
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


German Spam

The recent spate of German Spam, and the announcement by the Australian Democrats about an anti-spyware bill are the main topics of discussion for this week's column. If readers have any requests or suggestions for further topics or areas of discussion, please send an email to info@beskerming.com.

The problem with having non-technical people managing and directing technical progress / capability, whether it is in a corporate setting or a government, is that the best-intentioned concepts may be doomed to fail due to a lack of understanding of the technology. Recently, on May 12, Australian Democrats Senator Brian Greig submitted a bill to the Federal Parliament proposing that any entity that installed software on a user's computer without consent would face a fine of $10,000. The immediate issue is that the people and companies involved in spyware / adware / malware creation and distribution will ignore this if it becomes law, merely shifting their base of operations to countries outside of the reach of Australian law enforcement. The other, more critical, issue is the use of 'click through' EULAs with the installation of these applications, which shift the responsibility for the installation to the user and make it a consenting installation, such as those used by Gator and Bonzi Buddy, two nasty pieces of malicious software.

These licence agreements have yet to be tested in a court of law, and it is rare that users actually read through the content of these agreements, which can be quite restrictive or allow scary levels of access to the system by the company that developed the application. For example, the EULA associated with the Windows Operating System absolves Microsoft of any responsibility should the failure of their operating system cause major financial loss and damage to the user. Some EULAs even go so far as to exclude the use of the software in safety critical areas, claiming that it will be at the user's own risk if they choose to proceed with such an installation. A major issue with EULAs is that people just don't read them when they install software. This is sometimes the desired effect from the software companies, with the EULA attached to one piece of spyware being more than 5,000 words. PC Pitstop actually went as far as to offer money to users who read through one of their EULAs. It took more than 3,000 downloads before someone contacted them about the money. The lucky user was given a cheque for $1,000 USD.

The Democrats' Anti-spyware bill is likely to be as successful as the Anti-spam laws in Australia and the USA, which have proven completely ineffective in practical terms (that is, at reducing spam email traffic), despite a significant proportion of spam originating from the USA.

Of greater immediate concern to most users is the recent announcement of a major flaw with Microsoft Internet Explorer (MSIE), Outlook and several other miscellaneous titles (not named). Apparently the flaw exists with the default installation of these applications, and allows remote execution of code with minimal user interaction. Existing users of Internet Explorer and Outlook should already be very careful with their application usage habits, however this announcement should serve to reinforce that idea, and prompt those who haven't already done so to install a firewall and system monitoring software. Users should expect more information to be released in the coming weeks.

German language spam is not a common occurrence in most English speaking countries, but there has been a run of spam emails in German flooding inboxes over the last week, starting on 14 May. Although email worms don't usually deliver spam, the culprit was one that spreads through Microsoft Windows based systems. The Sober email worm has been around for a while, and is now up to the 17th incarnation, identified as Sober.Q by various anti-virus vendors, and it was this version which released the German spam on the world. It was actually the 16th variant, Sober.P, which downloaded the 17th, and the 17th then spewed spam out across the internet. Oddly enough, the spam was not for any commercial product, but was timed to coincide with the 60th anniversary commemorations of the end of World War II in Europe. Many of the sites linked in the emails were classified as 'extreme right wing' and 'NeoNazi propaganda'. In addition to the anniversary, the German state with the greatest population will be holding an election on May 22, and some observers believe that the spam release may have been motivated by that occurrence.

The 7th variant of Sober, Sober.G, was released last June to coincide with the European Parliament elections, and also spammed related messages, so there is a precedent which also happens to use the same family of worm. Like the Sober.P - Sober.Q relationship, Sober.G downloaded Sober.H, which was the spamming variant. Technically, Sober.Q is not a worm or virus, but a spam engine. Some reports were even made that mobile phones and Blackberries (hand held email devices) were being spammed via SMS as a part of this attack, although it is likely that this was merely an email - SMS gateway passing on messages as it is supposed to, and not a direct SMS attack against devices that cannot access email.

Like a lot of current email spread malware, the Sober family of worms uses forged headers when sending out messages, which means that the From: line in the email message is not who sent it. Forged headers hide the source of the message from the average user, and can make it look like it is from someone they know. A forged header has a second effect: when anti-virus / anti-spam monitoring applications bounce or auto-reply to infected messages, those pointless emails go to the unsuspecting victim whose address was set up in the From: line. In internet parlance, this is known as a 'Joe Job', and it can cause a problem when over-zealous administrators or frustrated users complain to / about the victim. There have been cases where ISPs have suspended accounts due to complaints received about a customer who was the victim of a 'Joe Job'. If you are the victim of a 'Joe Job', it doesn't necessarily mean that you have any malware on your system, although it couldn't hurt to check anyway, and it can get annoying receiving abusive emails about being responsible for sending out viruses.
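As an added illustration (not code from this column), the following Python parses a constructed message whose From: line has been forged, compares the From: domain with the host that injected the message according to the earliest Received: line, and shows the disposition a mail scanner should take: a message detected as a worm is discarded, never bounced, because the bounce would only reach the 'Joe Job' victim. All addresses, hostnames and header values are constructed, and the domain comparison is a simple heuristic assumed for the example.

```python
"""Added example: why a scanner must not bounce malware to the From: address.
Parses a constructed message with a forged From: header and decides on a
disposition that never sends an auto-reply to the forged sender."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: the worm forged From: as an innocent third party at
# example.org, but the earliest Received: hop shows the real injecting host.
SAMPLE = """\
Return-Path: <bounce@example.org>
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.com with ESMTP id ABC123 for <victim@example.com>;
    Mon, 16 May 2005 10:00:00 +0000
Received: from dsl-pool-55.example.net (dsl-pool-55.example.net [198.51.100.55])
    by mail.example.net with SMTP; Mon, 16 May 2005 09:59:58 +0000
From: "Innocent User" <innocent@example.org>
To: victim@example.com
Subject: test

(body omitted)
"""

def forged_from_indicators(raw: str) -> dict:
    """Return what the headers reveal about who really handed in the message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    # Received: lines are prepended by each hop, so the last one is the
    # earliest hop, i.e. the host that injected the message.
    received = msg.get_all("Received", [])
    first_hop = received[-1] if received else ""
    m = re.search(r"from\s+(\S+)", first_hop)
    origin_host = m.group(1).lower() if m else ""
    return {
        "from_domain": from_domain,
        "origin_host": origin_host,
        # Heuristic (assumed for this example): injecting host outside the
        # From: domain is evidence, not proof, that From: was forged.
        "mismatch": not origin_host.endswith(from_domain),
    }

def disposition(flagged_as_malware: bool, indicators: dict) -> str:
    """A bounce or auto-reply goes to the From: address. For a detected worm
    that address is almost certainly forged, so the reply would only 'Joe Job'
    a bystander: discard silently instead of bouncing."""
    if flagged_as_malware:
        return "discard"
    return "bounce-if-undeliverable"
```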

23 May 2005
