Re: Spammers Jump on Latest MS Hole

Paul F. Roberts wrote:

>> Some of those fears were confirmed when reports surfaced, just days
>> after the Aug. 8 patch release, that computers infected with malicious
>> IRC 'bot' programs.
>
> Some questions about today's technology:
>
> What is a "bot" program, as opposed to other kinds of computer
> programs?

It is a slang term for a program that runs in the background and takes "orders" from somewhere else on the Internet. Short for robot. If you have one, someone else controls your computer. Typically they let you think you still have control and just use it to do their dirty work without (they hope) you knowing what's going on. Like someone taking your car each night from 1 am to 4 am to deliver drugs.

> What allows and causes a foreign unauthorized program to start
> execution on a computer where it doesn't belong? In other words, who
> presses the start button on a supposedly personal computer to run
> sabotage? I don't understand how some external person can gain
> control of my computer, as if my neighbor could drive my automobile
> from his kitchen window.

Your neighbor CAN get your keyless entry code from his kitchen window with the right radio scanner widgets and then install things at night that might cause your car to do all sorts of things.

Three main ways.

  1. You are on the Internet without a router, or with one but not behind a NAT setup, which means you are exposed to the outside world. There are a large number of computers probing EVERY address possible on the Internet to see if you respond. In a perfect world your computer would ignore these probes. But due to bugs in the various operating systems it is possible to find a bug that allows data sent in the probe to overwrite part of the OS, and when that section of the OS is used the injected code takes over. Typically at this point it is a very small program that calls home and downloads a larger program, hides it on your disk, sets things up to run at startup, then idles in the background waiting for "orders". And it does all of this in a way such that you don't notice it happening.

  2. You visit a web site or read an email that does basically the same as #1 but is based on bugs in your Internet browsing software. The web site (or ad on the web site) or email contains HTML code that exploits a bug and allows code to be inserted into your system.

  3. Social engineering is where a pop up or email says click here and you WIN, GET, etc ... a million, prize, etc... and what you are clicking is a program (often disguised as a graphic) which installs a BOT on your computer.

>> were scanning the Internet for Windows systems that had the
>> MS06-040 vulnerability
>
> What allows a private computer to be scanned by external means (like
> Spock using his scanners on a planet far below) so that its internal
> software may be examined and manipulated?

Alluding to the above, if you are connected to the Internet without a router doing NAT you're exposed. This protects you from the equivalent of folks walking down the street ringing doorbells and seeing which doors are not locked and people not home. The lock is being behind NAT and/or having a fully patched system with no known exploits. But the latter is hard as the people looking for exploits to do bad do not advertise them when they find them.

If you surf you may be exposed. The only way to stop this is to disable Java, ActiveX, JavaScript, etc ... Which in today's web, makes for a very restricted experience.

>> and then using publicly available code
>
> Who wrote such code?

Kids who were having fun seeing what they could do at first. But now mostly thieves or folks paid by thieves to find such things. To be blunt, they do it because there's money to be made and they don't have a problem stealing for gain.

> Lastly, why do such vulnerabilities exist in the first place? I keep
> reading how the present Windows operating system is old; shouldn't all
> the necessary fixes be developed by now?

Modern OS's have 10s of millions of lines of code. People buy features. They don't buy future security problems. All those systems designed with security as the first goal fell on the junk heap of computing past and continue to do so. Well, except for some very special cases where market share and cost doesn't matter. But even the NSA finds it cheaper to build totally isolated rooms, and I mean totally, to run software on insecure systems than try and develop custom things that are secure from the ground up. And they will likely have holes also, just not as many. Maybe.

But the basic issue with Windows (and all OS's after a while) is that it has to support old ancient programs plus new stuff and the code base is a mess. You don't really fix code like this. You do your best to apply what can be charitably called a permanent band aid. Been there. Done that. Got the pay stubs. (Not for Windows, but this is an issue that will not go away.)

> How much does it cost for companies to keep applying these patches
> every week?

A LOT. Keeps me employed. Well, not totally, but it is a PITA for me and I mostly admin Macs. But I have to deal with enough Windows systems that it takes way too much time to deal with them. The Windows systems that I support are for very specialized systems and the people running them have specific rules about what they can and cannot do.

What people do not realize is that an off the shelf Windows or Mac system with MS Office, email, web surfing, iTunes, etc... is a more complicated system than their car or even the Apollo moon shots. It's very hard to touch one piece in isolation. And folks will argue that if designed "right" this could all be avoided. To some degree they are correct. But it will never be perfect, even when folks try hard. Things are just too complicated for our minds or even our management structures to control it all.

Reply to
DLR
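The "ringing doorbells" probing DLR describes above is visible from the defender's side in the gateway firewall log: one outside address knocking on the same service port of many different hosts. The script below is an added illustration, not code from the thread; the iptables-style log lines and the addresses in them are constructed sample data, and the ports watched (TCP 139 and 445) are the SMB ports through which the Server service hole patched by MS06-040 is reached.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (sample data, not real traffic).
# 203.0.113.9 walks consecutive addresses on TCP/445 and TCP/139 (SMB), the
# ports the MS06-040 Server service vulnerability is reached over;
# 198.51.100.7 makes one ordinary HTTPS connection and is not a sweep.
SAMPLE_LOG = """\
Aug 12 01:02:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=4101 DPT=445 SYN
Aug 12 01:02:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=4102 DPT=445 SYN
Aug 12 01:02:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.3 PROTO=TCP SPT=4103 DPT=445 SYN
Aug 12 01:02:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.4 PROTO=TCP SPT=4104 DPT=445 SYN
Aug 12 01:02:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=4105 DPT=445 SYN
Aug 12 01:02:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.6 PROTO=TCP SPT=4106 DPT=139 SYN
Aug 12 01:02:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield (src, dst, dport) for every inbound TCP connection attempt in the log."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def find_sweeps(text, ports=(139, 445), min_targets=5):
    """Sources that knocked on `ports` of at least `min_targets` distinct hosts.

    A real client talks SMB to a handful of servers; one address touching many
    different hosts on the same service port is an address sweep. Returns
    {src: sorted list of probed hosts} for each source that crosses the bar.
    """
    targets = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        if dport in ports:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {len(hosts)} hosts probed ({hosts[0]} .. {hosts[-1]})")
```

A host behind NAT never sees these SYNs at all, which is the "lock" the post refers to; the gateway's own log is where the knocking shows up.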
