Friday, November 17, 2006
What happens when bad software gets on your computer?
Have you ever seen the movie "Risky Business"? Bad software invites its friends over, starts illegal businesses in your computer, and generally makes your life miserable.
Let's take a look at a particular piece of malware, one that's in the news because it's responsible for the recent sudden upsurge in spam. As usual everyone's given it a different name, but the most common is "Spamthru".
It all starts when you run software from a source you don't know and trust. Maybe it's just a small program that goes out on the Internet to download and run the latest, freshest copy of a large program that does bad things, in this case Spamthru.
Spamthru changes your Windows setup to ensure that it runs on startup. It uses several ways of doing that, including one or two that I'd never heard of.
Then it installs and runs an antivirus program. "What?!", you say. It's like the bread mold that secretes penicillin to kill off its competitors. Spamthru is trying to make sure it doesn't get slowed down by all the other malicious software on your Windows machine.
Some malware tries to shut down your own antivirus software or at least make it impossible for you to update it. Spamthru does the latter.
Then it listens for orders from the humans who control it. The whole point of this was to take control of your computer. In the old days (like a year or two ago), a program like Spamthru would log in to a chat room and wait for its human master to type in commands. Spamthru instead uses a clever distributed command and control system that will keep on working even if law enforcement or responsible ISPs shut down a server or two.
The orders it can understand and obey include "update yourself", and the big ones: "get a template for a spam message and a list of victims" and "send out spam". That's where they make their money. The criminals who caused this whole problem rent out use of the 70,000 personal computers they control to spammers. It does a hideously good job. It adds random elements to the spam to confuse spam filters. It sends the meat of the spam as a picture, which is hard for filters to read, and it randomizes the size of the picture and adds a few random dots to it so that filters can't just learn to block a particular image.
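To see why "just block that picture" fails against this trick, here is an added example (not from the post or from Joe Stewart's analysis): a constructed toy greyscale image is randomly resized and sprinkled with dots the way the post describes, and then fingerprinted two ways. A byte-exact hash never matches again, while a perceptual "average hash" stays within a few bits of the original, which is the kind of fingerprint a spam filter needs here. The image, the resizing model and the dot count are all assumptions made for the demo.

```python
import hashlib
import random

# Constructed sample input: a 32x32 greyscale "spam image" (0 = black, 255 = white)
# with a dark block of text-like pixels on a white background. Values are made up.
def make_base_image(w=32, h=32):
    return [[0 if 8 <= x < 24 and 12 <= y < 20 else 255 for x in range(w)] for y in range(h)]

def exact_hash(img):
    """Byte-exact fingerprint, the kind of signature a naive image blocklist stores."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, size=8):
    """Perceptual 'aHash': shrink to size x size by block averaging, then set one bit
    per cell for brighter-than-mean. Small edits move only a few of the 64 bits."""
    h, w = len(img), len(img[0])
    cells = []
    for cy in range(size):
        for cx in range(size):
            y0, y1 = cy * h // size, (cy + 1) * h // size
            x0, x1 = cx * w // size, (cx + 1) * w // size
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def randomize_like_spamthru(img, rng):
    """Model of the evasion the post describes (constructed, not the malware's code):
    nearest-neighbour resize to a random larger size, then a few random dark dots."""
    h, w = len(img), len(img[0])
    nh, nw = h + rng.randint(1, 16), w + rng.randint(1, 16)
    out = [[img[y * h // nh][x * w // nw] for x in range(nw)] for y in range(nh)]
    for _ in range(3):
        out[rng.randrange(nh)][rng.randrange(nw)] = 0
    return out

def compare(seed=1):
    """Does an exact signature still match the randomized copy? Does aHash?"""
    rng = random.Random(seed)
    base, variant = make_base_image(), randomize_like_spamthru(make_base_image(), rng)
    return {"exact_match": exact_hash(base) == exact_hash(variant),
            "ahash_distance": hamming(average_hash(base), average_hash(variant))}

if __name__ == "__main__":
    print(compare())
```

Real filters use a proper area-averaging resize and a tuned distance threshold; the toy nearest-neighbour scaling here only flips bits along the block's edges.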
Do you still want to take a chance on installing software from random strangers?
Joe Stewart's technical analysis of Spamthru