
Example of a threat landscape

faunus




Presentation transcript


    1. Example of a threat landscape: Spam

    2. Agenda: Today's threat landscape; Techniques and blunders; Tools; Solution methods; Malicious code and spam technology

    3. Norman: end-to-end strategy

    4. Origin: Hormel, 1937, a food factory in the USA; the indeterminate mass of long-life meat; the Monty Python restaurant sketch: whatever you order, you get Spam, eggs and Spam, baked beans and Spam ...

    In the 1930s, father and son Hormel ran a food factory in the USA. In 1937 they invented the name SPAM. SPAM was used to describe the indeterminate mass of long-life meat that they packed into cans. Monty Python restaurant sketch: whatever you order, you get Spam, eggs and Spam, baked beans and Spam ...

    5. History: Online text games; Discussion groups; Usenet, 31.03.1993: a Usenet admin posted the same message 200 times, the group was sprayed with irrelevant, repeated posts; E-mail: unwanted e-mail, advertising; UBE = Unsolicited Bulk E-mail; UCE = Unsolicited Commercial E-mail; unsolicited = spontaneous; First spam, 03.05.1978: everyone on the West Coast ARPAnet, from a marketing manager at Digital Equipment Corporation (DEC); U.S. Green Card lottery, 1994: 6000 discussion groups in 90 minutes; response: the ISP's server farm crashed 15 times.

    Although spam has only become a serious problem in the last few years, it is not a new phenomenon. According to BBC News, Brad Templeton, an old hand on the net, has found that the first spam message must have been sent as early as 3 May 1978. A marketing manager at Digital Equipment Corporation (DEC) is said to have decided to send all users of the West Coast ARPAnet a message about an open day where the company would show off a new series of computers. In 1978 it was about nine years since work on ARPAnet (Advanced Research Projects Agency) started and made it possible for many employees and students at universities and public institutions to exchange e-mail. ARPAnet was shut down in 1990 after being replaced by the faster NSFnet (National Science Foundation Network), which initially formed the backbone of what we today call the Internet. According to BBC News, the e-mail from DEC caused great uproar among ARPAnet users, partly because it was so badly written, but mostly because it clearly broke the network's guidelines. As a research tool, messages on ARPAnet were supposed to be non-commercial.

    The word spam for junk mail was probably first used by angry Usenet users after a Usenet administrator accidentally posted the same message 200 times to a discussion group on 31 March 1993. The term had previously mostly been used in online text games, but is said to originate from a Monty Python sketch in which a customer at a restaurant is offered "spam with everything", spam being a kind of canned meat. More on this can be found on this page. Another milestone in the history of spam came, according to BBC News, in April 1994, when a law firm in Arizona sent a message advertising the "U.S. Green Card lottery" to up to 6000 discussion groups (the number of groups varies by source) on Usenet within barely 90 minutes. The messages were sent from an account at an Internet provider in Arizona. According to the Electronic Frontier Foundation, the flood of negative feedback was so large that the provider's servers crashed at least 15 times.

    The Definition of Spam. The word "Spam" as applied to e-mail means Unsolicited Bulk Email ("UBE"). Unsolicited means that the recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.

    Technical definition: an electronic message is "spam" IF: (1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (2) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND (3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender.

    6. Prohibited in Norway: Directing marketing inquiries to consumers by e-mail without consent; Consumer advertising to business e-mail addresses (exception: job-related advertising); The same applies within the EEA; USA: possibility to opt out of address lists

    7. Today's threat landscape

    8. Scope (MessageLabs, July 2004): 1,007,249,930 e-mails; 94.5% spam; 84,068,375 contained viruses; 70% of all spam from virus-infected machines; in 8 of 10 cases where the server is infected by a virus, downtime of 17 hours or more

    9. Bayesian analysis: the rescue? Artificially adapted intelligence; Analyses the whole text, not single words; Constantly self-learning and user-sensitive; Language-independent and international; Harder to fool
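    As an added illustration of the Bayesian approach described on this slide (not code from the presentation or from Norman), here is a minimal self-learning naive Bayes filter in Python: it scores a message from all the words it contains, weighted by how often each word was seen in spam versus legitimate mail, and every classified or user-corrected message updates the model. The training messages are constructed for this example.

```python
"""Minimal self-learning naive Bayes spam filter (added illustration, not
the presentation's or Norman's code). The training data is constructed."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case word tokens; '$' is kept because '$$$' is a spam signal."""
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    def __init__(self):
        self.tokens = {"spam": Counter(), "ham": Counter()}   # token counts per class
        self.messages = {"spam": 0, "ham": 0}                  # messages seen per class

    def learn(self, text, label):
        """Update the model with one labelled message. Calling this on every
        classified or user-corrected message is what makes the filter
        'constantly self-learning' and specific to the user's own mail."""
        self.tokens[label].update(tokenize(text))
        self.messages[label] += 1

    def _log_likelihood(self, words, label):
        total = sum(self.tokens[label].values())
        vocab = len(set(self.tokens["spam"]) | set(self.tokens["ham"]))
        # class prior times Laplace-smoothed per-token probabilities, in log space
        logp = math.log(self.messages[label] / sum(self.messages.values()))
        for w in words:
            logp += math.log((self.tokens[label][w] + 1) / (total + vocab))
        return logp

    def spam_probability(self, text):
        """P(spam | text) computed over the whole token sequence, so a single
        suspicious word never decides the verdict on its own."""
        if not all(self.messages.values()):
            raise ValueError("need training examples of both spam and ham")
        words = tokenize(text)
        diff = self._log_likelihood(words, "ham") - self._log_likelihood(words, "spam")
        if diff > 700:            # avoid overflow in exp() for very long ham
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, text, threshold=0.9):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus (not real mail).
SPAM_EXAMPLES = [
    "FREE herbal pills! Click here to order now and save $$$",
    "Win the U.S. Green Card lottery - click here to apply today",
    "Your account will be closed - update your credit card details now",
    "Cheap pills online, no prescription, order now",
    "Congratulations you have won - claim your free prize today",
    "Best offer: buy now, free shipping, click here",
]
HAM_EXAMPLES = [
    "Can we move the project meeting to Thursday afternoon?",
    "Attached is the quarterly report, please review before Friday",
    "Lunch at the usual place at noon?",
    "The server patch is scheduled for tonight, expect ten minutes downtime",
    "Thanks for the slides, I will send my comments tomorrow",
    "Reminder: the team meeting starts at nine in room 4",
]


def build_demo_filter():
    f = BayesFilter()
    for msg in SPAM_EXAMPLES:
        f.learn(msg, "spam")
    for msg in HAM_EXAMPLES:
        f.learn(msg, "ham")
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for text in ("Click here now to order free pills",
                 "Can we move the team meeting to Thursday?"):
        print(f"{f.spam_probability(text):.3f}  {f.classify(text)}  {text}")
    # A legitimate mail that reuses spam vocabulary scores high at first;
    # the user's correction teaches the filter and the score drops.
    fp = "Click here for the free credit card report"
    before = f.spam_probability(fp)
    f.learn(fp, "ham")
    print(f"false positive: {before:.3f} -> {f.spam_probability(fp):.3f}")
```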

    10. Remote Images

    11. Phishing: imitates companies' identities; consumers' identities; credit card numbers and other financial data; recently hit: AOL, Charlotte's Bank of America, Best Buy, eBay

    Spam phishing: identity thieves fish for your credit information. Norman has recently registered a growing number of spam e-mails sent out with the intent of stealing identity information from consumers. Phishing, as it is called, is the crime now growing fastest on the Internet. It is done by imitating well-known online shops with e-mail addresses, logos and so on, in order to defraud consumers of their identity, credit card number and other financial data. One example was AOL, where users received an e-mail saying that an error had occurred in AOL's order/billing system and that, to avoid losing their account, they had to update their information. The e-mail then advised them to click the link http://www.aol.com/acount/ . This link led users to a page carrying AOL's identity, logo, colours and so on, which gave users the impression that they were at AOL's login page. But they were not. After logging in on the fake pages with username and password, users were asked to fill in their name, personal ID number, billing address, the credit card used with AOL, plus a new credit card number to correct the error, and a bank account with its credit limit. With this, the crooks had obtained all the information needed to drain a person or business of money. They were also left with usernames and passwords for the users' e-mail accounts, which were then used to send out more spam. Phishing is the term for hackers imitating companies' identities in e-mail to lure out identity information such as usernames, passwords and credit card numbers. Companies recently hit by this form of crime are Charlotte's Bank of America, Best Buy and eBay. This is now the hottest and freshest scam on the Internet.

    Online bill pay: MSN Money Plus is the convenient way to pay your bills online. MSN Bill Pay Standard Plan is included with your MSN 8 subscription. You can make an unlimited number of bill payments for free to more than 900 companies. Receive bills electronically from numerous companies. View a list of upcoming bills for a quick picture of what's due.

    Account management tools: Use the My Favorite Accounts section to manage all your accounts in one place. View account balances and transactions for your bank, brokerage, and credit card accounts. Transfer money between accounts quickly and easily. Your account information is updated automatically, eliminating the need for manual data entry.

    Spending and budget tools: Use MSN Money Plus to track where your money goes and to create a working budget. Charts help you better understand and analyze your spending habits. View your spending by category, by payee, or by date range. Compare your actual spending to a budget you create based on your monthly income.

    Easy access: It's easy and convenient for you and your family to access information when and where you need to. View your information from any PC with Internet access. You can invite your spouse to access your financial information, and children over 14 can use MSN Money Plus to start learning how to manage money. Use Microsoft .NET Alerts to receive alerts when your financial situation changes. For example, you can receive alerts via MSN Messenger or e-mail when the price of your favorite stock changes, your credit card balance goes above a set amount, or your bank account goes below a pre-defined balance.

    12. Phishing

    13. Where are the addresses taken from? E-mail addresses on web pages: support pages, auctions, buying and selling, discussion forums, home pages, directories, awareness campaigns; Other places: newsgroups, online chat, message boards, CV databases, real-time messenger services (ICQ, MSN Messenger, ...), domain name registrars (whois), dating services (MSN Soulmates)

    Email Address Harvesting: How Spammers Reap What You Sow. Is your in-box clogged with junk email messages from people you don't know? Are you overwhelmed by unsolicited email offering products or services you don't want? It's no wonder. According to research by the Federal Trade Commission (FTC) and several law enforcement partners, it's harvest time for spammers. But, the consumer protection agency says, the good news for computer users is that they can minimize the amount of spam they receive. According to the investigators, spammers typically use computer programs that search public areas on the Internet to compile, capture, or otherwise "harvest" lists of email addresses from web pages, newsgroups, chat rooms, and other online destinations.

    14. Published e-mail addresses on the web: frode lein.no; frode AT lein DOT no; Frode_SPAM_lein.no

    I make my private web pages in MS FrontPage. This results in the front page being named Hovedside.

    15. Harvesting of e-mail addresses: Software; Compilation; Whois; InterNIC; Capture of screen text; Chat rooms: a magnet for harvesting software, from first use to first spam in 9 minutes; Search engines; Translations

    To find out which fields spammers consider most fertile for harvesting, investigators "seeded" 175 different locations on the Internet with 250 new, undercover email addresses. The locations included web pages, newsgroups, chat rooms, message boards, and online directories for web pages, instant message users, domain names, resumes, and dating services. During the six weeks after the postings, the accounts received 3,349 spam emails. The investigators found that: 86 percent of the addresses posted to web pages received spam. It didn't matter where the addresses were posted on the page: if the address had the "@" sign in it, it drew spam. 86 percent of the addresses posted to newsgroups received spam. Chat rooms are virtual magnets for harvesting software. One address posted in a chat room received spam nine minutes after it first was used. Addresses posted in other areas on the Internet received less spam, the investigators found. Half the addresses posted on free personal web page services received spam, as did 27 percent of addresses posted to message boards and nine percent of addresses listed in email service directories. Addresses posted in instant message service user profiles, "Whois" domain name registries, online resume services, and online dating services did not receive any spam during the six weeks of the investigation. In almost all instances, the investigators found, the spam received was not related to the address used. As a result, consumers who use email are exposed to a variety of spam - including objectionable messages - no matter the source of the address. Some email addresses posted to children's newsgroups received a large amount of spam promoting adult web sites, pitching work-at-home schemes, and even advertising hallucinogenic drugs.

    Slowing the Email Harvest. The investigators indicate that email address harvesting usually is automated, because spam can hit the addresses soon after they are used publicly the first time; the spam was not targeted; and some addresses were picked up off web pages even when they weren't visible to the eye. Still, they say, consumers can protect their email addresses from harvesting programs. Here's how:

    1. Consider "masking" your email address. Masking involves putting a word or phrase in your email address so that it will trick a harvesting computer program, but not a person. For example, if your email address is "johndoe@myisp.com," you could mask it as "johndoe@spamaway.myisp.com." Be aware that some newsgroup services or message boards won't allow you to mask your email address and some harvesting programs may be able to pick out common masks.
    2. Use a separate screen name for chatting. If you use chat rooms, use a screen name that's not associated with your email address. Consider using the screen name only for online chat.
    3. Set up disposable addresses. Decide if you want to use two email addresses - one for personal messages and one for posting in public. Consider using a disposable email address service that creates separate email addresses that forward to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.
    4. Use two email accounts. If you work for a business or organization that wants to receive email from the public, consider creating separate accounts or disposable email addresses for that purpose, rather than having an employee's address posted in public.
    5. Use a unique email address, containing both letters and numbers. Your choice of email address may affect the amount of spam you receive because some spammers use "dictionary attacks" to email many possible name combinations at large ISPs or email services, hoping to find a valid address.

    Meanwhile, what can you do with the spam in your in-box? Report it, making sure that you include the full email header. The information in the header makes it possible to follow up on your complaint. Send your spam to: The Federal Trade Commission, at uce@ftc.gov. The FTC uses the emails in this database to pursue law enforcement actions against people who send deceptive spam. Your ISP's abuse desk. Often the email address is abuse@yourispname.com or postmaster@yourispname.com. Forwarding your spam to your ISP lets them know about the spam problem on their system and helps them to stop it. Include a copy of the spam, along with the full email header, and at the top of the message, state that you're complaining about being spammed. The sender's ISP. Most ISPs want to cut off spammers who abuse their system. Include a copy of the message and header information and state that you're complaining about spam.

    16. E-mail: address collection

    17. What else do we do wrong? E-mail: replying to spam; jumping at limited-time offers and the like; unsubscribing from mailing lists; auto-reply; out-of-office messages (Corporate IT Forum); automatic preview; chain letters

    Digression: auto-reply. Burglars can use e-mail replies. If you use the automatic reply service on your e-mail, burglars can find out that you are away on Easter holiday. In many e-mail programs you can set up an automatic reply that is sent to anyone who e-mails you. If you enter "I am away on holiday for three weeks and cannot answer e-mail", thieves can know that your house is empty and ready for a break-in. The British technology industry body Corporate IT Forum has found a number of examples of criminals buying up e-mail lists and then sending out e-mails to check whether they get automatic replies. When the holiday notice arrives, the thieves check what your home address is, writes Dagsavisen. The Data Protection Authority (Datatilsynet) has heard of the method, but is not aware of any examples of such burglaries in Norway. Nor have Manglerud police station in Oslo or Økokrim had any such cases.

    18. Impossible to stop spammers? Earthlink (ISP): ten dedicated spam staff; spam steals resources / lawsuits; no caller ID; closed the accounts; new accounts handed out without checking everything; private detective / the police; supplier of herbal pills; lots of hate mail and spam; 3 months before they could serve him; sued for 16 million dollars; 13 months; "Buffalo": false addresses and phone numbers; public telephones; stolen credit card numbers; software: millions of spam per hour; 343 accounts; 825 million spam mails per year; bragged about 10 million advertising messages; 36 sales / 360 dollars; a court order must be served in person; lives with his mother and earned small sums

    Here is the explanation for why your Norwegian e-mail account is swamped with junk. Earthlink's hunt for a spammer shows how American society lets spammers hide. In a digitised world where everything can be looked up and traced, it may seem unbelievable that it is possible to flood the Internet with millions of advertising messages and still get away with it. The Wall Street Journal has written a story about the Internet provider Earthlink's hunt for a top offender which illustrates how spam works and why it is so hard to stop. The story is interesting reading for Norwegian net users because most of the e-mail junk probably originates from American e-mail accounts. Earthlink, the third largest Internet provider in the USA, has a staff of no fewer than ten employees trying to curb spam and other problems. The effort is driven by the fact that spam steals enormous resources, and in a country where everyone seems to sue everyone over almost anything, Earthlink is probably afraid of being held liable by its customers. Even so, Earthlink can only concentrate on the very worst offenders. For a year the anti-spam group hunted a repeat offender who was finally caught. Here are the points that explain why it is so hard: Buffalo, as the spammer called himself, could call from public telephones whenever he wanted and order new Internet accounts. To pay, he gave stolen credit card numbers. Stolen cards remain in circulation for a long time in the USA because the banking system is not fully digitised to the same extent as in, for example, Norway. The story also reveals that Internet providers like Earthlink hand out new accounts continuously, evidently without any particular checks. Earthlink closed the accounts as it went, but by then "Buffalo" had usually finished a mailing and simply created a new account. Spam software lets advertisers send millions of messages in a few hours and then disconnect. In all, Buffalo used 343 accounts and sent out 825 million spam messages in the year Earthlink hunted him. Because far from all telephone exchanges in the USA are upgraded to caller ID, companies like Earthlink cannot block all traffic from given telephone numbers. Spammers are also largely left to work in peace, because the police do not prioritise spam cases over murder and other criminal cases. Earthlink therefore had to bring a private lawsuit and use private detectives, which costs a lot of money. The chance of compensation and confiscation of earnings is, in practice, almost nil, and Earthlink's investigation also revealed that spam, at least in this case, is not very effective: Earthlink finally tried going after the suppliers Buffalo advertised for. This is the only genuine information in spam: the goal is, after all, to put you in contact with someone who wants to sell you something. It was during this hunt that Earthlink's lawyer finally got in touch with one of the spammer's customers, a Florida-based supplier of herbal pills, who admitted that a person with the surname Carmack had bragged about sending out 10 million advertising messages for the company. But this produced only 36 sales, and Carmack earned a measly 360 dollars for the work. And because the supplier received so much hate mail and spam from its own e-mail users, he asked Carmack to stop. Eventually 36-year-old Howard Carmack was tracked down, but because a court order must be served in person, Earthlink's lawyer spent a full three months before he surprised Carmack outside his house. The detectives lay in wait in a van with tinted windows. Carmack had hidden behind a web of false addresses and phone numbers, as is possible in the USA, partly because registers and legislation are limited to each state. Earthlink has sued Carmack for 16 million dollars, writes the Wall Street Journal. But the man lives with his mother and has thus earned small sums for flooding the Internet with junk. The Earthlink story shows that perhaps the most effective weapon against spammers is to go after those who hire them: complaints, lawsuits and the like can help curb demand for spammers' services.

    19. Issues: Silverpop opened e-mail accounts at Hotmail and Yahoo; registered with various notification services; 1 in 4 messages did not get through

    20. Samferdselsdepartementet (the Norwegian Ministry of Transport and Communications) recommends:
Do not use e-mail preview.
Do not open spam; delete it based on the sender, recipient and subject fields.
Do not reply to, and never make purchases based on, randomly sent e-mail.
Do not forward chain letters or take part in signature campaigns.
Do not leave your e-mail address on web pages, newsgroups, chat and the like.
Use a long, illogical e-mail address (veldig8vanskelig2epost45@isp.no).
Use one e-mail address for work, another for friends and a third for people you do not know. The third account can be closed once spammers have caught it.
Do not hand out your e-mail addresses indiscriminately.
Do not use auto-reply in your e-mail program.
When sending to many recipients, do not send e-mail with the recipients' addresses visible.

Kris Abel: Recognizing that you're bound to get junk e-mail no matter what you do online, Abel says the first strategy should be to delete them as soon as they arrive in your inbox. Because a lot of spam is addressed to email account names generated by special software, the sender often has no idea whether the target is legitimate or not. "Don't open them," Abel told Canada AM. "Because if you open them, they'll open up a pile of graphics and that will send a signal back to the sender telling them that your e-mail account is active." As soon as the spammer knows an e-mail account is active, they will not only send you more spam, but they will sell your address on to other illegal spam artists, Abel warned.

Even sharing your e-mail with friends online could spell trouble down the road. "If you're going to a forum and you want to connect with somebody else, give them your e-mail address, but don't use the '@' symbol," Abel said. Because no e-mail address lacks the tell-tale symbol, programs that scour the Internet use it as a signpost for identifying e-mail addresses. By typing the word 'at' instead of the symbol, readers can understand but computer programs will be fooled, Abel said.

Slowing the Email Harvest
The investigators indicate that email address harvesting usually is automated, because spam can hit the addresses soon after they are used publicly the first time; the spam was not targeted; and some addresses were picked up off web pages even when they weren't visible to the eye. Still, they say, consumers can protect their email addresses from harvesting programs. Here's how:
1. Consider "masking" your email address. Masking involves putting a word or phrase in your email address so that it will trick a harvesting computer program, but not a person. For example, if your email address is "johndoe@myisp.com," you could mask it as "johndoe@spamaway.myisp.com." Be aware that some newsgroup services or message boards won't allow you to mask your email address and some harvesting programs may be able to pick out common masks.
2. Use a separate screen name for chatting. If you use chat rooms, use a screen name that's not associated with your email address. Consider using the screen name only for online chat.
3. Set up disposable addresses. Decide if you want to use two email addresses - one for personal messages and one for posting in public. Consider using a disposable email address service that creates separate email addresses that forward to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.
4. Use two email accounts. If you work for a business or organization that wants to receive email from the public, consider creating separate accounts or disposable email addresses for that purpose, rather than having an employee's address posted in public.
5. Use a unique email address, containing both letters and numbers. Your choice of email address may affect the amount of spam you receive because some spammers use "dictionary attacks" to email many possible name combinations at large ISPs or email services, hoping to find a valid address.

Meanwhile, what can you do with the spam in your in-box? Report it, making sure that you include the full email header. The information in the header makes it possible to follow up on your complaint. Send your spam to:
The Federal Trade Commission, at uce@ftc.gov. The FTC uses the emails in this database to pursue law enforcement actions against people who send deceptive spam.
Your ISP's abuse desk. Often the email address is abuse@yourispname.com or postmaster@yourispname.com. Forwarding your spam to your ISP lets them know about the spam problem on their system and helps them to stop it. Include a copy of the spam, along with the full email header, and at the top of the message, state that you're complaining about being spammed.
The sender's ISP. Most ISPs want to cut off spammers who abuse their system. Include a copy of the message and header information and state that you're complaining about spam.

Draft rules for minimising unwanted, randomly sent e-mail (spam):
Do not use e-mail preview.
Do not open spam; delete it based on the sender, recipient and subject fields. This is often easiest to do through a web-based e-mail client.
Do not reply to, and never make purchases based on, randomly sent e-mail.
Do not forward chain letters or take part in signature campaigns.
Do not leave your e-mail address on web pages, newsgroups, chat and the like. Where you do, check the terms and the site's reputability first.
Use a long, illogical e-mail address (veldig8vanskelig2epost45@isp.no).
Use one e-mail address for work, another for friends and a third for people you do not know. The third account can be closed once spammers have caught it.
Do not hand out your e-mail addresses indiscriminately.
Do not use auto-reply in your e-mail program.
When sending to many recipients, do not send e-mail with the recipients' addresses visible. E-mail programs have functions to avoid this.
Get an up-to-date spam filter, either on your own machine or through your Internet service provider.
Keep yourself continuously informed about the latest developments through relevant websites; learn how spam, viruses and the like work.
Use an up-to-date virus filter.
Update the operating system on your PC continuously, with newly discovered security holes in mind.
Use a firewall.
Points 12, 13 and 14 prevent you from involuntarily becoming a sender of spam yourself.
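The advice above to report spam with the full header only helps if the reader of the report can tell which Received: line records the real handoff. The following is an added example, not part of the presentation or of the quoted FTC text: it assumes our own relays are mail.example.org and mx.example.org on 192.0.2.0/24, uses a constructed spam message, and applies the usual trusted-relay walk (trust only lines written by our own MTAs, name the first outside address that connected to them, ignore everything below because the sender controls it).

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample spam (an assumption, not a message from the presentation).
# The lowest Received: line was forged by the sender; the middle one records the
# real handoff to our MX. Hosts under example.org are assumed to be our own.
SAMPLE_SPAM = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
  by mail.example.org with ESMTP id ABC123; Tue, 27 Jan 2004 10:00:00 +0100
Received: from smtp.isp-example.net (unknown [203.0.113.45])
  by mx.example.org (Postfix) with SMTP; Tue, 27 Jan 2004 09:59:58 +0100
Received: from trusted-bank.example (localhost [127.0.0.1])
  by smtp.isp-example.net; Tue, 27 Jan 2004 01:00:00 +0100
From: "Mail Delivery System" <bounce@forged.example>
To: victim@example.org
Subject: Mail Transaction Failed

Mail transaction failed. Partial message is available.
"""

OUR_RELAYS = {"mail.example.org", "mx.example.org"}          # assumed trusted MTAs
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]        # assumed relay range

# "from <helo> (<rdns> [<ip>]) by <host>"; IPv4 only, which is all the sample needs
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>[\w.\-]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """One dict per Received: header, newest (topmost) first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())      # unfold and squeeze whitespace
        m = HOP_RE.search(text)
        if not m:
            continue                             # not a from/by hop, skip it
        ipm = IP_RE.search(m.group("info") or "")
        hops.append({
            "helo": m.group("helo"),
            "by": m.group("by").lower(),
            "ip": ipaddress.ip_address(ipm.group(1)) if ipm else None,
        })
    return hops


def find_origin(raw, our_relays=OUR_RELAYS, our_networks=OUR_NETWORKS):
    """Walk down the chain while the receiving MTA is one of ours. The first
    connecting address that is not ours is the handoff point to name in the
    report; every Received: line below it was written by hosts we do not
    control and may be forged, so it is never consulted."""
    for hop in parse_hops(raw):
        if hop["by"] not in our_relays:
            return None                          # chain never passed through us
        ip = hop["ip"]
        if ip is None or ip.is_loopback or any(ip in n for n in our_networks):
            continue                             # internal relay step
        return hop
    return None


def build_abuse_report(raw):
    """Report body in the form the text asks for: complaint statement first,
    the origin identified above, then the complete original headers."""
    origin = find_origin(raw)
    headers = raw.split("\n\n", 1)[0]
    lines = ["I am complaining about being spammed with the message below."]
    if origin:
        lines.append(f"Injected from {origin['ip']} (HELO {origin['helo']}) "
                     f"into our relay {origin['by']}.")
    lines += ["", "Full headers:", headers]
    return "\n".join(lines)
```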

    21. Friendly spam kills productivity: friends, acquaintances, colleagues, Cc, "reply to all"; 35 billion e-mails by 2005. E-mail doesn't save you time, it wastes it.

Friendly-spam can kill your productivity
By Dale Tournemille, CTV News Staff

E-mail, it's been said, is the Internet's killer app. It's fast, easy and cheap. But for all its worth, e-mail is killing productivity and becoming a sinking lifeboat in a sea of messages. There's simply too much e-mail being tossed around, and not just from unscrupulous peddlers of get-rich-quick schemes, pornography, or scams on how to lose 50 pounds in 50 hours.

The deluge of e-mail filling our inboxes is increasingly of the so-called friendly-spam variety -- messages from chatty friends, colleagues, customers, professional associates, and just about anyone else you might have handed your business card to. Friendly-spam arrives from people you know and maybe even trust, which has stoked the notion that it's acceptable and, indeed, to be encouraged. Therein lies the problem.

A new study at the University of Western Ontario suggests too much of a good thing can be bad for you, particularly when it comes to e-mail. "People enjoy the convenience of sending relevant information quickly and easily, but this is far overshadowed by the volumes of low-value e-mails received each day," says business professor Christina Cavanagh. Her study of 57 business professionals showed what many Internet users have quickly been discovering themselves: E-mail doesn't save you time, it wastes it.

The study suggests e-mail is killing productivity because the simple act of managing so much e-mail is taking up more and more valuable time. On average, 70 per cent of respondents said that over the last two years, time spent managing e-mail has increased an additional hour per day. And it gets worse. Internet users at work are having to spend their personal time at home handling the overflow of work-related e-mails, making the work-lifestyle balance even more difficult to maintain.

The study found that the primary culprit was -- wait for it -- friendly-spam. The problem is that in the workplace, users commonly address e-mails to dozens or more co-workers thanks to the indiscriminate use of corresponding copy (cc) and the "reply to all" features built into today's e-mail programs. "The use of these features is considered out of control and contributes greatly to low-value, yet highly irksome, e-mails," says Cavanagh. "People abuse the privilege of knocking on your door with e-mail." The problem could also be our own laziness. Respondents in Cavanagh's study questioned the need to send e-mail to someone who sits down the hall or in the cubicle next door.

Too much e-mail costs time and money, but it could also be costing people a lot more because of the social isolation associated with some forms of technology. A Stanford University study of 4,000 adult Internet users found that while e-mail use increases "contact" with family and friends, it results in less time spent in contact with real human beings. "The Internet could be the ultimate isolating technology that further reduces our participation in communities even more than did automobiles and television before it," said Stanford Professor Norman Nie. "This is an early trend that, as a society, we really need to monitor carefully."

As a technologically-savvy bunch, Canadians are very much at risk. Statistics Canada says 13 million Canadians, or 53 per cent of those aged 15 and over, use the Internet regularly. Almost all use e-mail. By the year 2005, the number of worldwide e-mails sent on an average day is expected to hit 35 billion, more than triple what it is now. Like a heavy rain, escalating e-mail usage can be a blessing or a curse depending on how prepared you are.

The best way to cut down on e-mail use is to attack it at the root -- the sender. Cavanagh advises users to start advising senders about unnecessary messages. A proactive way to combat the problem is also to always respond directly to the original sender; don't use the "reply to all" feature. If that doesn't work, try setting up electronic filters -- almost all e-mail programs have them -- to sort and file messages based on importance, which should end up moving most of them right into the trash bin.

    22. Spam in society: pop-ups, Windows Messenger Service, mobile (SMS, MMS), telephone (surveys), IP telephony.

    23. Solutions

    24. Solutions: client solutions (home office); server solutions (9 different filters; in 8 out of 10 cases where the server is infected by a virus, the downtime is 17 hours or more); online service, operated and monitored 24/7.

    25. Sketch: Norman Online Protection

    26. Example: W32/Mydoom.A-mm, an e-mail worm that uses spam technology.

W32/MyDoom.A@mm (Norman virus description)
General characteristics
Type: Worm
Alias: Novarg.A, Shimg.A, Mimail.R
Spreading mechanism: Email, other
Email characteristics: Subject: Variable; Body: Variable; Attachment: Variable
Destructivity: Medium
Payload: Denial-of-service attack/backdoor functionality
Detected by virus detection files published: 27 Jan 2004
Virus characteristics first published: 26 Jan 2004 23:26 (CET)
Virus characteristics latest update: 27 Jan 2004 18:14 (CET)

Additional description of malicious program
Type: This is a new worm. File size is 22528 bytes, though size may vary some when the worm comes as zip.

Spreading mechanism: The worm installs itself in memory and creates the mutex "SwebSipcSmtxS0" to avoid being loaded twice. It copies itself to the Windows System directory under the name TASKMON.EXE. The original, if any, is deleted. The worm creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
or
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
The worm now checks the registry key HLCU\Software\Kazaa\Transfer DlDir0 for the presence of a Kazaa Peer-to-Peer default download directory. If found, it will copy itself to this directory as well. The main spreading function is by email. MyDoom searches through several types of files hunting for email addresses to send itself to. A file called SHIMGAPI.DLL is also installed to the Windows System directory. The installed DLL inserts the following registry key:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll
This has the effect that the DLL is loaded along with the operating system at startup. When the worm executes, it will usually display some garbage data via Notepad. The worm will stop spreading on February 12th 2004. However, it will retain the backdoor functionality.

Wordlist 1: Filenames used when creating files in Kazaa directories: winamp5, nuke2004, office_crack, rootkitXP, strip-girl-2.0bdcom_patches
Wordlist 2: Extensions used when creating files in Kazaa directories: *.bat, *.exe, *.scr, *.pif
Wordlist 3: Possible email subject fields: random letters, "Error", "Status", "Server report", "Mail Transaction Failed", "Mail Delivery System", "Hello", "Hi"
Wordlist 4: Possible email text: no body text; random garbage text; "Mail transaction failed. Partial message is available."; "The message contains Unicode characters and has been sent as a binary attachment."; "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."; "test"
Wordlist 5: Possible file names used for mail attachments: random letter combination, "Message", "Doc", "Test", "Body", "Data", "File", "Text", "Readme", "Document"
Wordlist 6: Possible file extensions for mail attachments: zip, bat, cmd, exe, scr, pif
Note: When the attachment comes as a zip file, it is common that the file inside has a double extension, where the last extension is hidden by adding a lot of spaces to the name.
Wordlist 7: File types searched for email addresses: wab, pl, adb, tbb, dbx, asp, php, sht, htm, txt
Wordlist 8: Names used for guessing addresses: sandra, linda, julie, jimmy, jerry, helen, debby, claudia, brenda, anna, alice, brent, adam, ted, fred, jack, bill, stan, smith, steve, matt, dave, dan, joe, jane, bob, robert, peter, tom, ray, mary, serg, brian, jim, maria, leo, jose, andrew, sam, george, david, kevin, mike, james, michael, alex, john

Destructivity and payload: Depending on a date trigger (between Feb 1st 2004 and Feb 12th 2004), the worm will perform a denial-of-service attack against www.sco.com. If this triggers, it will check every 8th second whether it is connected to the Internet. If it is, and if the site www.sco.com is found, threads conducting never-ending series of HTTP GET requests are directed to this site. The installed SHIMGAPI.DLL listens on ports 3127-3198. The full functionality is not yet fully uncovered, but it seems that it enables an attacker to upload and execute a file.

Detection and removal: This worm is detected and removed using defs from Jan 27th 2004 and newer. To completely remove the worm from infected systems you should work through the following procedure: On Windows Me and Windows XP, deactivate System Restore. Download and run MyDoomFix.com. Restart the computer. The reboot is necessary to delete infected file(s) that cannot be deleted without a reboot.

    27. Spread (source: messagelabs.com). First stopped in: Russia. Total stopped: 43302279. Most active month: Feb 2004. Number of countries: 216. Peak infection date: 27 Jan 2004. Peak infection rate: 1 / 12. Infections reported to Norman: 10 individual users.

MessageLabs information on W32/Mydoom.A-mm
General: Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and targets files with the following extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt. Mydoom also tries to randomly generate or guess likely email addresses to send itself to. In addition, initial analysis suggests that Mydoom opens a connection on TCP port 3127, an indication of a remote access component.
Email characteristics:
From: Random, spoofed email address
Subject: Random
Text: Various, including: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment." "The message contains Unicode characters and has been sent as a binary attachment." "Mail transaction failed. Partial message is available."
Attached file: Various, with extensions including .exe, .pif, .cmd, .scr. The attachment often arrives in a zip archive, and is also represented by what appears to be a text file icon, but is in fact an executable.
Size: 22,528 bytes
Detection: MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic predictive heuristics technology.
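The characteristics quoted for slides 26 and 27 (wordlist subjects and bodies, executable attachment extensions, and a second extension hidden behind a run of spaces inside a zip) are exactly what a mail gateway can check before a user ever sees the message. What follows is an added example written for this page, not Norman's or MessageLabs' detection code: the sample messages are constructed, the zip holds inert placeholder bytes rather than any program, and the two-indicator quarantine threshold is an assumption.

```python
import email
import io
import re
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Wordlists 3 to 6 from the Norman description, lower-cased for comparison.
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODIES = {
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent "
    "as a binary attachment.",
    "test",
}
ATTACH_STEMS = {"message", "doc", "test", "body", "data", "file", "text",
                "readme", "document"}
EXEC_EXTS = {"bat", "cmd", "exe", "scr", "pif"}
# "message.txt<many spaces>.scr": the padded second extension the note describes
PADDED_EXT_RE = re.compile(r"\.[A-Za-z0-9]+\s{2,}\.([A-Za-z0-9]+)$")


def real_extension(name):
    """Extension Windows would actually honour, seeing through the padding trick."""
    m = PADDED_EXT_RE.search(name)
    ext = m.group(1) if m else name.rsplit(".", 1)[-1]
    return ext.strip().lower()


def name_indicators(name, where):
    """Indicators for one file name, tagged with where it was seen."""
    found = set()
    if real_extension(name) in EXEC_EXTS:
        found.add(f"{where}: executable extension")
    if PADDED_EXT_RE.search(name):
        found.add(f"{where}: double extension hidden with spaces")
    if name.split(".", 1)[0].strip().lower() in ATTACH_STEMS:
        found.add(f"{where}: wordlist file name")
    return found


def message_indicators(raw_bytes):
    """Parse a raw RFC 822 message and collect MyDoom-style indicators."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    found = set()
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        found.add("subject: wordlist text")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        found.add("body: wordlist text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        found |= name_indicators(name, "attachment")
        data = part.get_payload(decode=True) or b""
        # Look inside zip attachments: that is where the padded name hides.
        if real_extension(name) == "zip" and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    found |= name_indicators(inner, "zip")
    return sorted(found)


def is_mydoom_like(raw_bytes):
    """Two or more independent indicators: treat as worm traffic and quarantine."""
    return len(message_indicators(raw_bytes)) >= 2


def make_sample(subject, body_text, zip_name, inner_name):
    """Constructed test message with a zip attachment holding placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a program")
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "bounce@forged.example"
    msg["To"] = "victim@example.org"
    msg.attach(MIMEText(body_text))
    att = MIMEApplication(buf.getvalue(), _subtype="zip")
    att.add_header("Content-Disposition", "attachment", filename=zip_name)
    msg.attach(att)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary business mail.
WORM_SAMPLE = make_sample("Mail Delivery System",
                          "Mail transaction failed. Partial message is available.",
                          "message.zip", "message.txt" + " " * 40 + ".scr")
BENIGN_SAMPLE = make_sample("Q1 budget figures", "Attached as discussed.",
                            "budget.zip", "budget-2004.csv")
```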

    28. Infection via file-sharing services. File names used: Winamp5, Nuke2004, office_crack, strip-girl-2.0bdcom_patches, rootkitXP.

    29. Installation. Memory: mutex "SwebSipcSmtxS0". Windows System folder: TASKMON.EXE, SHIMGAPI.DLL. Windows registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version; HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version; HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe or HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe; HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll. KAZAA: HKCU\Software\Kazaa\Transfer DlDir0. Opens ports.

Spreading mechanism: Email, other. Email characteristics: Subject: Variable. Body: Variable. Attachment: Variable. Destructivity: Medium. Payload: Denial-of-service attack/backdoor functionality.

Additional description of malicious program

Type: This is a new worm. File size is 22528 bytes, though the size may vary somewhat when the worm comes as a zip.

Spreading mechanism: The worm installs itself in memory and creates the mutex "SwebSipcSmtxS0" to avoid being loaded twice. It copies itself to the Windows System directory under the name TASKMON.EXE. The original, if any, is deleted. The worm creates the following registry keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version; HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version; HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe or HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe. The worm then checks the registry key HKCU\Software\Kazaa\Transfer DlDir0 for the presence of a Kazaa peer-to-peer default download directory. If found, it copies itself to this directory as well. The main spreading function is by email: MyDoom searches through several types of files hunting for email addresses to send itself to. A file called SHIMGAPI.DLL is also installed to the Windows System directory. The installed DLL inserts the following registry key: HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll. This has the effect that the DLL is loaded along with the operating system at startup. When the worm executes, it usually displays some garbage data via Notepad. The worm will stop spreading on February 12th 2004; however, it retains the backdoor functionality.

Wordlist 3: Possible email subject fields: random letters, "Error", "Status", "Server report", "Mail Transaction Failed", "Mail Delivery System", "Hello", "Hi".

Wordlist 4: Possible email text: no body text; random garbage text; "Mail transaction failed. Partial message is available."; "The message contains Unicode characters and has been sent as a binary attachment."; "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."; "test".

Wordlist 5: Possible file names used for mail attachments: random letter combination, "Message", "Doc", "Test", "Body", "Data", "File", "Text", "Readme", "Document".

Wordlist 6: Possible file extensions for mail attachments: zip, bat, cmd, exe, scr, pif. Note: When the attachment comes as a zip file, the file inside commonly has a double extension, where the last extension is hidden by adding a lot of spaces to the name.

Wordlist 7: File types searched for email addresses: wab, pl, adb, tbb, dbx, asp, php, sht, htm, txt.

Wordlist 8: Names used for guessing addresses: sandra, linda, julie, jimmy, jerry, helen, debby, claudia, brenda, anna, alice, brent, adam, ted, fred, jack, bill, stan, smith, steve, matt, dave, dan, joe, jane, bob, robert, peter, tom, ray, mary, serg, brian, jim, maria, leo, jose, andrew, sam, george, david, kevin, mike, james, michael, alex, john.

Destructivity and Payload: Depending on a date trigger (between Feb 1st 2004 and Feb 12th 2004), the worm performs a denial-of-service attack against www.sco.com. If this triggers, it checks every 8 seconds whether it is connected to the Internet. If it is, and if the site www.sco.com is found, threads conducting never-ending series of HTTP GET requests are directed to this site. The installed SHIMGAPI.DLL listens on ports 3127-3198. The full functionality is not yet fully uncovered, but it seems to enable an attacker to upload and execute a file.

Detection and removal: This worm is detected and removed using definitions from Jan 27th 2004 and newer. To completely remove the worm from infected systems, work through the following procedure: on Windows Me and Windows XP, deactivate System Restore; download and run MyDoomFix.com; restart the computer. The reboot is necessary to delete infected file(s) that cannot be deleted without a reboot.
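The wordlists in the Norman description above (subject lines, attachment names and extensions, and the space-padded double extension inside zip attachments) translate directly into mail-gateway heuristics. The following is an added example in Python, not code from the presentation or from Norman: the sample message and the sample zip are constructed here, and the subject and extension lists are the ones given in wordlists 3 and 6.

```python
"""Mail-side heuristics for the MyDoom message traits listed in the notes.

Added example (not Norman's code). The subject and extension lists come
from the wordlists in the description; the message and zip are constructed.
"""
import io
import re
import zipfile

# Wordlist 3 (subjects) and wordlist 6 (attachment extensions).
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
EXECUTABLE_EXTS = {"bat", "cmd", "exe", "scr", "pif"}
ATTACHMENT_EXTS = EXECUTABLE_EXTS | {"zip"}

# A name such as "readme.txt            .scr": the real extension sits after
# a run of spaces that pushes it out of view in a mail client's file list.
_PADDED_DOUBLE_EXT = re.compile(r"\.\w{1,4}\s{2,}\.(\w{1,4})$", re.IGNORECASE)


def real_extension(name):
    """The extension Windows will actually use for NAME (last dot wins)."""
    name = name.rstrip()
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def padded_double_extension(name):
    """True when a harmless-looking extension is followed by spaces and a second one."""
    return bool(_PADDED_DOUBLE_EXT.search(name.rstrip()))


def suspicious_zip_members(data):
    """Member names inside a zip that are executable or hide a second extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if real_extension(n) in EXECUTABLE_EXTS or padded_double_extension(n)]


def score_message(subject, attachment_name, attachment_bytes=b""):
    """Return the list of indicators that matched; an empty list means none did."""
    hits = []
    if subject.strip().lower() in SUBJECTS:
        hits.append("subject from wordlist")
    ext = real_extension(attachment_name)
    if ext in ATTACHMENT_EXTS:
        hits.append(f"attachment extension .{ext}")
    if padded_double_extension(attachment_name):
        hits.append("space-padded double extension")
    if ext == "zip" and attachment_bytes:
        for member in suspicious_zip_members(attachment_bytes):
            hits.append(f"zip member {member.strip()!r}")
    return hits


def build_sample_zip():
    """Constructed sample: a zip whose member name hides .scr behind 40 spaces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 40 + ".scr", b"constructed placeholder, not a payload")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message: wordlist subject plus a zip carrying a padded name.
    print(score_message("Mail Delivery System", "message.zip", build_sample_zip()))
```

The zip check matters because a gateway that only looks at the outer attachment name sees a harmless `.zip`; opening the archive and applying the same extension logic to each member is what catches the padded name.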

    30. Installation. Windows System folder: SHIMGAPI.DLL. Listens on ports 3127-3198. Windows registry: HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll. Starts processes and stays in memory. Starts with Windows. Checks the date: 01.02.2004 - 12.02.2004. Harvests @ addresses. Replicates itself. Back to 1 - 2.
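Slides 29 and 30 give the host-side traits an incident responder can check for: the Taskmon value under the Run keys, the CLSID InprocServer32 default pointing at shimgapi.dll, and a listener on ports 3127-3198. The following is an added example in Python, not Norman's MyDoomFix tool or any code from the presentation. It parses a constructed `reg export`-style dump and a constructed `netstat -an` listing so it runs offline; on a real host the output of those two commands would be fed in instead. The file path `C:\WINDOWS\System32\taskmon.exe` in the sample is a constructed stand-in for the `[SYSTEM]\taskmon.exe` the description names.

```python
"""Host triage for the MyDoom installation traits described on slides 29 and 30.

Added example; not Norman's MyDoomFix tool. It parses a constructed
`reg export` style dump and a constructed `netstat -an` listing so that it
runs offline; on a live host the real command output would be fed in.
"""
import re

# Persistence locations and listener range as given in the description.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InprocServer32")
BACKDOOR_PORTS = range(3127, 3199)   # SHIMGAPI.DLL listens on 3127-3198

# Constructed sample input in the layout `reg export` writes (backslashes doubled).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="C:\\WINDOWS\\System32\\taskmon.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="shimgapi.dll"
"ThreadingModel"="Apartment"
'''

# Constructed sample input in `netstat -an` layout.
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        192.0.2.1:80           ESTABLISHED
'''

_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def parse_reg_export(text):
    """Map each key (lower-cased) to {value_name: data}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and "=" in line and line[0] in '"@':
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            # .reg files double every backslash inside string data; undo that.
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def find_registry_indicators(reg):
    """Run values launching taskmon.exe and a CLSID default naming shimgapi.dll."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            if name.lower() == "taskmon" and data.lower().endswith("taskmon.exe"):
                hits.append(f"{key}\\{name} = {data}")
    default = reg.get(CLSID_KEY.lower(), {}).get("@", "")
    if default.lower().endswith("shimgapi.dll"):
        hits.append(f"{CLSID_KEY} (default) = {default}")
    return hits


def listening_backdoor_ports(netstat_text):
    """Ports in the 3127-3198 range that are in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _LISTEN.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            ports.add(int(m.group(1)))
    return sorted(ports)


def triage(reg_text, netstat_text):
    """Combine both checks; empty lists mean none of the traits was seen."""
    return {
        "registry": find_registry_indicators(parse_reg_export(reg_text)),
        "ports": listening_backdoor_ports(netstat_text),
    }


if __name__ == "__main__":
    for kind, found in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(kind, found)
```

Key names are compared case-insensitively because `reg export` writes `SOFTWARE` in upper case while the description writes `Software`; the listener check deliberately ignores non-LISTENING rows so an outbound connection to a port in that range is not mistaken for the backdoor.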

    31. Acquisition of addresses. Previous experience: WAB, HTML, for example. Searches for addresses in .adb .asp .dbx .htm .php .sht .tbb .txt .wab. E-mail generator: namelist@domain.*

    32. Denial-of-service attack. Date check: 1 February 2004. Web request: www.sco.com
