August 24, 2003

Initial Worm Injection - A creative approach

Ever wonder just how a worm begins propagating? Somewhere, somehow it starts with a single click.

The Washington Post ran an article showing how the latest strain of the SoBig virus was launched on a porn newsgroup. Quite an effective attack vector if you ask me. One of the reasons I stay away from newsgroups is the insane cess-pool that has grown as the Internet has commercialized. With so many lonely admins clicking feverously on every post to see the next great pr0n shot, no wonder it propagated like mad.

Lesson to be learned? (besides the fact you shouldn't be visiting such cess-pools!) Never open an untrusted attachment without first realizing the implications, have it scanned, and run your environment with least privileges. Actually, you should always do that anyways.

Trust, but Verify

Posted by SilverStr at August 24, 2003 08:39 AM
Comments

I love porn as much as the next guy, but I sure as hell wouldn't surf it from something like outlook, which will happily execute whatever the hell it comes across. Pan (pan.rebelbase.com) is a linux newsreader and possibly the best newsreader I've used. Agent (forteinc.com) is good, and I assume that it works in the same way, happily showing say, image files, but prompting to save/execute non-image files (ie: rars/pars, etc).

Userfriendly has a great thread on people clicking on executables :)

Posted by: Arcterex at August 25, 2003 09:26 AM

Agent doesn't display anything unless you specifically ask it to. When you want to view/execute any attachment it has you answer a second confirmation before passing it along.

Posted by: Bear at August 26, 2003 04:55 PM