Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Today’s "You’re an IDIOT" award goes to…

January 31st 2006 in Uncategorized

Anybody who embedded Robin Schuil’s graphic into their blogs.


Info about the graphic:
http://news.com.com/2061-10789_3-6031795.html


<Cue Rick Springfield singing “Don’t talk to strangers….”> No!! No Springsteen!! Springfield!!


Seriously people… think about this… how hard would it be to replace an innocuous animated GIF with… say, a WMF exploit???


Have a look at the spread of this allegedly innocent prank:
http://www.moox.nl/blogworm/


For heavens sake people WAKE UP TO YOURSELVES!!!!


I don’t know Robin Schuil… I’ve never met Robin Schuil…. therefore I don’t trust Robin Schuil.  You should not trust Robin Schuil.


Let me ask you something… what is the NUMBER ONE reason that viruses and malware spread so easily? Why are so many people infected with crap via email or freeware?  (Fair warning – the first person to blame Windows will be hit over the head with my freshly charged flamethrower).


I’ll tell you the answer – trust combined with naivety (aka Social Engineering). It simply doesn’t occur to us that some complete stranger who is offering something that *looks* fun or funny could possibly have an ulterior motive.


“Ah, but it’s a GIF, not a WMF” I hear you say…. well, check this out from the Security Bulletin for the WMF exploit:


“The only image format that is affected is the Windows Metafile (WMF) format. It is possible, however, that an attacker could rename the file name extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphics Rendering Engine would detect and render the file as a WMF image, which could allow exploitation.”


Ok, so I’m not saying that Robin Schuil is a bad person; I’m not saying that this particular case is an attempt to infect the world by stealth.


What I *AM* saying is that we have to grow up – social engineering is how the bad guys spread.  Trust is how the bad guys spread.  Did *anybody* who added this script to their Blogs ask themselves what they know about Robin? Did any of them ask what would happen if virus.gif was replaced with virus.wmf?  Don’t fool yourself into thinking that renaming a WMF file as GIF will stop an exploit from working…. MIME handling enforcement wasn’t introduced until XP SP2:
http://www.microsoft.com/windows/IE/community/columns/improvements.mspx
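As an added example (not code from the original post), here is a small Python check a blog owner could run over an image before hosting it locally: it sniffs the leading bytes and flags a file whose real format does not match its extension, such as a WMF renamed to .gif. The WMF signatures are the placeable-metafile key and the standard METAHEADER fields; the file names and sample bytes are constructed for the demonstration.

```python
import struct
from typing import Optional, Tuple

# Leading "magic" bytes for the formats the post talks about. The WMF entries
# are the placeable-metafile key (0x9AC6CDD7, little-endian) followed by the
# four combinations of the standard METAHEADER: type (1 = memory, 2 = disk),
# header size 9, version 0x0100 or 0x0300.
SIGNATURES = {
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "wmf": [struct.pack("<I", 0x9AC6CDD7)]
           + [bytes([t, 0, 9, 0, 0, v]) for t in (1, 2) for v in (1, 3)],
}


def sniff_format(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def check_image(filename: str, data: bytes) -> Tuple[str, Optional[str]]:
    """Compare the extension a file claims with the format its bytes show.

    Returns (verdict, sniffed) where verdict is "ok", "mismatch" or "unknown".
    A renamed WMF comes back as ("mismatch", "wmf") instead of being trusted.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "jpeg":
        ext = "jpg"
    sniffed = sniff_format(data)
    if sniffed is None:
        return "unknown", None
    return ("ok" if sniffed == ext else "mismatch"), sniffed


# Constructed sample inputs: a minimal GIF header, a placeable-WMF header that
# has been renamed to .gif (the scenario in the post), and unrecognised bytes.
SAMPLES = {
    "virus.gif": b"GIF89a" + b"\x01\x00\x01\x00",
    "renamed.gif": struct.pack("<I", 0x9AC6CDD7) + b"\x00" * 18,
    "mystery.gif": b"\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_image(name, blob))
```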


What do you think will happen *when* (not IF) a bad guy follows Robin’s lead and uses the same innocent “this is fun” trick to convince people to help spread malware or crapware?


Edit: Something else occurs to me.  When I last checked Robin was publishing links to pages that have added a blogworm; any one of those sites could take the opportunity to use the gif as a lure and embed a security exploit on their page.


9 comments to “Today’s "You’re an IDIOT" award goes to…”

Psyne

I couldn’t agree more that people need to think about who they trust, which is why I posted a locally hosted copy of the image file. I still think it is a cute example of how social engineering works. Specifically someone convinces you to do something otherwise innocuous that has far reaching circumstances. Though I think calling people idiots for posting the image is a little harsh, but we do need to have a wake up call regarding trust.



Richard Dudley

Already happened, sort of. A year or two ago, a trojan was embedded in malformed JPGs, usually in a less-than-clothed variety of photo. I think these are still running around out there.



spoopryme

“I don’t know Robin Schuil… I’ve never met Robin Schuil…. therefore I don’t trust Robin Schuil. You should not trust Robin Schuil.”

I’m not too happy with your comment on Blog.Worm. It’s just a fun viral marketing stunt with no commercial or malicious purposes.
Before you start using my name in negative context you should have given me a fair chance to comment on it.

Therefore I’d like to nominate you for the next “You’re an IDIOT” award just because you are.

Best regards,

Robin Schuil”

Did you not read the article? How can you say “It’s just a fun viral marketing stunt with no commercial or malicious purposes.” when you are given an example of just how it could be used as a malicious tool?



sandi

“Oh one more thing: whenever you are in the Netherlands please ping me so you have the opportunity to meet me 😉 After that you might trust me and you might even decide to get your blog infected *grin* 🙂 ”

I’ll make a point of it :o)



bradley

January 26th, Cnet has an article about a “new blog worm”

January 27th, blog.worm@gmail.com posts to bugtraq@securityfocus.com the article from cnet about a “new blog worm”.

January 31st Sandi posts this post about the danger of “follow the leader”.

January 31, Mr. Schuil posts on this blog and states that he is not too happy about Sandi’s comment about his stunt.

Today, February 5th, blog.worm@gmail.com emails me and asks me as the “Blog contact person” to ask Sandi to remove the comments from the blog. He indicates that he is not pleased that the first google on his name leads to a site where his name is mentioned in “quite a negative context”.

In tracking back to Mr. Schuil’s own blog, he links to the Blue Ribbon campaign for “Free Speech online and Stop Internet Censorship”.

Mr. Schuil, I quite agree with that Blue Ribbon Campaign.

I’ve been starting to read the book “Naked Conversations” and it’s an interesting read. Blogs are the next phase of the Cluetrain Manifesto and these days a company, a person, cannot control the message.

Just as you, Mr. Schuil indicate your strong belief in Free Speech online and not censoring the Internet, so do I.

Each blogger on this site at http://www.msmvps.com is solely responsible for their content. I do not edit or control it at all. I only facilitate the sharing of the blog space is all.

I only ask two things:

1. No NDA content.
2. Family friendly (ensure your posts will make it past spam filters and edit swear words that might come up when discussing technology such that they are readable by the masses and blacklisted)

I join you Mr. Schuil in your quest for non censorship of the Internet. Keep up the good work on that front and so will Sandi.



Alun Jones

I think Mr Schuil needs to remember that he has, indeed, not earned Sandi’s trust, so Sandi is right to not trust him. That doesn’t mean that Sandi is saying he’s known to be untrustworthy, but that she is saying he’s not (yet?) known to be trustworthy.
It’s a subtle point.



Robin

I’m happy to see that there are many people around the Internet that do enjoy the worm that was intended solely for fun. It disappoints me that the discussion here is going a whole different direction than what was intended by me or Sandi (right?). I’ve probably played quite a part in that, however, I don’t see why everybody seems so upset in the first place here.

The problem being addressed (“Follow the leader”) is also the case with many, many, many other graphics around the Internet. See the Bloglines, My Yahoo, Google buttons (and what to think about the recent “Ad Free Blog” button) that are constantly being hotlinked. IF such a server would get hacked and the image be replaced it would have much greater impact than this worm that is widespread for a funny gif, but doesn’t reach most of the Internet users. Even linking to an external site is dangerous, because the vulnerability could be exploited in a similar way.

It’s great to be aware of these dangers. Everyone should. But it’s much more important to teach people what exactly is the threat. It’s a bug in Microsoft Windows that is causing the problems. People should be taught to patch their systems as soon as there is a patch available.

The Internet is a place where people read and share information and fun stuff. Whether it is a news article, a blog worm or a photo of a sexy lady, people want to share it and one of the ways to do that is through their blogs. People want to enjoy the Internet, and one of the things some people seemed to enjoy was the worm.

For me it was just a fun experiment to see how well-connected the blogosphere is and how fast something this simple would be picked up. It was created within half an hour using only MS Paint, Notepad and MS Gif animator, the most basic tools I could think of.

The climax had to come with Valentine’s Day, but now that there is this whole thing about security and threat going on I don’t think I’ll be enjoying this experiment much longer.

The worm will cease activities within a few days.

Everybody can sleep well again 🙂



sandi

“It disappoints me that the discussion here is going a whole different direction than what was intended by me or Sandi (right?).”

The discussion on this blog is what I’d hope to see – a discussion about the topic of my blog entry – trust on the internet and social engineering.

“The problem being addressed (“Follow the leader”) is also the case with many, many, many other graphics around the Internet. See the Bloglines, My Yahoo, Google buttons (and what to think about the recent “Ad Free Blog” button) that are constantly being hotlinked. IF such a server would get hacked and the image be replaced it would have much greater impact than this worm that is widespread for a funny gif, but doesn’t reach most of the Internet users. Even linking to an external site is dangerous, because the vulnerability could be exploited in a similar way”

None of the sites you mentioned use a “follow the leader” tactic that is remotely similar to blog.worm. In your case we have a complete stranger, a person, (not a large, well known company) saying “embed my graphic in your blog”, chatting to CNet and even spamming Bugtraq to get attention. It’s the social engineering, the “do this because it’s fun”, the jump-off-a-cliff lemming behaviour that doesn’t consider what the risk may be.

Robin Schuil has been (except for one blog post) very polite. He may prove to be trustworthy, and may have no motive apart from a bit of fun, some notoriety and a hope to earn some dosh from selling a t-shirt or two, but what about the next person who tries the same thing? Or the person after that? What happens when some l33t script kiddy decides to impress his mates by seeing how many people he can infect with a security exploit by using bait ‘n’ switch?

“It’s great to be aware of these dangers. Everyone should. But it’s much more important to teach people what exactly is the threat. It’s a bug in Microsoft Windows that is causing the problems. People should be taught to patch their systems as soon as there is a patch available.”

In the current environment of non-responsible disclosure and zero day exploits, PATCHING IS NOT ENOUGH. We have to emphasise safe behaviour. There will always be undetectable viruses, rootkits, unpatched vulnerabilities. The only true protection is safe hex.

“For me it was just a fun experiment to see how well-connected the blogosphere is and how fast something this simple would be picked up. It was created within half an hour using only MS Paint, Notepad and MS Gif animator, the most basic tools I could think of.”

Your experiment about blogosphere connectivity was corrupted when you posted to bugtraq.

In conclusion, let me repeat what I said in my original column:

What is the NUMBER ONE reason that viruses and malware spread so easily? Why are so many people infected with crap via email or freeware? (Fair warning – the first person to blame Windows will be hit over the head with my freshly charged flamethrower).

I’ll tell you the answer – trust combined with naivety (aka Social Engineering). It simply doesn’t occur to us that some complete stranger who is offering something that *looks* fun or funny could possibly have an ulterior motive.



sandi

Robin has emailed me to tell me that he was not interviewed by CNet per se; he tells me they emailed and asked for his permission to host his graphic. He also tells me that the message to bugtraq was sent by an associate, not him.

Robin has been unfailingly polite in his emails to me. I am very impressed by his conduct in private.

Some important lessons have been learned here… first, publicity is a two edged sword – the bad must be taken with the good. Second, there can be unintended consequences to what seems fun.

Robin has asked me to remove his first two comments, which I’ll do if he confirms his request.

