A Dispatch


March 20, 2007

How Botnets Spread

Imagine receiving what seems to be an innocent email or instant message like the following:

From: Anton <Lorna@[removed].net>
Subject: look into future

Hi

just look at this :)

http://[removed].dothome.co.kr/

regards,
Lorna@[removed].net

Plain text, no fancy HTML tricks. Just a friendly lure and a simple URL (a Korean reader would immediately recognize the domain as a popular free web hosting service). It might be a joke, or something cute, or funny.

Click.

If you were an Internet Explorer user on Windows, that click would be the last action you performed on your PC while it was still under your total control.

That potentially friendly, cute, funny web page ends up displaying nothing but a "404 Not Found" message. But it is not a real error. It is the only visible text on a page that has already run two invisible scripts. The first script (in JavaScript) assembled the page that displays the 404 message. Embedded in that assembled page is yet another script (in VBScript) that attempted to load a Trojan onto your computer, one that allows remote control of your machine for things like spamming, further Trojan propagation, logging your password keystrokes to financial institution web sites, harvesting every email address stored on your computer, attacks on other computers...the list goes on and on.

By doing all of the Trojan loading via VBScript, the malware propagator is self-selecting users of Internet Explorer on Windows. Other browsers and operating systems do not execute VBScript in web pages, so they display the decoy page and nothing more. (A script in a web page, VBScript or otherwise, cannot write a program to disk on its own; an attempt like this succeeds only when an unpatched Internet Explorer hole or lax security settings let it.) But that's not to say that a future attempt won't exploit an unpatched security hole in some other browser or OS.
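The two-stage trick described above, a JavaScript block that document.write()s the decoy page and a VBScript block hidden inside that written markup, can be spotted without running the page at all. The checker below is an added example, not code from the original post or from the site it describes: it pulls out every script block, reconstructs the markup a document.write() call would emit by joining its string literals, and scans that markup again for VBScript. The sample page is constructed for this example; its VBScript body is a harmless comment, not a real downloader.

```javascript
// Added example (not from the original post). Statically finds VBScript that a
// page would only produce at runtime through document.write(). Constructed
// sample page: the VBScript body is a placeholder comment, not a payload.
const SAMPLE_PAGE =
  '<html><body>\n' +
  '<script type="text/javascript">\n' +
  'document.write("<h1>404 Not Found</h1>" +\n' +
  '  "<script language=\\"VBScript\\">" +\n' +
  '  "\' placeholder comment: a real page puts its downloader here" +\n' +
  '  "</scr" + "ipt>");\n' +
  '</script>\n' +
  '</body></html>\n';

// Every <script ...>...</script> block with its attribute string.
// The "</scr" + "ipt>" split in the sample keeps the inner block from
// closing the outer one, which is exactly why a single pass is not enough.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ attrs: m[1], body: m[2] });
  }
  return out;
}

// Which engine runs the block, from language= / type=. No attribute means
// JavaScript; only Internet Explorer on Windows honors VBScript here.
function scriptLanguage(attrs) {
  const a = attrs.toLowerCase();
  if (/\b(language|type)\s*=\s*["']?\s*(text\/)?vbs(cript)?\b/.test(a)) {
    return "vbscript";
  }
  return "javascript";
}

// Markup a document.write(...) call would emit, recovered by joining the
// string literals of its argument. Variables and escapes other than \" \' \\
// are deliberately ignored; that is enough for literal concatenation tricks.
function assembledMarkup(jsBody) {
  const call = /document\.write(?:ln)?\s*\(([\s\S]*?)\)\s*;/gi;
  const lit = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  let markup = "";
  let m;
  while ((m = call.exec(jsBody)) !== null) {
    let s;
    while ((s = lit.exec(m[1])) !== null) {
      const raw = s[1] !== undefined ? s[1] : s[2];
      markup += raw.replace(/\\(["'\\])/g, "$1");
    }
  }
  return markup;
}

// Text a user would actually see: scripts removed, tags turned into spaces.
function visibleText(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, "")
    .replace(/<[^>]+>/g, " ")
    .replace(/\s+/g, " ")
    .trim();
}

// Walk the page and everything it would write at runtime. Reports each
// VBScript block with the stage it was found at ("static" or
// "document.write") and the text the victim would have seen on screen.
// The depth bound keeps a self-writing page from looping forever.
function analyzePage(html) {
  const vbscript = [];
  const textParts = [visibleText(html)];
  (function walk(markup, depth, stage) {
    if (depth > 3) return;
    for (const s of extractScripts(markup)) {
      if (scriptLanguage(s.attrs) === "vbscript") {
        vbscript.push({ stage, snippet: s.body.trim().slice(0, 40) });
        continue;
      }
      const assembled = assembledMarkup(s.body);
      if (assembled) {
        textParts.push(visibleText(assembled));
        walk(assembled, depth + 1, "document.write");
      }
    }
  })(html, 0, "static");
  return { visibleText: textParts.join(" ").trim(), vbscript };
}

console.log(JSON.stringify(analyzePage(SAMPLE_PAGE), null, 2));
```

On the sample, the visible text resolves to just "404 Not Found" while one VBScript block is reported at the document.write stage, which is the mismatch worth alerting on: a page whose only on-screen content is an error message should not be carrying a second, IE-only script engine behind it.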

It is simple email messages like this one that make it imperative to train the world's email users to be suspicious of literally every email and instant message arriving at their machines. Spam filters have a hard time identifying such messages as spam: there is no HTML, no attachment, and nothing in the wording that a content filter can score. Malware distribution sites like these can be set up in seconds on free hosting services around the world, making it difficult for every bad URL to be captured by services that attempt to pre-warn users about potentially bad pages.

How long will ISPs and corporate email server administrators (and their management) continue to ignore the "last mile" of defense—the user?

Posted on March 20, 2007 at 12:05 PM