Celebrity spam gang whips up a storm

"Marshal recommends PC users do not open executable files"

Perhaps stronger measures than recommendations are needed.

"Do not open executable files." Slap!

"Ow!"

"Do not open executable files." Slap!

"Ow!"

"Do not open executable files." Slap!

"Ow!"

"Do not open executable files." Slap!

"Ow!"

"Do not open executable files." Slap!

"Ow!"

"Do not open executable files." Slap!

"Ow!"

ignorance is bliss

Stupidity and naivity are certainly both drivers here but more importantly, your average user is totally unaware of the problem.

Nobody wants a compromised PC and almost everyone would take the appropriate steps if they know about it - but it's pretty near impossible to get the simple answers required from the literature of the "security" software vendors.

Here's a simple question from a typical user:

"I am running AVG anti virus and Zonealarms - both up to date - is there any way that my PC could be comrpomised and actively pumping spam without my knowledge?"

Answers on a postcard please....

Erm....

"Anybody with the privilege to run infected software on unprotected machines deserves to have their Internet cut to protect the Internet and the more responsible users of it."

When you install Windows XP, you're automagically given the status of Computer Administrator. It might seem trivial to us IT types to go and swap the account type, but to someone who's just about capable of sending a few emails, using the basics of Word and Excel, surfing the web for pr0n and watching funny videos on youtube/facebook etc (ie the vast vast majority of Windows users) it's above their level of understanding.

The problem is that when they click a dodgy link to an infected site, they don't realise that they're installing stuff. This is one thing that Vista addressed with the UAC prompts... And everyone complained that it was intrusive and turned it off (although how this is different from having to enter your su password with sudo in Linux I don't know)

It's very simple for people like us who deal with IT and these issues on a weekly/daily/hourly basis to say "Don't click this, don't press that and for God's sake don't type this" but for your average homeuser who has AVG and ZoneAlarm installed and still can't work out why their computer's grinding to a halt it's no good.

We need education - and this needs to stem from both the classrooms (I've worked in a school as IT Support and when the IT Teachers can't figure out to plug the USB printer back in to get it to work there's obviously issues) and from industry (get all your staff who use the internet on SOME sort of IT Training course)

Perhaps el Reg or someone could do a beginners guide to protecting your PC that we can forward to all our family and friends and maybe claw back some of our evenings and weekends. Something in the vein of Idiots Guide or something... I would - but I'm not a technical writer with a sense of humour ;-)

(And yeah, I know Ubuntu is *almost* ready for the average home user... *almost* but it's not quite there yet... And I just take offence at Macs for personal and historic reasons... ;-))

Too good to be true?

You'd think that being sent nude pictures of your favorite celebrity by "John_ax323dz@ups.net" would be enough to make people go "Hmm, do I know this John person? No? Why are they sending me pr0n? I think I'll not open this message." Especially since the subject lines are all "F/R/E/E P_R0_/\/!!!!!", I mean, it's been a bit since I was fluent in aol speak, and maybe they talk like that now... but really..? The big thing is emails from trusted sources. Like when your friend gets his inbox haxx0red and spams his contact list.

That being said, I've got 3 email accounts I use daily, 1 work and 2 personal. I get almost -no- spam. Gmails blockers are kick ass, and what ever my work uses works really well. The only spam that slips through gmail is the very rare weak ass phish from Bank of America where it is like:

"Dear Customer, please visit the address below and enter your username and password: http://123.35.121.41/somejibberish.php"

where they don't even bother to spoof the address.

Time to change? No more executables in email?

Perhaps it's time for email to return to boring old plain HTML with no executable content or better still, we could return to rich text with nothing executable. In the chase to make things easier for users we have instead swapped ease of use for ease of abuse.

Instead of fighting a losing battle to prevent this crap from coming in through email, lets simply cut them off. The same thing goes for all that whizz bang interactive crap on the net. We haven't in fact made anything easier to actually use, all we have done is made it easier for advertisers and black hats alike to push stuff we haven't requested on to our screens and hard discs.

Not Exactly

"Please tell me you don't really think that idiots running Linux are in less danger of being compromised than idiots running Windows."

I'd have thought that people who are smart enough to install an OS (be it Windows or Linux) would be smart enough to not do stupid things.

Then again the smartest people tend to have the least common sense.

Simple enough solutions

To solve the problem of dialers, what would be needed is for modems to be designed so that you have to dial out manually to connect your computer. To solve the problem of worms, browsers shouldn't be able to write files with execute permissions - to give a file execute permissions, you have to go into the Control Panel and do something like "activate application". That would work.

What makes you think they clicked?

Doesn't Outlook Express still default to having the preview pane, which, essentially, "auto-clicks" on whatever message is on top when you launch it?

And before everybody says "Well, don't run OE", take a deep breath and consider the poor sod who, y'know, has to work for a living, in one of the (vast majority of) offices that use Exchange for everything and whose boss is always "pushing the envelope" in ways that make only bug-for-bug compatible with Outlook usable at all.

Protecting users

A good many XP home users don't know that they have an admin account - or even that one exists.

They certainly wouldn't cope well with having a different log in to install stuff from.

Added to that, there is some pretty badly written software that will only add itself to the start menu of the current user, so it's no good installing it from an admin account. Then, the fact that most users don't want to do anything to their computers whatsoever, and the machines are actually sold as commodity items, alongside the vacuum cleaners, why would they take any notice of computer security tricks..

And also there's stuff that only runs from an admin account anyway.

Personally I fond it hard to believe that the multimillion $$ industry can't find ways to track down the spammers and deal with them and their lousy customers.

Ignorance is bliss

Any half-decent botnet software is going to be largely transparent to the infected machine. The only obvious symptoms are the large amounts of email being sent out, and since the average home user doesn't monitor their own network traffic, they won't be any the wiser. Equally, since the infection doesn't actually cause any trouble, the average home user probably has no incentive to become any wiser.

The ISP, on the other hand, probably does have the know-how and the infrastructure to perform such monitoring. It also pays the cost (in network congestion) so it has the incentive. Any legal or privacy concerns could be disposed of in the service contract, and there could be an option for "power users" (Ooh, yes, flatter me some more.) to dispense with the filtering. It could even be sold to non-power users as a "we keep you safe" feature. So why isn't this more common?

@Mike

Isn't that, you know, illegal? And what makes you so smug when you are essentally lowering yourself to the level of a malware pusher?

Destroying some poor familys home computer because some 12 year old dosn't understand email is a bit harsh.

And to all those "people who arn't security experts are morons" grow up. I know a few really smart people who only know what they have to on computers and do important jobs like saving lives.

I agree with the ISP monortering. If they can send me an email saying I have used 95% of my d/loads for the month why can't they tell me I have send 1000 emails in the last hour.

people are morons

i had a friend who worked at APACS - the british credit/debit card security type firm. They would always be sending out stuff saying "dont give out your phone number/date of birth etc on social networking sites" but still send me "look at this its r3lly funneee" type emails with powerpoints, word docs etc in there. No matter how many times I explained about 0-day exploits, it seemed they'd just open files from friends because it had "scanned by blammo-virus scanner and found safe" at the bottom of the mail.

what does this say? the average worker is so bored they couldn't care less about security over taking their mind off the crappy work they have to do. I'd sack anybody who do that....