TELECOM Digest OnLine - Sorted: Re: Spammers Jump on Latest MS Hole

Re: Spammers Jump on Latest MS Hole

Wed, 13 Sep 2006 22:13:35 -0400 wrote:

> Paul F. Roberts wrote:

>> Some of those fears were confirmed when reports surfaced, just days
>> after the Aug. 8 patch release, that computers infected with malicious
>> IRC 'bot' programs.

> Some questions about today's technology:
> What is a "bot" program, as opposed to other kinds of computer
> programs?

It is a slang term for a program that runs in the background and take
"orders" from somewhere else on the Internet. Short for robot. If you
have one, someone else controls your computer. Typically they let you
think you still have control and just use it to do their dirty work
without (they hope) you knowing what's going on. Like someone taking
your car each night from 1 am to 4 am to delivery drugs.

> What allows and causes a foreign unauthorized program to start
> execution on a computer where it doesn't belong? In other words, who
> presses the start button on a supposedly personal computer to run
> sabotage? I don't understand how some external person can gain
> control of my computer, as if my neighbor could drive my automobile
> from his kitchen window.

Your neighbor CAN get your keyless entry code from his kitchen window
with the right radio scanner widgets and then install things at night
that might cause your car to do all sorts of things.

Three main ways.

1. You are on the Internet without a router or with one but not behind
a NAT setup which means you are exposed to the outside world. There
are large number of computers probing EVERY address possible on the
Internet to see if you respond. In a perfect world your computer would
ignore these probes. But due to bugs in the various operating systems
it is possible to find a bug that allows data sent in the probe to
overwrite part of the OS and when that section of the OS is used the
injected code takes over. Typically at this point it a very small
program that calls home and downloads a larger program, hides it in
your disk, sets things up to run at startup, then idles in the
background waiting for "orders". And does all of this in a way such
that you don't notice it happening.

2. You visit a web site or read an email that does basically the same
as #1 but is based on bugs in your Internet browsing software. The web
site (or AD on the web site) or email contains HTML code that exploits
a bug and allows code to be inserted into your system.

3. Social engineering is where a pop up or email says click here and
you WIN, GET, etc ... a million, prize, etc... and what you are
clicking is a program (often disguised as a graphic) which install a
BOT on your computer.

>> were scanning the Internet for Windows systems that had the
>> MS06-040 vulnerability

> What allows a private computer to be scanned by external means (like
> Spock using his scanners on a planet far below) so that its internal
> software may be examined and manipulated?

Alluding to the above, if you are connected to the Internet without a
router doing NAT you're exposed. This protects you from the equivalent
of folks walking down the street ringing doorbells and seeing which
doors are not locked and people not home. The lock is being behind NAT
and/or having a fully patched system with no known exploits. But the
later is hard as the people looking for exploits to do bad do not
advertise them when they find them.

If you surf you may be exposed. The only way to stop this is to
disable java, activex, javascript, etc ... Which in todays web, makes
for a very restricted experience.

>> and then using publicly available code

> Who wrote such code?

Kids who were having fun seeing what they could do at first. But now
mostly thieves or folks paid by thieves to find such things. To be
blunt, they do it because there's money to be made and they don't have
a problem stealing for gain.

> Lastly, why do such vulnerabilities exist in the first place? I keep
> reading how the present Windows operating system is old; shouldn't all
> the necessary fixes be developed by now?

Modern OS's have 10s of millions of lines of code. People buy
features. They don't buy future security problems. All those systems
designed with security as the first gaol fell on the junk heap of
computing past and continue to do so. Well except for some very
special cases where market share and cost doesn't mater. But even the
NSA finds it cheaper to build totally isolated rooms, and I mean
totally, to run software on insecure systems than try and develop
custom things that are secure from the ground up. And they will likely
have holes also, just not as many. Maybe.

But the basic issue with Windows (and all OS's after a while) is that
it has to support old ancient programs plus new stuff and the code
base is a mess. You don't really fix code like this. You do you best
to apply what can be charitably called a permanent band aid. Been
there. Done that. Got the pay stubs. (Not for windows but this is an
issue that will not go away.)

> How much does it cost for companies to keep applying these patches
> every week?

LOT. Keeps me employed. Well not totally but is a PITA for me and I
mostly admin macs. But have to deal with enough windows systems that it
takes way too much time to deal with them. The windows systems that I
support are for very specialized systems and the people running them
have specific rules about what they can and cannot do.

What people do not realize is that an off the shelf Windows or Mac
system with MS Office, Email, web surfing, iTunes, etc... is a more
complicated system that their car or even the Apollo moon shots. It's
very hard to touch one piece in isolation. And folks will argue that
if design "right" this could all be avoided. To some degree they are
correct. But it will never be perfect, even when folks try
hard. Things are just too complicated for our minds or even our
management structures to control it all.

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: David Thomas: "A Cell Phone For 86,000 Dollars!"
Go to Previous message: Anthony Bellanga: "Re: NYC Pennsylvania Station Pay Phone Usage"
May be in reply to: Paul F. Roberts: "Spammers Jump on Latest MS Hole"
Next in thread: Gordon Burditt: "Re: Spammers Jump on Latest MS Hole"
TELECOM Digest: Home Page