Trick or trojan - watch out for Halloween malware

Surfers are warned to be wary this Halloween of malicious spam messages playing on Wednesday's horror-themed holiday. A run of Halloween-themed spam invites would-be marks to visit a site and download a "dancing skeleton", a malicious package that falsely claims to create a novelty dancing skeleton on users' desktops. In …

COMMENTS

This topic is closed for new posts.
  1. Matthew Anderson
    Flame

    sigh

    Are we going to have a report on every single holiday and disaster storm worm variant?

    So, they have the ability to create as many variants as possible, harvest people's emails from the computers they infect and then re-spam a new variant as many times as they like. Boooring....

    So, let's see.... Google list of up and coming holidays, sports events and the like, print them all on here, and standardize an article to go with each and every one. Easy reporting!

  2. A J Stiles
    Flame

    Time we fixed them for good

    If people are *still* being stupid enough to run random programs without getting a competent programmer whom they trust to inspect the Source Code first, then they *still* deserve everything they get.

    I say it's about time we put a stop to their stupidity once and for all, by writing a trojan of our own -- one that simply wipes everything off their hard disk (zeroing it out would be even better) and then brings up a screen telling them it serves them right for running untrusted programs.

  3. Richard Rae
    Black Helicopters

    If you are dumb enough ...

    .... to open it, you deserve to be infected.

    this is not a new tactic!!!

  4. Ross
    Flame

    @A J Stiles

    [...without getting a competent programmer whom they trust to inspect the Source Code first...]

    Really, so you sign an NDA for every piece of software you run then either inspect it yourself or have a friend/contractor do it for you? I thought *I* was elitist, but that just takes the biscuit and all the crumbs left in the bottom of the tin too.

    People should certainly be careful what they run and preferably do it sans admin privileges, but the whole "check the source code first" argument is retarded. Masses of software doesn't come with source code, and if you thought checking source was hard enough try working through a few MBs of disassembly. If you're really looking for a challenge try it with gdb - AT&T syntax is an abomination unto the Lord.

  5. Robert Moore
    Thumb Up

    @Matthew Anderson

    "Are we going to have a report on every single holiday and disaster storm worm variant?"

    Yes, yes... A million times yes!

    Thanks to this, I have had the chance to send a warning to several non computer savvy friends and family members.

    Thanks to the Reg.

    Keep it up.

  6. Anonymous Coward
    Anonymous Coward

    Re: getting a competent programmer whom they trust to inspect the Source Code

    You've carried out a code review on every single piece of software ever installed on your machine?

    Let's face it, most Linux apps are accepted largely on faith, games are totally closed. Perhaps the safest is the Linux kernel, but if you've gone for a patched variant from a distro.....

  7. anarchic-teapot
    Flame

    @the duty Rambos

    They deserve to be infected, do they? Even your granny, who uses a computer for the email because the grandkids are halfway across the world?

    Yes, yes all very well, but if somebody else gets infected it's still your problem because of all the crap the zombots spew out: it's *your* email that gets spammed, and *your* DNS/website/whatever that gets DDOSed.

    So get off your high horses and get involved.

  8. Anonymous Coward
    Anonymous Coward

    Use the source

    Ref A J Stiles

    The code is executed via an exploit, not intentionally. Even if it was executed intentionally, this "check the source" concept is a ridiculous, elitist ideology. I love the way that you have these people who can, with some of this magical "checking", understand all the weaknesses in the application, its libraries, the OS on which it runs, and so on.

    Think of the time savings! No more long product cycles. Months of coding, research, testing, beta testing, etc, all shortcut by one person doing some "checking" in a few minutes! If these Legendary Codemeister Boffins are not too busy watching dancing skeletons, can they please get in touch with me as I'd like to hire them.

    I would prefer to see some kind of ISP-led course, which instructs users on the dos and don'ts of the Net, with perhaps a modest discount for those completing it successfully. People have blind faith in computers, hence the success of ad campaigns such as TVL's, DVLA's, Benefits Office "The Computer Knows" and the parody "Computer Says No" syndrome. Until we can break that perception I don't think people will stop clicking on unsolicited links.

    Checking one's Net behaviour, not the source code, is the key.

  9. Mark Finn

    @ Ross

    One can't help suspecting the point may have flown just above your head there...

    The only thing worse than failing to check code (or at least checking out what those who did check it found) is running systems and programs that don't make it possible to do so.

    (Icons Suck. Sorry guys. Waste of code).

  10. A J Stiles
    Heart

    @Ross

    No, I don't and won't sign NDAs. And if I ever *did* sign one and then discover something shocking enough that it would be better for all concerned for it to be revealed, I would not hesitate to tell all.

    I simply make a point of not using software unless the Source Code is made available for inspection. It's really not that hard! *Everyone* has a *right* to the Source Code for every piece of software running on *their* computer.

    Masses of software *does* come with Source Code -- enough for all the common tasks server-side and client-side, anyway.

  11. Ross

    Open Source freaks

    [I simply make a point of not using software unless the Source Code is made available for inspection]

    I would *love* to know which graphics card you use and which drivers you have installed :o)

    Oh, and where I might find the source code...

  12. Anonymous Coward
    Anonymous Coward

    @A J Stiles

    >I simply make a point of not using software unless the Source Code is made available for inspection.

    But do you inspect it?

    If not, why is it any better than the source not being there?

    Really, you should buy software that's described, with legal force, as "fit for purpose" but of course no-one would ever make such an outlandish claim.

    It'd be almost as mad as putting a warranty on a car!

  13. Sebastien Mongrain
    Stop

    there is no such right

    as a right to source code. It lives only in the utopian universe of open sourcers. It is also ridiculous to think that anyone in his right mind would have time to audit every line of code running on his computer. There are millions of lines of code running in there. Not to mention that a very small fraction of the computer-using population can read source code. And then even many programmers aren't working on low-level programming, and wouldn't know/understand the intricacies of low-level/optimised code. I know I wouldn't.

  14. Dana W
    Jobs Halo

    Just no.

    Friends don't let friends run Windows!

    But seriously, this is why I've gotten all the stupid people I can convince OFF Windows.

    Sure a competent person can keep a Windows install clean of such, but they are not the problem. Ignorant "click on anything" twits are. And that is the major Windows fanbase.

  15. Anonymous Coward
    Flame

    @Mark Finn & A J Stiles

    It's arrogant, holier-than-thou pricks like you guys that prevent me from running Linux. Not because it's technically impossible (though I couldn't replace all my work as I work in the game industry) but because the user community is absolutely insufferable.

    At least born again Christians compensate for their "do as I do" attitude by being helpful when you join up, instead of lambasting the sinner for not already knowing the bible.

    I'm using the icon just to waste code. Pbbbbblt.

  16. lucmars

    Source code, but what about the binary?

    Having a look at the source code would be a good thing in principle; nonetheless, if one could trust the code of a given app, can one trust its binary? In principle one should compile the source code and never rely upon the binary.

  17. Gordon Fecyk
    Stop

    *sigh* whatever, stopped like, what, four years before the fact?

    What more can I really say about this?

    Running Windows: Not stupid.

    Running Windows as non-Admin while surfing the web: Not stupid.

    Running Windows as Admin while surfing the web: Stupid.

  18. David

    You're all forgetting

    That it's not hard to trojan the bloody compiler to insert malicious code into your open source software. Don't get me wrong, I dislike M$ as much as the rest of most of you, but it's just proof that you can't trust code you did not write entirely by yourself. You want to trust your computer absolutely? Write your own damned operating system from the ground up.

  19. Anonymous Coward
    Flame

    "Don't use Windoze, or you deserve it LOLZ OMFG!!11!!Eleventy

    <put your nomex suits on everyone>

    "Friends don't let friends run Windows!

    But seriously, this is why I've gotten all the stupid people I can convince OFF Windows.

    Sure a competent person can keep a Windows install clean of such, but they are not the problem. Ignorant "click on anything" twits are. And that is the major Windows fanbase."

    Hmm. Nice idea, but some of us actually have to work with Windows professionally, and have users who have all the IQ and common sense of a lemon.

    I say this having a job that would make most 'IT engineers' weep - 500+ devices, 1500+ users, educational establishment [IE full of non-IT savvy staff and loadsa wannabe hackers trying to kill your DCs every day] and only three of us to run the whole lot.

    Hence little reminders like this to send an "all staff" email to the site to NOT open random attachments with a link to a story like this, are really rather nice.

    Cheers El Reg.

    Pint for you next time you are in Islington.

    Yours,

    One seriously under-paid, massively overworked, hugely-pissed-off-with-people-who-have-never-had-a-real-job-in-IT engineer.

    </put your nomex suits on everyone>

    Rob Moore is the only one not talking utter bollocks here IMHO.

  20. Ted Treen

    @Anonymous

    "I say this having a job that would make most 'IT engineers' weep - 500+ devices, 1500+ users, educational establishment [IE full of non-IT savvy staff and loadsa wannabe hackers trying to kill your DCs every day] and only three of us to run the whole lot."

    Brother Anonymous, my heart weeps for you - and no, I'm not taking the p. I was a techie support rep for Burroughs (remember them?) 25+ yrs ago, and I must have been one of the first to use the term "Liveware error" in my call reports. When I was occasionally berated for not making an installation totally idiot-proof, I had to remind my boss of just how inventive and imaginative idiots could be. Still, in those days we didn't have hackers to contend with - unless you count the inevitable director's 14yr old offspring, who thought he was a computer genius because he'd played with a TRS-80 or Commodore PET at school...

    Hell, I almost miss the days of wood-burning, steam powered computers when 128K RAM was just showing off...

  21. A J Stiles

    @David

    Yes, it's possible to trojan the compiler so that the binary it spits out does not do exactly what the source code says it should do. But all you have to do to defeat that, is write a partial interpreter in assembler, that can deal with just enough of the language to run the compiler interpretatively. This is excruciatingly slow, but only needs to be done once. When you've compiled a "clean" compiler, you can be sure that the rest of your OS is clean. You still can't really be sure that the silicon isn't trojanned, though .....

    For the smart-arse who asked about graphics cards, I'm running an nVidia card with the Open Source "nv" driver, whose Source Code can be found in the X.org distribution. I know, no 3D acceleration, yeah, whatever. I don't care. For one thing, I've only got a 2D monitor; and for another, I'll choose slow code over untrustworthy code any day.
