Botnet worm in DOS attacks could wipe data out on infected PCs
The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.
There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group.
There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.
The attacks started over the July 4 weekend, with distributed DoS attacks launched against dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged at least twice during the week, affected sites including the White House, the Federal Trade Commission, the Secret Service, and The Washington Post.
One of the files dropped on infected PCs is programmed to wipe out files on the PC, including the master boot record, which will render the system inoperable when the PC is rebooted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.
Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that that function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.
Researchers are finding that the botnets launching the attacks are infected with several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other antivirus vendors have reported.
A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to e-mail addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.
The Dozer Trojan serves as a backdoor and connects to IPs through certain ports, allowing it to update itself and to receive instructions on sites to attack, according to Symantec. It's unclear if the DOS attacks will happen again because the infected PCs can receive new instructions at any time, Egan said.
"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked it's likely the attackers are just trying to get attention, he added.
South Korea officials told reporters on Friday that the DOS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan, and Guatemala, but not North Korea, according to an Associated Press report.
For more information listen to CNET blogger Larry Magid's podcast on the subject.
[Graphic, credit Symantec: how the different malware components on the denial-of-service botnets interact.]
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor. 
In all fairness, good luck, and I hope y'all were smart enough to save off your real important stuff to an external or (pref in this case) optical disk...
The malware is also detected by virtually every single anti-virus software, and can be completely cleaned by numerous free tools (including Microsoft's malicious software removal tool).
If you refuse to apply patches for 5 years, refuse to run any anti-virus software, and refuse to run free detection and removal tools, then I guess you shouldn't be too surprised if your data gets wiped.
Yes, the Mac users running Windows under BootCamp or Parallels may be infected on that side.
Do you really think OS X is invincible? Then how come it has been pwned 3 years in a row at CanSecWest? Why is there a PoC drive-by download online for the Mac right now? http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
Just FYI, there has been malware for Intel Macs in the wild since February of 2006. And thousands of Macs have been detected in iBotnet, launching DDoS attacks (just like the PCs mentioned in this particular article). If the zombies were all Parallels or BootCamp partitions, and if the iBotnet worm was actually written for Windows, then the OS detected would be Windows. DUH!!!
I'm sorry, but if it weren't bad enough that your knowledge of computers is waaaaay out of date, I'm afraid your thinker is broken as well. How's that foot taste?
There is nothing in Mac OS that makes it magically able to distinguish a malicious program from a benign program and block it. If there were, and if it were 100% effective as is the magical OS in your half-baked imagination, then it would be by definition an antivirus or IDS, and a holy grail at that; Symantec and McAfee would have long since taken interest in such a thing. And don't forget, McAfee VirusScan was originally launched in 1987 to detect and remove Mac viruses, not Windows viruses.
Apple fell first, and it looks like they could finish right back where they started, as attacks against Vista and Windows 7 are failing. Also, more and more AV vendors are implementing browser protection into their products, making even XP a rapidly shrinking target (we also have solutions such as GeSWall and Invincible Windows). Eventually, the only thing remote hackers can access will be your platform. And hardly anyone runs AV on their Mac, thanks to people like you continually propagating the meme.
No, he said that the Mac users may be infected if they have Windows running in Parallels or BootCamp.
"This malware exploited a bug Microsoft patched way back in 2004 (!)"
...which must be a real consolation to those who were rebuilding their machines from original media (in turn leaving their machines open to infection for hours on end until their downloads from http://update.microsoft.com finally caught up... assuming they bothered to sit through all the reboots and such).
Simply saying 'oh, it's been patched' is far too simplistic an answer.
>>>>I really don't equate that to getting your Mac infected; that's just Windows getting infected. However, you seem to be suggesting that the Mac has no inherent vulnerabilities of its own. I'm sorry, but security researchers wouldn't agree with you. There used to be a PoC for the blind in faith such as yourself, here: http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
Unfortunately, the applet is no longer there. However, this doesn't change the fact that OS X has been hacked three times at CanSecWest, three years in a row, all through Safari on the second day; no one has been able to do that to Vista. One guy managed with an Adobe Flash exploit on the third day, but had quite a bit of difficulty doing it. In a foolish statement below, you attempt to claim that OS X is a million times more difficult to attack. Sorry, but I know better.
You have no defense other than a silly authentication mechanism, which is no more impressive than a limited user account in XP. And hackers were able to circumvent that with SQL Slammer and Stack Bot three years ago, and more recently with Mebroot, Conficker, and others. Don't confuse obscurity with inherent security.
Microsoft. Your frustration. Our fault.
Thousands of OSX users are part of a botnet and don't know it and probably never will.
oooooh! don't look under your bed - there's a monster in there!
hint: detecting most malware on a *nix box is actually a lot easier than you think due to the openness of the underlying architecture. It's far harder to hide something in a typical *nix box than it is in a typical Windows registry.
Now if you really want to hide something, and hide it from any OS, you slip it in under a real thin type 2 hypervisor and bury the works into the boot partition... but that would require something a bit more local than the Internet to pull off.
Tell that to an average user
@The_happy_switcher
FUD machine? No
I can back my claims up.
http://www.macworld.co.uk/business/news/index.cfm?newsid=25756
This requires a great deal of help from the user, too, as mentioned in your link: "While this is likely to re-ignite any discussion regarding security on Mac OS X, we would repeat that you are extremely unlikely to be infected with the iServices trojan, and that the only way to have become infected is to have obtained an illegal copy of iWork '09 or Photoshop CS4 (typically through a peer-to-peer Web site), downloaded it, and installed it entering your administrator password."
In short, stupid is as stupid does.
Yeah, the ones also running Boot Camp or Parallels where the malware resides.
And the only way to install a trojan or virus on vista is giving consent through UAC.
Both OS's require stupid users to infect them so why are we fighting over this?
Considering that the only things which came out for OSX so far required the user to actively try to infect his machine? What's to tell? (Seriously... downloading a "codec" at a shady pr0n site? Even the barely functional among us can figure out that you just don't do something stupid like that).
Until Charlie Miller shows up at my house with a geek stick, there's absolutely nothing at this time that could infect my Macs without my knowledge and consent... same goes for the typical user.
Recent OS X exploits included rigged PDF, tiff and GIF files. All that's needed for a successful exploit is to visit a web page containing a rigged media file and it's game over.
E.g.: http://www.securityfocus.com/bid/34965
Wow, you are truly naive. Never mind the fact that the worm in discussion here is in fact a Trojan, and not an exploit. Never mind the fact that Vista SP1 protects the MBR. You are throwing all of your stock in status quo and its effect on the choices made by criminals. I've said it before, if Windows XP's market share falls low enough that Russian and Chinese bot herders feel a serious constraint on accessible resources; then there are PoCs, bulletins of remotely exploitable vulnerabilities, and blogs talking about how easily existing Trojans could be turned into highly effective drive-by exploits with just a little modification out there.
Drive-by downloads have not been around all that long; there was a time when it was all about trickery (BTW, a precious PowerPoint slideshow from one of your friends with a little extra something embedded in the code is not as obvious as a "codec" on a p0rn site). There is a first time for everything; only a fool says, "it'll NEVER happen to me." When remote exploits for the Mac cross that fine line between PoC and ItW (which is infinitely easier on Mac OS than on Vista or Windows 7, even with UAC turned completely off), I see you as being among the very first in trouble. As I've never seen any mention from you on what you will do when the time comes, you appear to be helplessly dependent on others. And most alarmingly, those upon whom you are depending are your enemies!
Security researchers agree unanimously that Mac OS is the very most vulnerable operating system on the market today. Authentication only stops your kid cousin from infecting your system with a Trojan in an installer package, it will not stop scripts from leveraging the permissions of an existing parent program to make subtle changes. Sorry to bust your bubble, but the "Macs don't get viruses" bandwagon is nothing more than a meme. Don't confuse obscurity with inherent security.
Now, criminals know how to attack XP and older versions of Windows remotely, and anti-MS zealots are calling it complacency and irresponsibility on the part of MS. Not to turn this into a political discussion, but we have a lot of Republicans blaming Obama for the economic crisis he has inherited, as if he should be able to make a speeding freight train stop on a dime (LOL), and instantaneously clean up Bush's catastrophic mess.
Vista is not by any means the most celebrated operating system Microsoft has ever written, but at least it has addressed the pandemic of drive-by downloads with noteworthy assertion. Vista users are able to wind down in the eye of a hurricane, thanks to the efforts of trained systems engineers at the yet ever maligned Big Red.
If Mac OS is targeted in the wild before Apple can make adequate preparations, it will make headlines. And try as the howling zealots may, in desperation to drown out reality and comfort themselves through repetitious chants of denial, they will be able to perpetuate the invincibility meme no longer. They will have no choice but to install security software, or throw up their hands a second time and migrate back to Windows.
Don't flatter yourself; in case you missed it, this is not a drive-by download. Vista users are as secure as you are, as long as they use AV (AV can keep up with e-mail Trojans), avoid opening e-mail messages from strangers, and avoid installing "codecs" on p0rn sites (of which Mac and Linux users need to beware as well). I use XP myself, but because I know how to lock it down, I'm in better shape still.
Windows is never secure. Nice try comparing it to Mac or Linux but you are literally FAILING!
Keep patching your Windows every Tuesday. Make sure to update your Anti-Spyware & Virus programs you have installed lol
>>>>Say WHAT?! Show me an ItW drive-by download that affects Vista. Just so you are aware, Vista (and the upcoming Windows 7) has a lot more than a silly authentication mechanism, which is no more impressive than a limited user account in XP. Vista has DEP and ASLR, soon to be joined by Safe Unlinking in Windows 7.
I have used various methods to secure XP against remote attacks (one of the easiest being GeSWall), but discovered a simple solution in NTFS itself in early 2007, and have stuck with it ever since. All I had to do was disable write-access to system32 (the kernel) for the account I use; attacks bounce right off me.
Correct me if I'm wrong, but all you have to my knowledge is authentication. Well, so does OS X. And if Unix-based OS X can be pwned remotely without the user keying in a password, then so could a Unix-based Debian distro, methinks. I'm sorry if it hurts you to think of Windows as being secure, but it's reality.
Fortunately for you, the last time I saw a figure for ItW Linux malware, there were only about 800 samples. And nobody at CanSecWest even cares to bother with Linux, as it's just not relevant. I don't foresee any Linux distro gaining significant ground in the near future, so your obscurity advantage isn't going anywhere.
If a superficial sense of security is enough for you, enjoy. Personally, I like knowing what I can do to protect myself even in the line of fire. I also like knowing that, when I upgrade to Windows 7, it will have the same genuine security that Vista has now.
It's only a matter of time before you are pwn't by a script kiddie
if you want to be safe, try unplugging the yellow cable running from the back of your computer from the wall, format, reinstall and then you will be safe
With the problems continuously encountered by Windows users around the world, people keep asking themselves if Windows is a virus. In response to the high demand for an answer to that question a study was done and concluded the following.
1. Viruses replicate quickly.
Windows does this.
2. Viruses use up valuable system resources, slowing down the system as they do so.
Windows does this.
3. Viruses will, from time to time, trash your hard disk.
Windows does this.
4. Viruses are usually carried, unknown to the user, along with valuable programs and systems.
Windows does that too.
5. Viruses will occasionally make the user suspect their system is too slow (see 2) and the user will buy new hardware.
Same with Windows, yet again.
Maybe Windows really is a virus.
Nope! There is a difference!
Viruses are well supported by their authors, are frequently updated, and tend to become more sophisticated as they mature. So there it is, Windows is not a virus!
Get your head out of your BUTT, and realize that ANY OS will have attacks waged against it..... more if it is a VERY POPULAR OS like Windows XP, Vista and 7 are.
No, it does NOT dilute my point except in the minds of those idiots and braindeads out there who think "Without civility, you have no point!' Yeah, tell the Repukians that, the Democrats that, etc.
There is a time for civility.... and a time for being blunt. THIS IS A TIME FOR BEING BLUNT! (sing that stuff in caps with me!)
Also, the personal attack ("drooling idiot") in your second clause doesn't help your counterargument, even if it is sound.
One wonders if the owners of these two computers are aware that their cheap-ware has been taken over by viruses and post here without their knowledge. In other words both aSirius & Lerianis are botnets. That's the only possible explanation, otherwise one might think that these posters are simply two uncouth, impecunious, low social status Windows fanboys.
now win-bots, which is which?
What happens if you fanboys don't meet your troll quota? Do your Apple masters whip you or disown you?
That's the blunt bottom line: the only time I have ever gotten a virus that Norton didn't automatically remove was when I was stupid enough to download a codec pack to watch some porn (which I should have KNOWN I should not have had to do with the K-Lite thing I have on my system) and got slammed with a virus.
People are just going to have to realize that YOU HAVE TO TAKE SOME PROACTIVE PROTECTION. That means living with a little bit of 'slowdown' because of security software on your machine (and really, I haven't seen ANY difference on my PC's before and after installing security products, except when they are from McAfee).
Apple fans are laughing at MS fans at this moment and they think they're invincible. Who knows if their machines are already infected and more are coming.
OSX and Linux are only 'virus-proof' now because they are still also-ran OS's, that have too little marketshare to attack. 15 to 20% is the 'sweet spot' according to security researchers for when an OS becomes 'hacker-worthy' and attacks start to ramp up, unless you are talking about business PC's.
As for the conference where they claim OS X was pwned, the guy who did it had a year to prep for it, and they had to relax the rules before he got in.
The second year they relaxed the rules beforehand and he prepared for three months.
But Steve Ballmer was pleased, and that's all that counts. Pathetic trolls can't accept that OS X is better. And that's all it takes. Better. Not invulnerable. Nothing is invulnerable. But OS X is not threatened in any serious way at this point. Only people who downloaded and installed illegal versions of iLife 09 and Photoshop CS4 had compromised computers. And they had to do it to themselves. It could not happen without them doing something stupid to begin with.
Poor little trolls having a fit in mom's basement.
Really now?
http://www.macworld.co.uk/business/news/index.cfm?newsid=25756
Did you even read his comment?
The said trojan requires you to download a pirated copy of iWork off a torrent site,
mount it and install after typing your password.
Are you seriously comparing this one trojan to the millions of Windows exploits?
Eventually you get to the point where you've tried to help people who choose to have this sort of problem so much, and failed so miserably, that to save your own sanity you have to just give up. The people who suffer from Windows malware and won't escape their abusive environment have only themselves to blame. "It will be different this time," or "I know how to handle it now" are just the sort of things that make a normal compassionate geek just shake their heads with a loss for words.
I don't want to join the clueless blame-the-victim crowd with their assertions that if only people had pursued an IS postdoc they would be aware of the proper methods for "securing" their laptops, their networks, their applications and their files. That's not my point at all - given the level of broken nature of this environment, there's really nothing you could do to make it good. Eventually the malware authors get the better of even the best IT staff. It's not your fault that your stuff got destroyed the first few times.
But eventually you've got to grow up and take ownership of the fact that you're entitled to better than this. You don't have to have this problem. Other people choose not to have the Windows Malware problem, and they're doing just fine.
Get a clue.
OSX iBotnet proves this.
Is that all you have?
After 9 yrs of OSX you cling on to a single trojan
that requires you to download and install pirated copies of software that comes free with most Macs.
The fact that people even talk about such an insignificant threat shows you how secure OSX is!
Is it immune? No, and it never will be, but it beats the heck out of Windows any day of the week!
In the wild? meh. As long as there are non-compliant users, or users not updating XP, then Windows will have exploitable problems. However, witness the decline in attacks on Windows and the increase against OSX and a trend is starting to emerge. A trend ole Jobsy is starting to lose sleep over. Oh well, at least Apple machines are pretty....LMFAO
- by SirCommonSense July 17, 2009 6:45 AM PDT
Someone should challenge santuccie's incorrect claims, but since no-one else seems willing to do it, I will.
SANTUCCIE, answer me this:
1) Do you realize, that by default, in Windows XP and higher, limited users do NOT have write access to Windows\System32, and what you are doing to deny write access is absolutely and utterly pointless? Editing the permissions so that any one or all limited user accounts has a specific Deny write permission to System32 does not change anything, since limited user accounts by default have no Allow write permission to System32. Windows file permissions work like this: if you have "Allow" on some permission like "Write Data", then you can write. If you have "Deny" on write, then you can't write. If you have neither Allow or Deny, then you can't write. The latter is the case with the default permissions. Limited users have no Allow write set in the permissions for System32, but don't have a Deny write either, because it would be pointless.
2) Neither Conficker/Downadup nor Mebroot/Torpig/Sinowal use any privilege escalation techniques at all. If you think they do, prove it. And then be sure to forward your proof to the thousands of professional security analysts in the world that have analyzed the source code of both malwares and found no sign of the malwares attempting to escalate privileges.
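The Allow / Deny / neither logic described in the comment above is the documented order in which Windows walks a DACL, so here is an added example (not from the article, the commenters, or Microsoft) that models that evaluation in Python. Everything in it is constructed: the trustee names, the access-mask bit values (the real Windows constants differ) and the System32-like ACL are illustrative stand-ins, and the model goes slightly beyond the comment by also showing the two cases in which an explicit Deny does change the outcome (a token that also holds a group Allow, and a NULL DACL).

```python
"""
Simplified model of Windows DACL evaluation (added example, not Windows code).

Rules modelled, in the order Windows applies them:
  * a NULL DACL grants every request; an empty DACL grants nothing;
  * ACEs are walked in order (canonical order puts explicit Deny ACEs first);
  * a Deny ACE whose trustee the token holds and whose mask overlaps still-needed
    rights fails the check immediately;
  * an Allow ACE for a held trustee subtracts the rights it grants;
  * whatever is still needed after the last ACE is implicitly denied.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed access-mask bits; illustrative only, not the real FILE_* constants.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # principal or group name a token may hold (stand-in for a SID)
    mask: int      # rights this ACE grants or denies


def access_check(dacl: Optional[List[Ace]], token: Set[str], requested: int) -> bool:
    """Return True if every bit in `requested` is granted to a token holding `token`."""
    if dacl is None:                      # NULL DACL: object is unprotected
        return True
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue                      # ACE does not apply to this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # explicit deny on a right still needed
        if ace.kind == "allow":
            remaining &= ~ace.mask        # accumulate granted rights
            if remaining == 0:
                return True
    return remaining == 0                 # leftover rights are implicitly denied


# Constructed stand-in for the default System32 DACL: limited users get read/execute only.
SYSTEM32_DEFAULT = [
    Ace("allow", "SYSTEM", ALL),
    Ace("allow", "Administrators", ALL),
    Ace("allow", "Users", READ | EXECUTE),
]
LIMITED_USER = {"Users", "Everyone"}                     # constructed token
ADMIN_USER = {"Users", "Administrators", "Everyone"}     # constructed token


def with_explicit_deny(dacl: List[Ace], trustee: str, mask: int) -> List[Ace]:
    """Prepend an explicit Deny ACE, as canonical ACE ordering requires."""
    return [Ace("deny", trustee, mask)] + list(dacl)


def limited_user_write_before_and_after_deny() -> Tuple[bool, bool]:
    """The comment's point: with no Allow for write, adding a Deny changes nothing."""
    before = access_check(SYSTEM32_DEFAULT, LIMITED_USER, WRITE)
    after = access_check(with_explicit_deny(SYSTEM32_DEFAULT, "Users", WRITE),
                         LIMITED_USER, WRITE)
    return before, after                  # both False


def deny_versus_group_allow() -> Tuple[bool, bool]:
    """Where a Deny does matter: the token also holds a group that is allowed write."""
    token = {"Users", "Operators"}
    dacl = SYSTEM32_DEFAULT + [Ace("allow", "Operators", WRITE)]   # constructed extra ACE
    without_deny = access_check(dacl, token, WRITE)                 # True via Operators
    with_deny = access_check(with_explicit_deny(dacl, "Users", WRITE), token, WRITE)
    return without_deny, with_deny        # (True, False): Deny is evaluated first


if __name__ == "__main__":
    print("limited user write (default, +deny):", limited_user_write_before_and_after_deny())
    print("admin write:", access_check(SYSTEM32_DEFAULT, ADMIN_USER, WRITE))
    print("group allow vs explicit deny:", deny_versus_group_allow())
```

The defender's takeaway from the model is that an explicit Deny is redundant only while no other ACE on the object grants the right to any group the token holds; it becomes meaningful the moment an Allow for such a group is added later, and a NULL DACL (as opposed to an empty one) silently grants everything to everyone.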