Botnets by Email

re: Botnets by Email

Dani Sarfati — Tue, 10 Apr 2007 03:28:14 GMT

Thanks for the read Mark,

I'm really excited about the UAC article that you're going to post in the June issue of technet magazine though! Can we get any previews at all?

re: Botnets by Email

Michael — Tue, 10 Apr 2007 04:32:47 GMT

Interesting as usual! Although it would have been more interesting had you actually discovered some activity.

re: Botnets by Email

Erwin Ried — Tue, 10 Apr 2007 06:35:29 GMT

Much people say that Windows is too unsecure, from my point of view the truth is that there is a lot of careless people and logically should have more careless people in Windows just for the amount of users

re: Botnets by Email

Kalyan — Tue, 10 Apr 2007 07:57:59 GMT

Thats an interesting article and interesting stuff. Now I want to playaround with Process Monitor.

re: Botnets by Email

Nick — Tue, 10 Apr 2007 09:17:32 GMT

Very interesting, glad to see you back with an article, I love em! :-)

I think much of the novice users just click away dialogs and click links because they don't read them, they don't think it can be a scam and if they do, they don't understand what it all means. It's too much for them.

Education is needed here!

re: Botnets by Email

RichS — Tue, 10 Apr 2007 11:17:21 GMT

Hi Mark, interesting read.

Could Outlook be updated so that if the displayed URL and the linked URL don't match, then Outlook could launch InternetExplorer in a "Safe" mode that is more protected ( and maybe also has a indicator that that particular session could be dangerous - e.g, a RED border ).

Unfortunately the ease of use of applications ( including Outlook ) make these types of attacks much more likely to occur, and much harder for non-tech savvy users to fall for.

Botnets by Email - BlueMountain greetings » Internet Security and Programming

Botnets by Email - BlueMountain greetings » Internet Security and Programming — Tue, 10 Apr 2007 12:59:05 GMT

PingBack from http://thanadon.com/news/botnets-by-email-bluemountain-greetings.html

re: Botnets by Email

Didier Stevens — Tue, 10 Apr 2007 17:02:57 GMT

I also got some of these "postcards", and they are crude malware. In fact, the executable is a WinRAR Self Extract Executable (SFX). When you run it, it unpacks the files and starts a script. You can see the WinRAR SFX icon in your screenshot.

re: Botnets by Email

Camus SoNiCo — Tue, 10 Apr 2007 17:07:23 GMT

Come on, man! What's happening to you? You used to post some great "research & internals" articles...

Now this?!

re: Botnets by Email

Rusty Campbell — Tue, 10 Apr 2007 17:25:50 GMT

Excellent! Very informative. And, I might add, gutsy.

An E-Mail-Bot Analysis

Roger's Security Blog — Tue, 10 Apr 2007 17:45:48 GMT

Well, we all know that we shall not click on links in mails and stuff like that. Marc Russinovich did

Hovering URL can't be trusted either

Anonymous — Tue, 10 Apr 2007 20:53:45 GMT

I just wonder why Mr. Russinovich isn't aware of the security vulnerabilities in the HTML renderer? There are various ways to even fool the hovering text and the status bar to point at any URL you like, whereas clicking on the URL takes you somewhere completely different. Classical examples are styled form buttons within a label tag, or links within a table, and you know, these have never been patched (not even on Vista).

Actually you should feel glad that you never clicked the Reply button, since this would allow the attacker to inject arbitrary HTML code into the reply window (including JavaScript and ActiveX being turned on there by default, yikes!).

One would think that Mark should know how to differ a serious mail client from a hardly RFC-conformant wannabe-mail-client ActiveX Rich Platform Client.

Mark Russinovich analiza un ataque de malware

Guillermo Taylor @ Microsoft — Wed, 11 Apr 2007 02:03:51 GMT

Pocas veces uno tiene la oportunidad de entender que tan vulnerables somos en este ciber-espacio. Y peor

Cosas Interesantes: 11/04/2007

Be Geek My Friend — Wed, 11 Apr 2007 09:37:36 GMT

Hoy en cosas interesantes: Diseñando cubos en SQL Server para usarlos en PivotTables de Excel 2007, Creador

re: Botnets by Email

wroot — Thu, 12 Apr 2007 10:41:45 GMT

that's why i don't use mail client with use of IE rendering. My client has its own renderer, so there are less chances it can be vulnerable.

re: Botnets by Email

Kevin — Fri, 13 Apr 2007 05:26:38 GMT

I was actually wondering... Since so many of these programs require administrator access anymore... Why isn't there a simple "Do not run this program as Administrator" option in the Compatibility section. It would at least make users a little more happy when a program has the requirement for Admin rights (Say an installer) and dumb it down a bit. That way, users could be (stupid) and run these types of programs NOT as administrators. >.>

Some of the Administrator rights should be up to the users, not the devs of the programs they make >.<

re: re: Botnets by Email

Janosch Ulmer — Fri, 13 Apr 2007 17:38:02 GMT

@wroot: Actually, Outlook2007 does not IE for rendering, as I understood it is the rendering engine from Word.

@Anonymous: "re: Hovering URL can't be trusted either "

Outlook IS a serious mail client - just because it is used by so many businesses. I think you did not get the message of what Mark was trying to do - he was just showing how an usual everyday-attack via Mail works and what a typical user would most likely sees - not to show what could be possible beneath this.

re: Botnets by Email

Anonymous — Sat, 14 Apr 2007 05:13:44 GMT

> Outlook IS a serious mail client - just

> because it is used by so many businesses.

Many people abusing it as a mail client doesn't make it one.

> how an usual everyday-attack via Mail works

> and what a typical user would most likely

> sees

No, he didn't. Everyday-attacks involve spoofing whereas the hover text will not show the real destination, and in fact one should wonder why the attacker didn't even install the malware without the user's consent (since there are so many unpatched vulnerabilities that Microsoft don't care for).

Sorry, but in the scenario Mark pointed out, you have already lost from the beginning, where untrustworthy content getting processed by Outlook.

2007.04.16 Daily Security Reading « Rodney Campbell’s Blog

2007.04.16 Daily Security Reading « Rodney Campbell’s Blog — Mon, 16 Apr 2007 04:15:32 GMT

PingBack from http://www.rc.au.net/blog/2007/04/16/20070416-daily-security-reading/

re: Botnets by Email

thumb — Wed, 18 Apr 2007 11:55:58 GMT

thanks Mark for this little enjoyable article

as some people said ,the point is user attention to the attack based on 'social engineering'. right?

anyway,Most of your works impressed me and i'm looking forward to reading your professional detailed articles.

Me prestas tu equipo? « El diario de Juanito

Me prestas tu equipo? « El diario de Juanito — Thu, 19 Apr 2007 00:00:19 GMT

PingBack from http://windowstips.wordpress.com/2007/04/18/me-prestas-tu-equipo/

re: Botnets by Email

Alexei — Sun, 29 Apr 2007 12:41:35 GMT

It's interesting to look into that bot program a little deeper. It seems like a generic bot. I downloaded a couple of those. The only difference between them was channels they connect to and users that can control them. I connected to some of those channels. On one of them there were about a hundred users with seemingly random names. Those are bots. Or in other words they are compromised machines that are just sitting there waiting to be taken control of. Users who can control them are usually channel admins. So you can immediately tell who the hackers are. They can control all the bots on the channel simulteneously with commands posted to the channel. This is some serious power that can be leveraged in many ways. For example, If programmed for a DDoS attack they can take down a moderate bandwidth site.

re: Botnets by Email

James — Sun, 06 May 2007 00:10:21 GMT

In a similar vein, I have a student's laptop beside me which is doing "novel" things; winlogon.exe has decided that opening a TCP connection to an Estonian webserver seems like a fun thing to do, and services.exe has gone into the spam business. Replacing the compromised winlogon.exe (booted from CD) doesn't help - something detects that at boot, restores the compromised version and reboots immediately - and of course all McAfee VirusScan can offer is attempting to delete winlogon.exe, which (fortunately?) fails every time.

It would make an interesting test of Windows Defender's capabilities - but, needless to say, the laptop was supplied with XP Home and has been upgraded to a copy of XP Pro which flunks validation.

I've submitted the compromised winlogon.exe itself to McAfee for analysis, but there are clearly other components involved; given the closing paragraph's reference to work in progress at MS, is this one already on radar, or is anyone interested in helping investigate? (There's a working address for me on the homepage linked, or use jas@spamcop.net.)

(Yes, I could just wipe the machine and reinstall - or could, given the copy of XP Home it shipped with - but like Mark, getting a proper understanding of what is being done and how is much more appealing to me!)

re: Botnets by Email

Alex — Tue, 08 May 2007 23:43:10 GMT

Wow goes to show how complicated spyware has gotten. I just don't know why someone would stay on the computer so long to make some spyware to hurt someone else's computer. It's rediculous. At least webhosters are doing some good to the world.

re: Botnets by Email

Eeyore — Wed, 16 May 2007 08:12:14 GMT

Seems like an extremely crude piece of malware.

Got to agree with Camus SoNiCo, writing about such a poorly constructed malware is a dissapointment.

I suspect you were hoping to infiltrate the irc channel and bring the botnet down from the inside out, pity it didn't work out like that.

re: Botnets by Email

Rowan — Sun, 20 May 2007 09:27:01 GMT

I've been seeing various forms of the postcard.jpg.exe attachments since late December. Mostly the victim of the onces I've has been postcard.com.

I have a unix account that has been the same since 1994. I use it as my whats new in spam hit list. Since I'm running shell mostly I use wget to download the usually RAR encoded self-extracting files to see what they want to do. Each attempt has varied between 700K to 1.5M, mIRC is popular. I've noticed that the accounts hosting the files are closed in a day. I would guess that the companies who write malware detectors are fairly quick after the ISP's involved or the ISP doesn't like the extra traffic of people who missed the various clues downloading a few hundred thousand copies of a 1mb file. The usually Eastern European website hosting the file is probably a hacked site or account and a cheap DNS entry at some bulk host.

As for a check on these files at download, the system should flag on anything with a double or more extension (.jpg.exe). Ditto for SCR, BAT, COM, and VBS links from email, all of which I have seen attempted.

The real solution to really end/reduce spam would be painful to implement at first, but would be a longer lasting solution. It would require properly configured mail servers (some people are laughing here). ESMTP (site1) already can check if the hostname(site2) provided in the HELO matches the IP (rDNS) of the host (site2) connecting to it. Most servers are configured to allow the connection even if the data doesn't match. This email data is sanitized by a mail filter right now.

What I would add to this is an extension to ESMTP which is a check by site2 back to site1 to see if site1 had initiated the original message, call it VerifiedESMTP. An additional check could be to if site1 is a listed MX server for the domain that it claims to sending mail from, which would allow the many virtual mail domains to continue without impact.

This of course won't stop all spam, it will cut down on Trojan Infected Home PC spam. Also by verifying that the sender is real before allowing the connect it will cut down on network traffic. It won't catch a "monkey in the middle attack" or some form of compromised router. It will take care of roughly 80 percent of the spam currently being sent.

re: Botnets by Email

HSANTOS — Wed, 30 May 2007 18:52:03 GMT

Mark, excuse me if I sound critical. There is really nothing here new to discover. The infamous CodeRed virus was 100% based on the idea that there will always exist a market of unsecured Windows machine. It took nearly 4-5 years before CodeRed propagation dwindled and stop spreading. Microsoft OSes simple need to stop spawning & running DATA as CODE! This *use* (and still is frankly) to be ENGINEERING TABOO, but in the name integration, Microsoft stepped over the line and didn't quite having the "engineering integrity" to cover its bases. While VISTA and "virtual sandboxes" might help, curing the problem is a based on a presumption that everyone will have the same system, same security - not going to happen.

There is only one solution - stop running DATA as CODE! Period. This isn't rocket science. We could of long ago added logic to run DATA as CODE in our electronic mail hosting servers and end-user mail readers, etc. But we from a engineering ethical standpoint we chose not to do so - MS stepped over the line and the world is suffering because of is.

MS is once again faced with the new and same engineering challenge of PINGING and REGULATING remote computers, in the name of "security" (wink wink).

But this is still an UNETHICAL practice and while MS might be the "GOOD GUY" doing this practice, opening pandora's box will lead to "Bad Guys" following and this will create even more remote networking chaos if this concept is allowed to continue to sneak and get around current US interstate commence and consumer privacy laws (UTICA).

I'm being critical because the SOLUTION has always been quite simple - STOP RUNNING DATA as CODE.

re: Botnets by Email

Jonathan Homer — Fri, 20 Jul 2007 17:42:10 GMT

Interesting that the program asks to open a firewall port. The problem with Microsoft's firewall is that you can add an entry with no user rights to the registry to give access to the port. The user would of have to wait for a reboot to use the port but that should in the majority of cases be within a day or a month or two for a server.

re: Botnets by Email

Dragomir Tenev — Sat, 11 Aug 2007 13:53:05 GMT

Spam and phishing is something very very bad. You are right that many programs detect such email spam letters, but there are still plenty of email providers that can not catch all the spam. I think that there is always a race between spammers and security managers. They both try to outsmart the other.

re: Botnets by Email

Commentcles — Mon, 04 Aug 2008 18:27:04 GMT

"HSANTOS: There is only one solution - stop running DATA as CODE!"

Are you referring to an executable data? Seriously? Did you read the article? Oh lordy...