OT - elaborate Windows malware scam

Ben Scott dragonhawk at gmail.com
Sun Aug 24 18:12:27 EDT 2008


On Sat, Aug 23, 2008 at 9:34 PM, Michael ODonnell
<michael.odonnell at comcast.net> wrote:
>   http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/print.html

  Most of that is not new; crap like that has been going on for
*years*.  I remember malware disguised as popup blockers for Windows
9X.  Most malware these days is delivered via Trojan Horse -- it
tricks the operator into deliberately and willingly installing it.

  About the only thing I saw mention of which was new (to me) was the
graying of the web page background to imitate Vista UAC.  That was a
nice touch.  UAC might have actually accomplished something if
Microsoft had preserved a Trusted Path to the UAC dialog, i.e., made
the default be to require [CTRL]+[ALT]+[DEL] on UAC dialog activation.
I understand that's still an option, but it's not on by default.  The
three-finger salute cannot be intercepted by usermode code, so a web
page would be unable to act the same way as UAC would have.  That
might have been noticed by some people.  Alas, no -- UAC can be
trivially mimicked by visual appearance alone.

  But then, I suspect many people would still have fallen for it.
It's a HHOS "joke" that many people would still run a mass-emailed
worm with the attachment filename of
"FOR_GODS_SAKE_DONT_FUCKING_RUN_THIS.EXE".

  When asking users to verify the veracity of quarantined
attachments, I often find it very difficult to communicate the concept
to someone that email is not to be trusted.  They see a name they
recognize in the "From" field, and immediately lower their guard to
zero.  Getting them to actually consider the content of the message is
challenging.

  And before all us Linux fans start feeling too superior, a great
deal of malware these days is used to turn end-user computers into
spam cannon zombies.  You don't need root privileges to make outbound
TCP connections to port 25.  If modern Linux had the user population
that 'doze does instead, I expect we'd have plenty of compromised
Linux boxes running spam cannons under unprivileged user accounts.

  There's no software patch for human gullibility.

-- Ben
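The trusted-path option Ben mentions is a policy setting, and the point of the post is that the default (secure desktop dimming, which a web page can paint) gives the user nothing to check, while a [CTRL]+[ALT]+[DEL] requirement does. The script below is an added example, not part of the original post or of any Microsoft tooling: it reports the current state of the two relevant UAC/credential-prompt policies and, with -Enforce, turns the trusted-path requirement on. The registry paths and value names (PromptOnSecureDesktop, ConsentPromptBehaviorAdmin, EnableSecureCredentialPrompting) are my assumptions about how the policies "User Account Control: Switch to the secure desktop when prompting for elevation" and "Interactive logon: Require trusted path for credential entry" are stored; verify them against secpol.msc on the build you are managing before relying on them.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# the UAC trusted-path settings discussed above.
#
# ASSUMED registry locations (check against secpol.msc on your build):
#   HKLM:\...\Policies\System
#     PromptOnSecureDesktop         1 = elevation prompts run on the secure desktop
#     ConsentPromptBehaviorAdmin    prompt style for Admin Approval Mode
#   HKLM:\...\Policies\CredUI
#     EnableSecureCredentialPrompting
#                                   1 = "Interactive logon: Require trusted path
#                                        for credential entry" (Ctrl+Alt+Del)
param([switch]$Enforce)

$systemKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$credUiKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'

function Get-PolicyValue {
    # Returns the DWORD for a policy value, or $null when no policy has set it
    # (in which case Windows falls back to its built-in default).
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$secureDesktop = Get-PolicyValue $systemKey 'PromptOnSecureDesktop'
$adminBehavior = Get-PolicyValue $systemKey 'ConsentPromptBehaviorAdmin'
$trustedPath   = Get-PolicyValue $credUiKey 'EnableSecureCredentialPrompting'

# Dimming alone is what a web page can imitate; only the Ctrl+Alt+Del
# requirement gives the user something a browser cannot fake.
[pscustomobject]@{
    PromptOnSecureDesktop           = $secureDesktop
    ConsentPromptBehaviorAdmin      = $adminBehavior
    EnableSecureCredentialPrompting = $trustedPath
    TrustedPathRequired             = ($trustedPath -eq 1)
} | Format-List

if ($Enforce) {
    # Requires an elevated shell. The CredUI key may not exist until a
    # policy has been set, so create it first.
    if (-not (Test-Path $credUiKey)) {
        New-Item -Path $credUiKey -Force | Out-Null
    }
    Set-ItemProperty -Path $credUiKey -Name 'EnableSecureCredentialPrompting' `
                     -Value 1 -Type DWord
    Set-ItemProperty -Path $systemKey -Name 'PromptOnSecureDesktop' `
                     -Value 1 -Type DWord
    Write-Host 'Trusted path for credential entry enabled; applies to the next prompt.'
}
```

Run it without arguments from any shell to audit; run it with -Enforce from an elevated shell to change the setting. One caveat a practitioner should keep in mind: the policy text names credential entry, and I have not confirmed on every Windows release that it also gates the consent-only (Continue/Cancel) prompt an administrator sees in Admin Approval Mode, so test on a representative machine before rolling it out, and expect pushback from users who now have to press three keys for every elevation.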


More information about the gnhlug-discuss mailing list