Massive Spam Shot of "Storm Trojan"

jcatcw writes "Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through email. 'Expect this to grow much larger,' a Postini spokesman said; 'It should top out at 60 million messages within the next 24 hours.' It's the largest attack in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. The spam carries a ZIP file attachment posing as a patch with subjects such as Worm Alert!, Worm Detected, Spyware Detected!, or Virus Activity Detected."

yep...

[Churla]

My AVG seems to have quarantined a couple of these yesterday.

Nope

[winkydink]

I'm not seeing any statistically significant increase in either what's being blocked or what's being accepted by any of the MTA's I manage. Also, Trend Micro's spam stats [trendmicro.com] don't show any major jump in activity either.

I have seen a couple of copies of the spam itself, but nothing major.

Re:

[TFGeditor]

"I'm not seeing any statistically significant increase in either what's being blocked or what's being accepted by any of the MTA's I manage. Also, Trend Micro's spam stats don't show any major jump in activity either."

I hope you are right, because I have had an epiphany and am now one of those who decry the "clueless users/lusers" responsible for letting their machines become infected and recruited into botnets.

I used to have sympathy for them, but as botnets proliferate and my mail servers get pounded even

Re:

[winkydink]

Rumor has it that Postini is close to filing their S1 (i.e., getting ready to go public). Coincidence? Hmmm....

Re:Nope

[Ilgaz]

I choose to report my spam instead of ignoring so believe or not, I saw a single Canadian IP spamming (sending that worm) to 3 different mailboxes which has nothing to do with eachother. I even added to spamcop.net report comment "Please take care of this IP" and added the kaspersky virus ID. Guess what happened in return? A kind "thank you we took care of it" from Canadian ISP? No, 2 more spams from same IP! :)

I have checked the senderbase.org entry and it says like 3500% volume increase over 1 day from that IP!

Still, as old timer I feel uncomfortable posting the IP on web whether it is spammer/worm infected or not. I mean that worm really took off, perhaps the owner of botnet finally accepted the price offered by mob,mafia whatever using it. Yet again, no worries, Clam detects even without opening that password protected zipped junk.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Another day in the world of near-monoculture.

[grub]

Microsoft is to computers what Philip Morris is to lungs.
Woo, a new quote! :))

Re:

[grub]

s/what/as/g

Re:

[pestario]

s/g//

Re:

[fourchannel]

I like how you phrased that. I might start thinking about my initial, and subsequently, frustrating, maddening, and tremor causing =P plunge into Linux symbolic to quiting cigarettes cold turkey -- A real bitch until you get about six weeks into it. By then you've learned enough and kept your sanity mostly intact to keep your bearings away from cigarettes/microsoft.

And yes, Linux has been known to cause anxiety and tremors in people at times. =D

Re:

[Hoi Polloi]

Microsoft is to viruses/trojans as Europe was to the Black Plague

Re:Another day in the world of near-monoculture.

[baryon351]

After all these years of malware on Windows systems, I think it's high time someone took Microsoft to court and at least charged them with contributory negligence. After the Mellissa virus, they can't claim that they don't know the hazard.

Who said it's Windows malware?

(yeah, OK, I was trying to be funny...)

Re:

[baryon351]

I hadn't read the computerworld article before posting the above comment. Sadly, now I have, I notice it doesn't mention which OS the trojan runs on.

If I weren't so tired atm I'd have something deep and witty to say about that, but all I can do is shake my head.

Re:Another day in the world of near-monoculture.

[SomeoneGotMyNick]

I notice it doesn't mention which OS the trojan runs on.

**** COMMODORE 64 BASIC V2.0 ****

Re:

[powerlord]

You mean there is more then one OS? You must mean XP and Vista, right? ;)

(posted from Linux, by way of a tunneled session from OSX)

Re:

[SomeoneGotMyNick]

You mean there is more then one OS? You must mean XP and Vista, right?

Only if you run Winders [ncbuy.com]

Re:

[Opportunist]

Probability and experience say it. And I usually listen to those guys.

Re:

[gvc]

Who said it's Windows malware?

Um, the payload is a .exe file. [symantec.com]

I thought I'd be a smart-ass and show you that it didn't run on Linux. But, damn! I have Wine installed.

./News.exe Could not stat /mnt/cdrom (No such file or directory), ignoring drive D:
err:win32:PE_fixup_imports No implementation for lz32.dll.2(LZCloseFile) imported from F:\News.exe, setting to 0xdeadbeef
wine: Unhandled exception, starting debugger...

Re:Another day in the world of near-monoculture.

[MightyYar]

Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

If anyone should be sued, it should be the ISPs who allow zombies to sit there on their network. I don't like lawsuits, and would prefer to see some government incentive used to compel ISPs to remove the zombies.

Re:

[jimstapleton]

Very true...

The biggest security risk is shared by all operating systems and hardware setups because it's not part of the computer.

It's the lump of carbon, water, and other trace elements/compounds between the keyboard and the chair.

Re:

[secolactico]

The problem is, they are not the only ones who get it.

The poor schmucks with an email who receive the spam are the ones who get it, as well as the poor schmucks who administer an e-mail system that now has to contend with the extra load.

Re:

[blueZhift]

Shutting down zombies would definitely slow this stuff down. I know that in the past at least, some universities would cut off network access for computers that were apparently compromised. I don't know if this is the case at the majority of schools though. Sadly, it probably will take legislation to force ISPs to cut off zombies from their networks. I don't know why they don't do this already. Do these zombies help their bottom line, or is it less costly to keep them on the network to avoid fielding custom

Re:

[MightyYar]

Since almost every computer that I work on for a friend/family member has been compromised, I'd say that they would have a huge support nightmare if they started cutting folks off. I was thinking that something like a tax break for ISPs with this policy would be in order. Or the government could do the quasi-unfunded mandate thing and just refuse to do business with ISPs or their subsidiaries that don't have such a policy in place. If they were really aggressive they could also require that those ISPs not d

Too much privilege!

[spaceyhackerlady]

Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

Actually, there is a technical flaw, not just a human engineering one. The system allows users to install software, with global system implications, with no confirmation. My Mac confirms such things with me, and seems to get it right. My Linux box won't let me touch the global system configuration at all unless I su to root.

This has always been the problem. I recognize that there is incompetent Windows software out there that won't run without Administrator privileges, but that's another issue. If you really need privilege to do something (like change your password), others systems have ways of temporarily elevating privilege. Like suid on Unix.

...laura

Re:

[MightyYar]

True, though they have improved this in Vista.

But I don't think that there is anything about making a spam-zombie that couldn't be done as a normal user. I think that this trojan would still work if applied to Mac or Linux users of the same cluelessness level (though that might be harder to find). Further, in most Mac installations, and many Linux installations, the main user of the system is aware of the root password and will happily plug it in when prompted. On the Mac this happens almost every time you

Re:

[Feanturi]

My Mac confirms such things with me,

That's great, so when you're doing something that you feel really needs to be done, such as protecting your computer from the nasty botnet it is reportedly a part of, or your email will be cut off, you'll click through those prompts to get that patch in. Well maybe not you personally, but you and I are not the common masses.

Vista has the "Cancel or Allow" thingy going now. Do they need to extend it, would that really help?

"Hmm I need to run this patch like the email says,

computer IQ test?

[Bill, Shooter of Bul]

That is absolutely true. I guess the only real solution I can think of is require some sort of computer IQ test, instead of cancel or allow.

Are you sure you want to do this?

"YES"

OK what is the end result of this computation 15 XOR 24 ?

" UM 17?"

No, please call your son to ask permission to perform this operation.

Re:

[alphamugwump]

All right. You did it. I finally snapped. Here goes my karma.

Why the fuck do people keep bashing the UAC? What the fuck is wrong with finally having a real "sudo" in windows? Instead of having to run as administrator all the time, you can now escalate when you want to. Microsoft finally adds better security, and all the whiners come out of the woodwork.

This sort of shit reminds me of my uncle, who thinks he's a computer person:

"I really miss windows 98. It was a simple, no-frills operating system."
"It didn'

Re:

[Sancho]

Asking the user for permission to perform administrative actions is good. Asking them 2-3 times per perceived action is bad.

One of the problems I had with early revisions of UAC (I haven't had the pleasure of trying out Vista's final version much) is that it couldn't figure out what the user was trying to do and anticipate it. When creating a new file, I first was asked if I was sure I wanted to create it, then I was asked if I was sure that I wanted to rename it. Hey Vista! It's a NEW FILE! I probably

Re:

[Mister Whirly]

"If you really need privilege to do something (like change your password), others systems have ways of temporarily elevating privilege. Like suid on Unix."

You mean like right-cliking a program and selecting "Run As" in XP, executing the program with different permissions? Yeah, I sure wish that already existing feature existed too...

Re:

[The Great Pretender]

So if I nail the easy chick at the end of the bar and contract AIDs that's my parents problem right! For not giving me the common sense to not have sex with easy chicks found in bars. It's not my problem for not being smart enough to leave the package alone or use a prophylactic.

(Yes I know this is Slashdot and that I'm living in my own little fantasy land with this analogy)

Re:

[MindStalker]

You could make the argument that as viruses have been around for a long time MS had a reason from the start to build it right.

Lets say there was no laws governing seat belts. And theoretically after seat belts where already in wide use among the new.. flying cars that a few people drove. Fly Systems finally invents the flying cars for the average Joe. It really takes off and now almost everyone has a Fly System car, but Fly Systems REFUSES to sell cars with seat belts, despite a market demand. Sure you can

Escusing Bad Engineering

[EXTomar]

Oh, come on. I am FAAAR from a MS apologist, but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering. Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

The thing is Microsoft shouldn't make Windows do these destructive things so readily in the first place. This comes about by bad engineering and worse its passed off as "bad users".

Eve

Re:

[cdipierr]

This is a flawed analogy. A more accurate one would be "You shouldn't allow the user to empty the oil, it should only be allowed by authorized Ford service agents." That's basically what the folks who are blaming MS want.

Re:

[pkulak]

It's not the zip attachment in this one email that's the issue, it's the huge Windows bot-net. And I don't think they were formed with social engineering.

Re:

[MightyYar]

Agreed, but the compromised machines that are not socially compromised are mostly unpatched boxes. Unless you think that people will suddenly start patching/upgrading their computers, there is little reason to expect a MS solution to work. It would be like trying to eliminate the common cold through hand-washing.

Re:

[DRAGONWEEZEL]

HERE HERE!

I am sick and tired of paying for my cable modem and router to recieve crap packets, and making my router discard them. It's like junkmail on a HUGE scale. (except that the bits are tiny....)

Seriously though, I have a few clients who REFUSE to get a router / firewall. They insist that since it (the internet)works, they don't need it. Even after telling them that benefits for them (and me), even w/ charging them $0.00 to install the damned thing. People have wierd mentalities sometimes.

I gener

Re:

[99BottlesOfBeerInMyF]

but this trojan is not really something that they can (or should) prevent! This worm is not exploiting any flaw in MS's programs that I am aware of, it is simply social engineering.

The flaw in Windows is that it does not provide for an open signing framework that warns users when running unsigned, uncertified code. Further, the flaw in Windows is that it does not restrict such code to a sandbox by default and it does not inform the user of what the software is doing when run. Double clicking software should not be a black box where that implies the software has privileges to do anything it wants.

Unless you make Windows prevent a user from running arbitrary code, I don't know how you'd fix this.

You apply ACLs to all software, with more restrictive ACLs for software that is uncer

Re:

[Mister Whirly]

"In cases where it is a Windows flaw - sure, that's MS fault. But here it looks like people are flaming them just for their success."

No, not on Slashdot! The horror! And this whole time I though Slashdot was the pillar of unbiased, informed opinions based purely on fact!

Oh yeah, and something about being new here...

But you have to ask yourself...

[pallmall1]

...can you run it on Linux?

Re:

[MightyYar]

I could see where that would help if the fact that it were an executable was obscured, but in this case the user is PURPOSELY running an executable. They'd take one glance at the message, say, "No shit," and click "Allow".

Besides, Outlook DOES warn you when you try to launch an executable! I just tried to launch VNC, and it says, "WARNING! This file may contain a virus that can be harmful to your computer. You must save this file to disk before it can be opened. It is important to be VERY certain that this

Re:

[mcpkaaos]

By that logic, should Slashdot be sued by sites that suffer the Slashdot Effect? It is a form of DoS, after all, and Slashdot are obviously aware when it occurs yet do little (mirrors after the fact) or nothing (no mirror at all) to prevent it.

Re:

[Ajehals]

By definition web sites solicit visitors to visit them, people come and look at information that has been made available for that purpose, i.e. a web site is supposed to be visited by people. So the slashdot effect is a by-product of legitimate use, something that the web site owner intended, but beyond the scale that was expected. Dealing with bulk email contaminated with dodgy code sent from compromised PC's running malicious software isn't a valid comparison.

Email from this kind of attack is generated ei

Re:

[Opportunist]

How is MS responsible for what the user of their system does? Would you drag GM to court if someone used their cars in a terror attack?

I do agree with you that MS should be held responsible for remote exploits and buffer overflows, where the user does nothing and still gets infected. That's a flaw of the system. This (and about 99% of current malware) user user stupidity to infect a system.

Personally, I'd hold a user of a system responsible for what he does with it. If you are stupid enough to click on ever

Re:

[Hoi Polloi]

Personal responsiblity is all well and good until a problem becomes so pervasive that not only does it harm the "fools" but innocent bystanders as well. I have to deal with spam and phishing because of all of the comprimised machines out there. Obviously leaving it to the users hasn't worked and the solution requires an escalation.

People aren't allowed to own howitzers either even though many of us could be trusted to only fire them at government approved proving grounds.

Re:

[Opportunist]

So the solution is to outlaw computers that run what the user wants them to run? If you want to push that, you will have at the very least one enemy.

The solution is responsibility. Take cars. If people would use cars the way the use computers, a mass accident with hundreds of people killed wouldn't be worth a story. It would be everyday life.

If you could not kill people but only do "material" damage, I'd hand you that howitzer. Why not? But you are responsible for it if you fire it within city limits and ca

Re:

[Hoi Polloi]

Who said outlaw? I'd say restrict until you could prove your system was safe to connect to the net (and stayed that way). I don't know about all states in the US but mine requires annual inspections to keep a car on the road. The results of someone having a major failure on the road are too great to allow even if the person is too poor to fix it. So don't allow someone to connect to the net unless they have the latest service pack, etc.

I find your acceptance of material damage odd. You'd have to proble

Re:

[Opportunist]

Taking responsibilty includes paying for damages.

Yes, that can cost a ton. But I'm pretty sure some insurance companies would jump onto that quickly, maybe with a similar bonus system they use here for cars (if you go without an accident for years, you pay a whole lot less than people who have one every other week).

But personally, I'd already be happy with the responsibility clause. Yes, inspections would be nice (and would certainly be loved by the local dealers who could definitly need the additional inco

Re:

[Opportunist]

That's why I said MS should be held responsible for flaws in their system that allows remote exploits like the RPC exploit that was quite popular before SP2 for XP.

What we're talking here is a guy coming up to you, telling you your car is unsafe and that he needs the car keys to drive it around the block to check if it is in danger and to fix it in his garage. Who should be responsible for that, GM or the cluebrick that hands over his keys?

Re:

[Mister Whirly]

Lawsuits - the solution to and cause of all life's problems....

(with apologies to Homer Simpson, and beer)

Re:

[Opportunist]

Yes, that's a prime example for liability on the side of MS. Thanks for the link.

It's not in MSs liability when someone is executing code. Should MS keep you from executing what you see fit?

Personally, I prefer "free" systems (not as in beer, as in F/OSS) that allow me to run the software I deem "right" for my system. It's not for the system maker to dictate what I may run and what I may not run. This in turn means, though, that I have to take responsibility for my actions. I have to make sure that the prog

Re:

[Hoi Polloi]

"what ol' uncle Ben always said to Peter Parker."

The rice guy knew Spider Man(tm)? Cool!

Re:

[Opportunist]

Ouch.

But sure. Think about it and it makes sense. Since the rice doesn't stick together, where do you think Spidey got the stuff needed to stick to the houses, hmm?

One mystery solved. If I could just find out now where all the caffeine in decaf goes, I'd be ... well, read your sig and you know what I'd be. :)

Re:

[Deagol]

From the links above: "The company issued an emergency patch on April 3 for a dangerous animated cursor flaw, but it typically doesn't stray from its regular patch schedule."

Laughed my ass off after reading that one! WTF, MS?

Re:

[Feanturi]

Not that I wish to defend MS, but I'll offer a bad car analogy anyhow. GM makes no attempt to prevent me from playing a live version of GTA with my car. So if I feel like being a plague on society by such an action, I guess GM is to blame for enabling this activity, right? I mean, they know people can go crazy behind the wheel, but have they made any effort to implement sensors that can determine that I'm a flipped-out lunatic and disable the vehicle? No, they have not, this clearly is negligence on their p

Re:

[stonecypher]

Contributory negligence requires that there be a clear and well understood alternative. You can't charge a company with contributory negligence unless you have a better answer. So, unless you have a bunch of diffs for XP, sit down and quit whining. Believe it or not, they're actually doing an excellent job, considering the enormous size of windows and the value of a compromise. I'd tell you to compare it against defects in other applications, except I have no doubt you'd have no idea where to start.

Funn

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Jessta]

You still couldn't sue microsoft.
Microsoft would say it was the responability of the administrators of the systems that are DOS'ing you and they are right.

No car company in the world has been able to sell a car that prevents me from driving like an idiot and killing people even though it's obvious that this is a hazard.

Re:

[dave562]

Hello,

I am interested in buying your product. However, I can't talk to you because we've never been in communication before and you have no idea who I am. I guess I'm going to have to go buy your competitor's product because I can actually communicate with them without having to jump through a bunch of hoops first.

Wow, good thing

[Grashnak]

Good thing I installed that anti virus program that unexpectedly emails me attachments to protect me. Otherwise I'd be in trouble!

Inoculation

[dremel]

A good campaign of email virus inoculation should do the trick. Start a series of spam which looks exactly like a virus, but just puts up a "If this were a virus, you'd have just infected yourself!" message, thus training users to just don't open it!

Possibly add a link or button (perhaps labeled "Click Me!") which puts up a follow-up message for the especially thick user: "For heaven's sake, you're just making it worse. Quit clicking these things!"

I've Gotten It Several Times...

[saudadelinux]

My officemate got it as the Britney / Paris porn thing twice this week. But she wasn't interested. I got it once. I wasn't interested. I've gotten the "Spyware detected!" with the zip file attached three times: twice at work, and once on my Yahoo! account.

I work at Department of Agriculture, so I'm surprised they didn't install themselves ;-)

Re:

[powerlord]

My officemate got it as the Britney / Paris porn thing twice this week.

Gee ... I've gotten it once. Didn't seem to like trying to run under OSX though.

I got one, I got one!!!

[sobolwolf]

This was an image file so I typed it out to so maybe a nice person with mod points will redeem my terrible Karma... -- Dear Customer, Our Robot has detected an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of worm which does not have offical patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch becouse the worm can modify unpacked exe files. you should open the archive file, enter the password and run the patch immediately. Password: ugh11 Customer Support Center Robot __________ NOD32 2120 (20070316) Information __________ This message was checked by NOD32 antivirus system. patch-95150.zip - is OK patch-95150.zip > ZIP > patch-95150.exe - error - password-protected file http://www.eset.com/ [eset.com]

Re:

[0100010001010011]

At least my spammers are well read. The text that accompanied one of my image spams is as follows:

'Aye, you do indeed,' said Gimli, looking them up and down over the top of his cup. 'Why, your hair is twice as thick and curly as when we parted; and I would swear that you have both grown somewhat, if that is possible for hobbits of your age. This Treebeard at any rate has not starved you.'

I saw one of these yesterday

[jsewell]

The msg body was a GIF containing text telling me there had been virus activity from my IP and I should run this "patch" to fix it. The "patch" was a zip file they said they had to send as a zip so my "comprimised virus scanner" wouldn't reject it. If I didn't run the patch, my internet access woudld be cut off. All I had to do was unzip and run the patch and all my problems would be solved. HA!

We all had a chuckle at how stupid someone would be to actually do that - then we realized grandma probably would, not knowning any better. All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

waaaait just one second...

[ScentCone]

All the more reason to get grandma off windows and onto at least a Mac, if not Linux.

Out of curiosity... since this is a completely social hack, and is just a means to trick somebody into opening up a compressed file and running the included executable... why would a Mac or Linux user be immune? Cannot Mac and Linux users also run executable programs from their desktops? You're confusing the ability to run a program of your choice with the means by which someone is fooling you into thinking you should choose to run it, right?

Re:

[Rob the Bold]

Out of curiosity... since this is a completely social hack, and is just a means to trick somebody into opening up a compressed file and running the included executable... why would a Mac or Linux user be immune? Cannot Mac and Linux users also run executable programs from their desktops? You're confusing the ability to run a program of your choice with the means by which someone is fooling you into thinking you should choose to run it, right?

Sure, you could write a trojan targeted toward those OSs. And y

Re:

[Skeezix]

Right, it couldn't destroy the entire operating system in Linux or a Mac, perhaps, but it could delete all of Grandma's photos, documents, email, bookmarks, and so on. Which is probably what she'd really care about.

Re:

[Dachannien]

But there's no money to be made by deleting Grandma's photos of the grandkids, and money is what malware authors are all about these days.

Re:

[dr.badass]

Right, it couldn't destroy the entire operating system in Linux or a Mac, perhaps, but it could delete all of Grandma's photos, documents, email, bookmarks, and so on. Which is probably what she'd really care about.


It's also the thing that malware writers care the least about. They tend to be more interested in creating botnets or routing spam than deleting grandma's photos. Windows is a much better target for these aims.

Re:

[Kuciwalker]

If people thinks it's a critical security update, why would they be surprised that it requires admin privileges? They've already jumped through a dozen hoops to get to the point of running the program, so I don't see why this (a logical requirement) would faze them.

Re:waaaait just one second...

[adolf]

And you could presumably trick users w/o regard to the OS they use. But it's far more likely that the windows user is logged in with full Admin privileges.

But it doesn't matter.

The trojan/worm need not be an administrator to trash a user's computer, even with Linux. Let's use Ubuntu as an example. It can still send mail and propagate just fine as a regular user. It can also trash that user's documents and files (which are likely to be the only important data on the machine). It can use a crontab entry to start a daemon on a high-numbered port, which will run without user interaction, or without them even being logged in. That daemon won't be root, but it will still be capable of being a very proficient zombie.

After that, for good measure, it can just run gksudo and simply ask the user for root permission. Ubuntu users are absolutely content to enter their own password into gksudo whenever prompted, especially when performing updates and patches (as this claims to be). So, the trojan will readily then gain root and be free to run completely amock. Trashing or rooting the OS is the obvious next step, but it's probably not even needed after all of the damage and infiltration already accomplished as a regular user.

Seriously - just because it's not Windows does not mean that it's secure. As long as people are able to run arbitrary programs on their own computers, these types of things will continue to be a problem...no matter what kind of computer it is, and no matter if it has root/administrator priveledges or not.

Re:

[pallmall1]

Wow, you mean Ubuntu can do all this with one click and a password (from TFA):

... installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers... the malware bundled with the spam is self-replicating, so it's able to sniff out e-mail addresses on infected PCs and send copies of itself to those recipients... The spam blast also includes a host of randomization and antidetection features, other researchers said.

Re:

[pkulak]

I was going to reply that a compromised user account couldn't be set up as a bot-net, but now that I think about it, you don't need admin privileges to open up port 25 and start spewing out a million messages an hour, do you? So really, what's to stop this from happening in Mac OS or Linux?

Re:

[iabervon]

If Grandma is running Linux, she's probably aware that her grandson takes care of all that sort of stuff. If it's a Mac, she knows that Apple takes care of everything.

Re:

[_xeno_]

Executables are frequently distributed inside compressed archives (eg, ZIP files) in order to prevent email filters from automatically removing them as "dangerous file types." There are ZIP extensions and TAR natively includes UNIX privileges, so there'd be no need to chmod +x malware, as the decompression utility would do it automatically.

To the best of my knowledge, none of these formats will set the setuid bit, though, so from there you'd either need to get the user to run it as root (sudo malware) or,

Re:I saw one of these yesterday

[cdrguru]

Wrong - Linux and Mac are completely vulnerable to this type of attack. You go to install something that you were told to do so and it prompts for the root password. The user then types it in and the machine is wide open.

Don't think that would happen? You must be dealing with a better class of users than exist in the wild. Of course it would happen, and happen at such a frequency that it would be just another massive exploit.

Windows is targeted because of market penetration. Why bother with less than 5% when you can get 95% in a single effort?

Re:

[Anonymous Coward]

Since she started using a Mac.

Just another...

[Billosaur]

...trap for the unsophisticated Web user. I mean, if you get an email from someone you don't know telling you to update your anti-virus, wouldn't you think that's a little suspicious?

I don't get much spam, because I really don't let my email address float out in the wild, so this kind of thing never bother me. But it just makes me wonder when someone is going to take some initiative and try to build a better system, to minimize the human element as much as possible.

New "Sledgehammer" virus

[jfengel]

WARNING! Your computer is infected with a virus. This virus could be transmitted to you, and you will die within 24 hours.

Please forward this email to everybody you know, then smash your computer with a sledgehammer. NOTE: you must forward the email BEFORE smashing the computer, not after.

###

I swear to God I think people would actually do that. What the hell can the operating system do if people are willing to save a zip file, type in the password, and then run the contents?

Maybe Microsoft should refuse

Re:

[svendsen]

Agreed. You can not make a system to prevent users from shooting themselves in the fool. I mean I can drive my car into a tree, how dare it let me do that!

Re:

[Opportunist]

Yup, they will. The promise or threat just has to be big enough.

Imagine the promise that this tool is gonna remove all WGA troubles for now and ever. Think people would refuse to burn it to CD, log in as admin, give it all rights and permissions, reboot 10 times and hand over every kind of password they have, including those for EBay, Amazon and their bank account?

Re:

[kiddailey]

I've actually already seen spams/chain mails that do say such a thing. In fact, there's web site(s) out there with "information" on the virus:

http://www.cyberflu.com/ [cyberflu.com]

From the site:

"The National Center for Virus Control has issued a Threat Level 5 warning about a new internet virus that can be transmitted from computers to humans, resulting in flu-like symptoms. Unlike traditional viruses that are spread by email or software downloads, this "CyberFlu" virus is transmitted to your PC when you browse a web pa

Re:

[kiddailey]

And yes, I realize that's a prank site, but it was a good example :)

Hmmm....

[abb3w]

I swear to God I think people would actually do that.

Then it would seem spreading such a virus hoax might help this sort of problem. Users stupid enough to fall for it would immediately lose their internet access.

Re:

[Hoi Polloi]

I think the world would be better off if it was rephrased:

"Please forward this email to everybody you know, then duct tape a plastic bag over your head. Make sure the seal around your neck is air tight. NOTE: you must forward the email BEFORE putting on the bag, not after."

Simple problem

[cdrguru]

If the any computer is not properly administered, it will be compromised by users that don't know any better. They can't possibly be aware of the differences between Microsoft automatically applying updates and other such "software updates" that might be required.

One sort of computer doesn't need to be administered any more than your toaster or TV needs to be administered. If the programming cannot be changed by the user in any way and all it does is read email and browse the web. Period. Maybe play some music sometimes. Ideally, such a device has its programming in ROM (not flash) and cannot be changed in any way. No instructions are ever put on R/W memory, ever. Completely and utterly secure the way your toaster is. How many people have found exploits for a toaster?

Windows is perfectly secure when it is properly set up and administered. The problem is that you can't install software on such a computer and you can run all sorts of fun applications. Gee, isn't that too bad. One solution is to require every user to either (a) switch to a appliance that cannot be compromised, (b) pay the ISP to administer their computer or (c) pass a test to be qualified to have a general-purpose computer connected to the Internet. And yes, the test should be similar to the FCC license for HAM radio: long, incredibly detailed and most people can't pass it without lots of work.

The operating system cannot be made secure from users adding software if they are supposed to add software. But users aren't qualified to add software to their computers and if they are allowed to do so, they will add things that will eventually destroy the ability to use the Internet.

exam

[baomike]

>

unless you know something about electronics/radio

le customers

[rmadmin]

I've had a handfull of customers email me on this one yesterday and today.

"This is the same as the last 'patch' email I told you we never send, delete it"

maybe the problem...

[darkvizier]

...is that malware has better installation instructions than any of our other software. When people see documentation, it's like a dream come true!

Ah... disillusionment. :-)

Mail server filters

[TheBracket]

We have a set of filters in place that scan every incoming message (for viruses, spam, etc.). It looks like in the last 24 hours or so we've blocked a few thousand of these. They seem to be coming from all over the place, with a variety of subject lines. We block any IP that sends us malicious messages more than twice in an hour (the block stays up for 24 hours, I think), so the 2-3,000 we've blocked could be a drop in the ocean - or may not be. That's still a lot more than we get for most incidents like this.

A day in the life of a spam filter

[gvc]

If the CEAS Live Challenge [slashdot.org] had occurred over the last 24 hours, participants would've had to deal with several copies of this virus. Note how it morphed from news headlines to greeting card lines over the course of the day.

USA Missle Strike: Iran War just have started attach="News.exe"
Israel Just Have Started World War III attach="Video.exe"
Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Here.exe"
USA Missle Strike: Iran War just have started attach="News.exe"
USA Just Have Started World War III attach="Read More.exe"
Iran Just Have Started World War III attach="Movie.exe"
Missle Strike: The USA kills more then 10000 Iranian citizens attach="Click Me.exe"
Missle Strike: The USA kills more then 10000 Iranian citizens attach="Video.exe"
USA Just Have Started World War III attach="News.exe"
I Love You Because attach="flash postcard.exe"
You're In My Thoughts attach="postcard.exe"
You're In My Thoughts attach="flash postcard.exe"
Love Remains attach="Love Card.exe"
Inside My Heart attach="greeting card.exe"
A Kiss So Gentle attach="Postcard.exe"

Trojan is so US centric

[TechyImmigrant]

It may be a Storm Trojan in the USA, however in the UK it would be called a Storm Durex. Either are good for penetration.

Re:

[Opportunist]

About 70% of current malware runs on Vista, so I'd give it a good chance.

If it's important to you, I'll check on Monday.

Re:

[cdrguru]

Except the fool users that already unpacked and executed the file will then just type in the appropriate password when required in order to apply the patch.

There is no chance of this not succeeding with people that have no business being responsible for administering a computer.

Re:

[Intron]

Postini is probably now wondering about the gigantic DDOS attack on their web server.

I use mimedefang, which filters .exe by default, but allows .zip. Hard to block this one since they can just change the password to change its signature.

Re:

[jfengel]

Exactly. It also prevents the anti-virus from scanning the contents of the zip file. The "the password is:" bit acts like a CAPTCHA; it takes a human being to recognize where the password is in the text.

(It seems to me that it would be worth the trouble for a virus scanner to try every word in the file as a password, and then scan the results.)

High risk file types

[iago-vL]

Are you sure you got all the high-risk file types? Here's one or two you should avoid:

.ade .adp .app .asp .bas .bat .cer .chm .cmd .com .cpl .crt .csh .exe .fxp .hlp .hta .inf .ins .isp .its .js .jse .ksh .lnk .mad .maf .mag .mam .maq .mar .mas .mat .mau .mav .maw .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp .mst .ops .pcd .pif .prf .prg .pst .reg .scf .scr .sct .shb .shs .tmp .url .vb .vbe .vbs .vsmacros .vss .vst .vsw .ws .wsc .wsf .wsh

Source: http://support.microsoft.com/kb/925330/en-us [microsoft.com]

Re:It scares me to death!

[Mister Whirly]

"Once someone smart had said : There's no patch for stupidity"

Sure there is [wikipedia.org]