Via The War on Spam and The Spam Weblog:

Hackers hijack federal computers. Apparently the DOJ discovered, during their crackdown on cybercrime, that hundreds of Department of Defense and Senate computers had been turned into zombies.

Nice.

Can we really be sure they were only used to send spam? After all, zombies are generally the result of viruses, worms or trojans that install backdoors, so that the attacker can run anything on the system. Setting up a distributed and disguised spam-sending network just happens to be the most profitable application right now, but you can bet there are a lot of people out there who would love to take over — or just look through — US military computers.

I don’t know about you, but I find this really disturbing.

“Would you like to play a game?”

When I worked at a computer lab in college, the main security focus was preventing lab visitors from screwing around too much with the computers. We just ran Windows NT and locked it down as hard as possible. The worst network-based threat I remember facing was WinNuke, and that was just as likely to be another lab tech. Some of the early email viruses started circulating while I was there, but since it was a public lab, we didn’t provide any email programs; people would telnet into the mail server and use Pine. (This was pre-Hotmail, too.)

In my wired-for-ethernet campus housing, however, all bets were off. I watched people remotely controlling each others’ computers as pranks, or discovering hackers had gotten onto their systems from halfway across the planet, and figured it was safer to use Linux most of the time. This actually got me in trouble with the network admin at one point, who decided I must be running a server and shut off my port. It did at least teach me to disable services that were turned on by default, though I saw no indication that anything on there was actually being abused.*

Firewalled

Then there were firewalled environments. Still back in college, we rigged up my parents’ house for a home network. My brother put together a Linux box to dial into the Internet and act as a gateway, and effectively everything inside the network was safe from direct attacks. No point in internal firewalls, and since everyone was savvy enough to avoid the really nasty stuff (which was easier at the time), virus scanners were only a precaution, rather than a necessity.

For the past few years I’ve mainly worked with

By way of Justin Mason and the SpamAssassin mailing list comes this post about writing add-ons for Outlook.

Seth Goodman writes of Outlook’s contact list:

This feature was apparently added for the convenience of virus writers, who it appears were one of the key groups that set the design requirements for this product

Ronald F. Guilmette replies:

So if I want source code for a software tool that can extract addresses from a personal Outlook address book, I guess that I should just go out and hire a virus writer! Hummm. I would have no problem with that. At least this would give them some honest work for a change… keeping them off the streets and out of trouble for a short while.

So now, where does one post a ‘HELP WANTED’ ad for a virus writer?

A new virus has been running around today, hiding in files like price08.zip, new_price.zip, etc. We got a call from a customer asking what this [Defanged] notice was all about, at which point I looked at the logs and found a lot more instances. By the time our virus definitions were updated to recognize it (currently ClamAV identifies it as Trojan.JS.RunMe. Edit: McAfee and F-Secure identify it as a new Bagle variant – either W32/Bagle.aq@MM or Bagle.al), about 45 copies had made it through virus scanning but were caught by MIMEDefang, which found the attachment suspicious anyway.

The moral of this part of the story: relying on virus signatures isn’t enough. By the time Norton, McAfee, F-Secure, ClamAV, etc. have identified a signature and your scanner has grabbed the updated files, it’s too late. Some copies have already gotten through.
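As an added illustration of that point (example code written for this page, not MIMEDefang’s filter or anything from the original post): a signature-free heuristic that judges an attachment by what it is rather than by what a vendor has named it. It flags directly executable attachments, double extensions, and archives that contain executable or script files. The extension list is a policy choice, and the sample message, its addresses and the zip contents are constructed.

```python
"""Heuristic attachment check that does not depend on virus signatures.

Added example for this page; not MIMEDefang's own filter code. The
extension lists and the sample message below are constructed.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a Windows mail client will run or script when opened.
# Assumption: this is the site's own policy list, not a vendor signature.
RISKY_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "lnk",
}
ARCHIVE_EXTENSIONS = {"zip"}


def _extension(name):
    """Lower-cased final extension of a filename, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _has_double_extension(name):
    """True for names like 'invoice.txt.exe': a benign-looking extension
    followed by a risky one."""
    parts = name.lower().split(".")
    return len(parts) > 2 and parts[-1] in RISKY_EXTENSIONS


def inspect_attachment(filename, payload):
    """Return the reasons an attachment is suspicious (empty list if none)."""
    reasons = []
    ext = _extension(filename)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable attachment: {filename}")
    if _has_double_extension(filename):
        reasons.append(f"double extension: {filename}")
    if ext in ARCHIVE_EXTENSIONS:
        # Look inside the archive: the zip itself is harmless, its members
        # are what the recipient will double-click.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if _extension(member) in RISKY_EXTENSIONS:
                        reasons.append(f"archive {filename} contains {member}")
        except zipfile.BadZipFile:
            reasons.append(f"archive {filename} is not a valid zip")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and return findings for every attachment."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, payload))
    return findings


def build_sample():
    """Constructed sample: a zip attachment holding a JavaScript file.
    Addresses use the reserved .invalid TLD; the script body is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.js", "// constructed placeholder, not a real payload\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "new price"
    msg.set_content("Please see the attached price list.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="price08.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample()):
        print("SUSPICIOUS:", reason)
```

A filter like this catches a new mass-mailer on day zero because the thing it looks for (a script inside a zip sent to a mailing list) is the delivery mechanism, not the particular sample; the price is that it also quarantines legitimate zipped scripts, which is why such rules usually quarantine rather than discard.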

The next part is kind of interesting: This virus is clearly harvesting addresses from the web or from browser caches, because we’re seeing hits to our spamtraps. The really weird part: half of those hits claim to be from our other spamtraps!

But it is kind of odd for a new outbreak to hit the day I read this article: Security expert Q&A: The virus writers are winning.

More “You sent a virus!” garbage going around. It’s gotten to the point where I don’t even look at most delivery failure notices, which means I could easily miss errors about mail I really did send.

I got ticked off enough this time that I wrote back to the return address on the warning, matching the tone and structure of their message as closely as possible:

An invalid virus notice was found in an Email message you sent. Your Email scanner recognized a virus as W32/MyDoom-O but did not take into account the fact that this virus always uses a fake sender address.

Please update your virus scanner or contact your IT support personnel as soon as possible, as you are sending bogus virus warnings to third parties whose systems are not infected with the virus. This runs the risk of causing unnecessary concern among the less tech-savvy (and extra calls to tech support about the nonexistent virus they fear they have). I would recommend reading up on the phrase “crying wolf” as well.