumb]

Also the african word for "many packages in our repository lack signatures but people install them anyway". Trojans are just as easy on linux as anywhere else.

Bull:

• All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
• Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.
• Even a malicious script that surreptitiously runs

  dpkg -i nasty-payload

  is going to have a very hard time affecting the integrity of the system, let alone hiding from the user.
• The default user mode is non-privileged. It's hard (though not impossible) for someone to run Ubuntu as root.

If you wanted to make the point that there are just as many attack vectors in Ubuntu as elsewhere, go ahead. But the mere presence of an avenue of attack doesn't magically make it easy. Implying that Ubuntu is not inherently harder to compromise than Windows is prima facie wrong.

Re:

[drsmithy]

*All Ubuntu .deb packages available by default come from known sources. Adding untrusted repositories requires root privileges and visual warnings.
* Installing software through apt-get (or synaptic or any of the other automated software installers) requires admin privileges.

Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems ?

[...] is going to have a very hard time affecting the integrity of the system, let alone hiding from the

Because it is.

[khasim]

Why do people think "requires admin privileges" is any sort of significant barrier on unmanaged, typically single-user systems ?

Because it is. And I'm posting this from my home machine running Edgy.

The best place to hide is in full view. Or did you miss the whole definition and point of a 'trojan horse' ?

I think you missed the definition.

The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.

It's trivia

Re:

[drsmithy]

Because it is.

No, it's not:

* Firstly, because the ignorant end user can trivially raise any program's privileges to root
* Secondly, because 99% of the things most malicious code wants to do, don't require root privileges in the first place

The code is not "in full view". It is hidden. That way, the user will run the code s/he THINKS is contained in that package, but the real code is something else.

Er, yes, my whole point. If you want to use to install your malware, you just dress it up in something t

Here, I'll demonstrate.

[khasim]

No, it's not:

* Firstly, because the ignorant end user can trivially raise any program's privileges to root
* Secondly, because 99% of the things most malicious code wants to do, don't require root privileges in the first place

The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.

The problem is getting them to do that.

That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do

Re:

[drsmithy]

The same "logic" can apply to an email telling the "ignorant end user" to buy a hammer and smash the hard drive.

No, it can't, because the vast, vast majority of users understand that doing that would be A Bad Thing.

The sheer volume of software that relies on the "download and run it" capability just to exist, handily demonstrates the same does not apply there.

That is the problem. The problem you have not addressed. The problem you have not addressed is how to get the "ignorant end user" to do that.

Tha

Re:

[Tim C]

People run as admin under Windows because there's a lot of poorly-written software that requires it, and because it's easier. If and when the masses move to Linux, they will either run as root, or they will become used to providing their username and password everytime they install the cute little screensaver or buddy icon package they've found/their friend mailed them/etc.

Requiring admin privs is nothing but a speed bump until and unless the average end user is trained to not provide them willy-nilly. No O

Re:

[QuantumG]

meh, Ubuntu's use of sudo is worse than the traditional use of su. With su you're required to enter the root password every time whereas, with sudo, you're only required to enter the users password and only once for a given period of time. As such, a program that injects code into the user's shell can easily skip to root. I know, I've written code to do it. That's without taking advantage of any suid binaries or services running as root or kernel bugs to get root. Getting root from a trojan running on

Re:

[grcumb]

A trojan doesn't need root to copy confidential data from a user's home directory. It doesn't need root to open a socket and send that information back home. It doesn't need root to modify or delete important files. It doesn't need root to hijack mail programs and send emails as the targetted user.

The point is that a trojan needs root to install itself, as well as to remain undetected.

This obsession with root by people who think they understand security is troubling.

Not nearly as troubling as a straw-

Re:

[QuantumG]

Yes, but compared to getting a trojan into a security fix for Windows it's really easy to get one into Ubuntu, are you so blind that you can't admit that? The whole problem with "trusted sources" is that we shouldn't trust them because they can't provide us with any guarentees beyond "I did my best." We should be running every program with Least Privileged Access, but no-one does that, it's too much trouble. The Gimp shouldn't have access to my Open Office documents. My email program shouldn't have acce

Re:

[grcumb]

Yes, but compared to getting a trojan into a security fix for Windows it's really easy to get one into Ubuntu, are you so blind that you can't admit that?

Not at all. That's perfectly easy to admit, but completely irrelevant. The point is that all software, by default, comes from trusted sources in Ubuntu. All of it. That is not the case with Windows.

Re:

[QuantumG]

Here we go. You're again smoking the crack pipe. Most the stuff you use might come from people that you trust, but the vast majority of applications in the Ubuntu repository are just packages that people slapped together over the weekend ok? They don't security audit the code. They don't know it is safe. So maybe you're happy to trust them, but I'm not.

What are you talking about?

[khasim]

With su you're required to enter the root password every time whereas, with sudo, you're only required to enter the users password and only once for a given period of time.

What the fuck?

No, with "su", you're running as root until you type "exit". There is no time limit or command limit on "su".

As such, a program that injects code into the user's shell can easily skip to root.

What? How? Go ahead. Infect my computer. It's running Edgy so I'm sure there are lots of holes still in it.

Go ahead. Do it.

Oh, you can

Re:

[QuantumG]

You don't actually know what a trojan is do you? A trojan is a program that you want to run which contains code that does something I want to do. You run it, because you want to, the code does what I want, because I wrote it.

That cleared up, let me explain the sudo vs su thing. If you were do only ever use su, and use it sensibly, I wouldn't have much hope of getting root from a trojan. There are a couple of ways I could.. but they're pretty obvious and you'd most likely spot them. For example, when yo

Re:

[makomk]

Problem is, the program I dropped and appended to your su command will appear in the process list as the parent process of your shell. Blatantly obvious next time you do a ps.

Not necessarily. Simply fork() and then exec() the shell in the *parent* process. That way, the shell will have the same PID and parent as if it was launched directly. (The malicious process will then initially be a child of the new shell, but forking again and then calling _exit() from the parent process of that fork will soon fix

Re:

[Venik]

It is a well known fact that the biggest security flaw in Unix is the sysadmin. Years of typing su - root make you feel invincible :-)

Re:

[Eythian]

It's easy enough for a mirror to replace a legitimate package with a trojaned package. And if they offer a valid signature for that trojaned package, you likely won't even know it has been compromised. You'd have to compare the signature from the mirror with that of the main distribution point.

I think you misunderstand how the signatures work. If a mirror replaced a legit package with a trojaned one, they would either have to have it unsigned, or have it signed with a key that isn't one of the ubuntu relea

Re:

[Rick17JJ]

In Linux, email attachments aren't nearly as much of a problem. My understanding is that, with most Linux email programs, clicking an email attachment does not result in something running without asking the user first. Furthermore, the .exe attachments and active-X stuff won't run even if the user does give permission. I recently received a message with a .exe attachment and had no idea how make Windows-only stuff like that run or open. If something did somehow run the program most likely would not be r

Re:

[QuantumG]

The whole point of a trojan is that the user wants to run it. If they want to run it, it doesn't matter how hard it is to run. Even if they have to download and install wine before they can run an exe attachment, they'll do it. Now you might say that is a stupid argument, because no-one is going to write a trojan exe expecting that it might be run on linux under wine and do something useful (to them) in that situation.. but remember that we're supposed to be talking about "targeted trojen attacks" here..

Re:

[Rick17JJ]

One of the articles said the typical attachment is "a Microsoft Office file that exploits a yet-to-be-patched vulnerability." A Linux user who receives a Microsoft Word file would open it with something like Open Office Writer, AbiWord, KOffice or TextMaker. In rare cases he or she might use some version of Microsoft Word that is running under the Codeweaver's Crossover Office [codeweavers.com] version of Wine. I wonder how the use of an alternative office application running under the alternative operating system would a

Re:

[matts-reign]

Writing a trojan is just as easy in linux. I myself wrote one (Really, a remote access script) in perl. It took the greater part of 5 minutes, and its done in perl. I could easily stick it into any of many perl scripts that you get from the ubuntu repositories automatically. If I was targetting you specifically, I could break into your net connection upstream and mess with some DNS requests, or one of many other methods.

Re:

[gbobeck]

Ubuntu, the ancient african for "couldn't install debian, but didn't want those damn trojans"

And I always thought ubuntu was the ancient african word for "Wanted Linux, but refuse to RTFM in order to install Gentoo."

Headline & summary avoid the culprit: WINDOWS

[toby]

When will you start mentioning WINDOWS where appropriate? This problem is created and perpetuated by junk from MS.

Re:The lax windows and win32 app security model...

[QuantumG]

none of this relevant to trojans. A trojan is, by definition, something the user wants to run. The fact that most linux users don't run untrusted programs in a "jail" is much the same as the fact that most windows users don't do that either. It's sad, but it's a user education problem, and we're typically not good at solving those. Ubuntu users are encouraged to use "sudo" instead of "su" to run programs as root. sudo allows a permitted user to execute a command as the superuser or another user, but how many people actually use sudo to execute a command as anyone but root? sudo -u nobody ./random-email-attachment who does that? no-one.

Re:

[Jah-Wren Ryel]

but how many people actually use sudo to execute a command as anyone but root? sudo -u nobody ./random-email-attachment who does that? no-one.

Because it isn't easy.

If this were an itch I was prepared to scratch, I would look into creating a static image of a virtual-machine that could be used just for running questionable stuff. Then I would look at putting hooks into programs like thunderbird that would make it automagically invoke the VM for attachments.

Beyond the integration into regularly used applicat

Re:

[QuantumG]

All in all, I like to sum it up as such: neither the security model of unix, nor the *cough* security model of Windows were designed for a under-educated user running untrusted applications. These security models are all about multiple users and the educated discretionary granting of permissions between those users. The Windows security model goes a little further than the unix security model in that it has things to say about sharing those permissions over networks, and there are Mandatory Access Contro

Re:

[Tim C]

the OS is so crippled at the 'normal user' level that most applications fail to install correctly.

Unlike with Linux, where all applications fail to install as normal users? Oh sure, you can (usually) compile from source and install to ~/bin, but then you can get Windows apps (such as Eclipse) that you just unzip and drop into whatever folder you choose.

I am not aware of any system-wide installation service (eg rpm, deb, msi, etc) that doesn't require admin privs.

Are application developers largely concerned

Re:Headline & summary avoid the culprit: WINDO

[Beryllium Sphere(tm)]

Linux doesn't by itself save you from cross-platform vectors. Flash on Linux has had exploitable problems. PDF viewers for Linux have had buffer overflows and (2003)If a victim clicks on a malicious hyperlink, an attacker could execute arbitrary shell commands with the victim's privileges. [ciac.org] Linux makes it harder to run executable machine code by mistake but that covers only part of the perimeter.

I don't like to see people hurt by using Windows, and also don't like to see people hurt by overconfidence.

Re:Headline & summary avoid the culprit: WINDO

[RAMMS+EIN]

Although Windows indeed has a crappy security track record, there is absolutely no reason to believe Linux and a lot of the software that people run on it is any better. The reason: you can't compare the security of one system with that of another, because you cannot rule out bias in the test. At best, you can make an educated guess.

And, last I checked, GNU/Linux distros didn't very much protect against social engineering and trojans.

The new face of corporatre crime

[skrew]

This is a disturbing trend; in the anonymous information age, trust is the only way to guarantee security. Prediction: anticipate alot more 'orwellian' security implementations, retina, fingerprint etc. to ensure traceable DNA identification of infiltrators from within organization who spread virii or covert trojan operations. This is why Open Source is the future, in a closed source project/organization, only those who have the knowledge can perceive compromisation, but with Open Source software the world

Not all that surprising

[Jarjarthejedi]

Is it surprising at all that Social Engineering is the best way to get a virus in? I'm actually surprised this is even an article, of course the main problem companies are going to have is their employees clicking things they shouldn't...

Re:

[rabidcitizen]

It seems to me that what the article points out is that we are moving beyond the phone call impersonation to get a password (Mitnick style) to more sophisticated exploitations of trust relationships and social engineering attacks. We are looking at attacks that can get by many power users - am I going to take the time to question requests and attachments from any of the 20,000+ identities I have in my client datatbase and address book whose requests I must handle same business day and who I must assume are

Re:

[flyingfsck]

Hmm, it *is* possible to lock a WinXP Pro machine to the point that malware won't install itself, but it is damn difficult to do so. Here is a link:
http://www.microsoft.com/technet/security/prodtech /windowsserver2003/ccc/default.mspx [microsoft.com]

The cost of researching a victim seems high ...

[__aadkms7016]

As a business proposition, the cost of researching a victim seems high in lots of ways -- it's not work for a dummy, it takes time, and the hits have to pay for all of the misses. At the very least, it has to use "mass customization" to succeed -- software that customizes a con to a victim in non-trivial ways. But yet if they go that route, it becomes easier to fight it with conventional spam and phishing tools, because software can spot the "mass" part.

Wait for it...

[chill]

I'm waiting for Vista to be release, with the uber-secure WGA. Some nice, innocuous little virus will be written that doesn't steal files, doesn't open a backdoor, and doesn't delete anything. This virus will screw up your WGA hash, and one fine spring day a few million PCs will report that they are pirated copies and start locking people out of their own software.

That sound you will hear is a thousand Microsoft tech-support reps all crying out at once.

Re:

[MrNaz]

You mean like "A million WGA clients suddenly cry out in terror and were suddenly http 503'd." ?

Recent Trojans - Very good social Engineering

[Anonymous Coward]

I work in the IT Security group for a Top 10 financial institution here in the US. Most of the social engineering attacks we see are quite clumsy, make me roll my eyes when I see them, and groan when I hear of people actually falling for them. However, a new wave bit not only us, but at least 5 other Top 10 institutions in our field.

The social engineering portion was an emailed message, aimed to several high-level executives and other senior techincal staff by name. Messages were sent to us in perfectly gramatical non-stilted English. The plain text message was "personalized" (no skill there, but it did add to the overall credibility.) The messages came in with a reasonable subject line: "Request for Interview re: Recent Security Incidents".

The actual email stated something to the effect that the sender was a journalist looking for comment on a newly published article in a trade magazine alledging a security breach at our institution. The "sender" invited the recipient to contact him (by telephone) to comment on the story for a follow-up. He ended the message by including the URL (but not a clickable link) to the original article making the allegations.

Well, that did it. A number of users, wishing to read the allegations cut and paste the URL. As you might guess, the site itself had been hi-jacked, so the broswer was quickly re-directed to another site, explotited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened. THe other giveaway was tha in addition to the key logger, something else got loaded with more obvious side-effects.

Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to recieve the message. (Probably would not have been infected due to my use of low privilidges, but I would have followed the URL). It passed the sniff test: Standard American English, a reference (and URL) to a trade magazine specific to my industry and field (Banking & IT), it included a phone number (of course a fake), and was in the exact tone you would expect from a legit journalist --- nothing loud or sensational, just a message that an allegation has been raised, would you care to respond.

My lesson: a little more empathy for the non-professionals who get bitten by other social engineering attacks. Yes, they SHOULD know better, but if I (in all modesty) could be fooled, what chance does my unsophisticated, trusting Granny have?

Re:

[bconway]

Well, that did it. A number of users, wishing to read the allegations cut and paste the URL. As you might guess, the site itself had been hi-jacked, so the broswer was quickly re-directed to another site, explotited the most recent unpatched IE vulnerability and infected the user's PC with a key logger. The only reason this got caught quickly was that in some cases the user's IE session crashed, giving a hint that something might have happened.

Wow, those are some decent execs. Ours would just try the URL 3

blame the end users ..

[rs232]

"A number of users .. cut and paste the URL .. the broswer was quickly re-directed .. and infected the user's PC with a key logger"

Why don't you advise the high-level executives to use a browser that don't install malware just by typing in a URL. The same goes for your Granny.

Recent Trojans - Very good social Engineering (Score:5, Interesting)

Re:

[Sloppy]

Of course, in retrospect it was pretty obvious, and in telling the story, it seems like S.E., but I had to admit it would have fooled me if I had been the first to recieve the message.

It would fool me too, I guess, until I got to the part where the compromised site told me to type "su" followed by my root password, and then told me to install a key-logger after that.

In your situation, the user's error wasn't just that they got SEed. Their main problem is that they were running a web browser that has a

LULZ

[Jessta]

LULZ
oh, indeed. The main reason your anti-virus software is pointless.
If a piece of malicious software is well known enough for your anti-virus company to know about it, then a patch for the issue will be out very soon. Anti-virus software will only protect you from script kiddies and not someone that actually would have a good reason to steal your data. i.e your competition.

They did it to Valve

[inviolet]

It was a targeted Trojan that got into Valve and stole the source-code to Half-Life 2, right off the project lead's workstation. IIRC, it arrived via a bug in Outlook's message-preview facility.

Learing trojan detectors

[S3D]

There were anti-viruses in the past, which wern't relying on the virus signature only, but were trying to detect new, unknown viruses too. Dr. Web was the one, but it seems they dropped this feature later (or at least not advertising it any more). Probaly it was not cost-effective than. Seems the time have come to revive this approach again. Of cause it's not easy, require very sofisticated statistical learning, bayesian networks [wikipedia.org] or neural networks [wikipedia.org], may be even genetic algorithms [wikipedia.org] and very good understanding

virus companies talk up scare ..

[rs232]

Virus companies talk up scare, again. Why don't business users use a computer that don't get 'viruses'.

step 1. stop running as admin

[dioscaido]

If you do, these email or IM bombs will not be able to root the system, or open firewall ports. At most the user's folder is busted, and once deleted and restored the machine is clean.

Lots of corps do this even with Win2k/XP.

Tailored SPAM

[LinuxLuver]

In recent weeks I've seen a growing amount of spam with subjects that appear to be constructed with my interests in mind. At first I dismissed them, but there are now so many I am beginning to wonder if the spammers haven't been monitoring my e-mail or browsing history to help them construct subjects they know I'm more likely to notice / read.

One simple rule - no executable attachments

[yuna49]

I'm really puzzled why anyone continues to accept mail with executable attachments of any kind.

When I first started fighting viruses and spam for my clients, the very first thing we did was block executable files at the mail server. This was in 1997 and required nothing more than a simple /etc/procmailrc file that scanned the message body for executable attachments.

Nowadays, of course, we have much more full-featured software like MailScanner to handle this. This isn't really rocket science, folks. 99+%