Security:
News ToolsReg Shops |
The Register » Security » Comments on ‘Mass compromise powers massive drive-by download attack’Invasion of the password snatchersPublished Thursday 13th March 2008 12:10 GMT
FFSBy Andy Turner
Posted Thursday 13th March 2008 12:41 GMT
Malware is fast overtaking spam as an absolute pain in the arse. People should be shot for this kind of thing. @ Andy TurnerBy Rob
Posted Thursday 13th March 2008 13:37 GMT
"Malware is fast overtaking spam as an absolute pain in the arse. People should be shot for this kind of thing." If it's any consolation, in China there's a good chance that they will be. ISTR that the usual protocol involves sending their families a bill for the bullet... Play the shame gameBy Del Merritt
Posted Thursday 13th March 2008 13:46 GMT
So where's the list of sites affected? All that is spread is FUD if you don't make clear who/what to avoid. If a truly "major" site was infected, it's important for its visitors to know. Of course, all of the references at McAfee's Avert Labs appear to point to ActiveX - not a problem for this Linux fanboy - but unfortunately I have friends and relatives using Winblows, and if there's a reasonable chance that one of these 10,000 sites is on their list of regulars, I'd like to forewarn them appropriately. Spam = Malware = SpamBy Hugh Fiske
Posted Thursday 13th March 2008 13:50 GMT
They're inextricably linked and often come from the same gangs. Firefox + Noscript should prevent most malware redirection attempts, we need to spread the word. Paris? Already being spread. Trusted websites?? didnt know they excisted.By Robbie
Posted Thursday 13th March 2008 14:00 GMT
again they target "Trusted" websites.. maybe people should stop using the term "trusted website" and use something like "seems to work so far" Paris because even she knowns beter. Shooting bastards...By Trygve Henriksen
Posted Thursday 13th March 2008 14:12 GMT
Yes, we should start shooting malware creators and other low-life. And we should start by shooting those who run 'bulletproof hosting' services. They're the easiest of the low-life to be found) Without those servers, it would be very difficult for Pill-peddlers and other low-life to set up shop, and without shops, why bother to send out SPAM? The same goes for Malware. Many of them also need a 'discreet' hosting service. And if they can't get hosting for their files... There's also the 'Dynamic DNS' services. This is sometimes used to poing idiots(those who read spam) to 'shops' hosted on compromised servers or PCs. These services are really meant for 'low volume' usage(someone accessing his PC from the office, a 'home-brewed' game server or that sort), so it should be possible for them to 'switch off' the translation of a particular server name if the activity suddenly peaks... Why don't they? An unfortunate new trendBy Andy Enderby
Posted Thursday 13th March 2008 14:18 GMT
There seems to be a trend of attacking web communities developing right now. I traced the miscreants responsible for an attack on two communities I deal with as a punter back to sites allied to the RBN (Russian Business Network), and am of the opinion that this is far from unique. After all, the returns are potentially far higher - the perps know the central themes in the community fora and can target scams more accurately. More return, less work. Trusted Websites ? That's an oxymoron isn't it ? In the case above though, I was one of the few that got away without getting compromised. RE: Play the shame gameBy ImaGnuber
Posted Thursday 13th March 2008 15:33 GMT
"So where's the list of sites affected? All that is spread is FUD if you don't make clear who/what to avoid." Exactly. Warnings without names are pointless noise. Please don't waste our time. Linux? Maybe, maybe notBy Anonymous Coward
Posted Thursday 13th March 2008 15:55 GMT
As a "Linux Fanboi", I'd have to say that currently Linux users have some protection from this---but although I believe *nix is generally more secure, if it had anywhere near the popularity that Windows has with end-users, I'm sure there would be many more exploits. Right now its comparative rarity and the lack of total interoperability between different flavors of Linux makes it more secure. For everyone, I'd personally recommend Firefox and a script blocker like "NoScript" IE's headed in the right direction, but the annoying and worthless popups that you have to click through to get anything to work causes them to undermine their own usefulness---after a while, people will blindly just 'click it' when IE "cries wolf", or lower their security settings out of annoyance when they get a bland and uninformative warning every time they try to do something. I recently installed the beta of XP SP3 on one of my Windows boxes, and the generic warning to the effect of: "this contains a potential security risk" when doing something as innocuous as copying files across the network is useless and maddening... China Domain?By Biton Walstra
Posted Thursday 13th March 2008 16:22 GMT
And where is the pointing China Domain? If we got this info we can block out going traffic to it... Surely PhormBy Anonymous Coward
Posted Thursday 13th March 2008 16:31 GMT
Would have protected us. With this wonderful antiphishing service of theirs. firfox + noscript ...By vincent himpe
Posted Thursday 13th March 2008 17:39 GMT
SImply run Opera. Problem solved. A Modest ProposalBy Morely Dotes
Posted Thursday 13th March 2008 17:45 GMT
OK, *another* Modest Proposal: Both US and UK Special Operations teams need lots of training in order to stay sharp for real warfare. I suggest those teams be assigned to identify all members of the RBN, hunt them down, and capture, or if capture is not practical, kill them. And I really am serious. Wipe out the RBN and you'll eliminate a huge volume of spam, and make it possible for Joe Sixpack to pay his mortgage (because he didn't stupidly get fleeced by an RBN spammer). Once the RBN is down, move on to the next-largest spam/malware gang. Lather, rinse, repeat. The heart icon, because that's what I want: The warm, still-beating hearts of the RBN members ripped from their chests on live Webcam. Only IE seems to be affected.By John Rotomano
Posted Thursday 13th March 2008 19:31 GMT
From original report by McAfee Avert Labs, it seems that only users running Internet Explorer wold be affected, since the exploits us Active Xcontrols that are not implemented in Mozzilla browsers. The attack involves injection of script into valid web page to include a reference to a malicious .JS file which loads an HTML file that attempts to exploit vulnerabilities such as: * MS06-014 * RealPlayer (ActiveX Control) * Baofeng Storm (ActiveX Control) * Xunlei Thunder DapPlayer (ActiveX Control) * Ourgame GLWorld GlobalLink Chat (ActiveX Control). So you should be safe if you use any non-microsoft browser (like Firefox, or any mozzilla browser). And the servers?By Olivier
Posted Thursday 13th March 2008 22:57 GMT
The "vulnerable" servers are likely to be ( again ) LAMP servers. If this could make the penguins shut up a bit.. The last infection of this kind was based on a linux kernel rootkit .. Double hit for MicrosoftBy Anonymous Coward
Posted Friday 14th March 2008 00:16 GMT
Not only are the exploits used to infect users all in IE but all the infected sites are using ASP. So both their client and server software is vulnerable ... terrific. I'm surprised Microsoft doesn't just move into the malware and virus business full time! They are missing out, everyone is exploiting the potential to make money from their software and they aren't taking their cut? To all calling for death to the scumBy Steve Roper
Posted Friday 14th March 2008 01:19 GMT
I'm very pleased to see my recent campaigns to institute public execution of these filth seem to be gaining support! My preferred method is mass public hanging; it's more spectacular and dramatic than shooting. :D So, all together now... 1... 2... 3... Ch-klick... HOCK! OOOORRRRAAAAAYYYYYYY!! Why do ISP not just block this serverBy Anonymous Coward
Posted Friday 14th March 2008 02:28 GMT
End Done Fin Is Noscript really a panacea?By Tony W
Posted Friday 14th March 2008 09:14 GMT
So many sites rely on scripts that I have scripting allowed on many of the sites I visit. Then if the evil script is hosted by the site I am visiting, Noscript won't help. We shouldn't use the phrase "Trusted site"By Dr Patrick J R Harkin
Posted Friday 14th March 2008 09:29 GMT
If your PC is connected to the Real Internet (as opposed to the Happy La La Internet some people seem to think is out there) it should be hardened against malware so that if you ever click on an inappropriate link in Google you don't get hosed. You can't reliably avoid "untrusted sites"; you need to be prepared for the day you accidentally end up on one. If you need me, I'll be in the basement, stockpiling canned food and dried goods. Yes, NoScript is effective in this case tooBy Giorgio Maone
Posted Friday 14th March 2008 09:55 GMT
@Tony W: in all these attacks the malicious scripts, even if embedded in "trusted" pages, are actually loaded from sites you're very unlikely to have ever heard of, hosted in obscure Chinese servers. When you allow the "trusted" page to execute JavaScript, NoScript still prevents 3rd party scripts from loading unless you explicitly allow them too one site by one: hence yes, NoScript is an effective protection in this case as well. The period for commenting on this story has finished |
|
Top 20 stories • All The Week’s Headlines • Archive • Search