
Example of a threat landscape

faunus


    1. Example of a threat landscape: Spam

    2. Agenda
        - The threat landscape today
        - Techniques and blunders
        - Tools
        - Solution methods
        - Malicious code, spam technology

    3. Norman: end-to-end strategy

    4. Origin
        - Hormel, 1937, a food factory in the USA
        - The indeterminate mass of long-life meat
        - Monty Python restaurant sketch: whatever you order you get Spam, egg and Spam, baked beans and Spam ...

        Notes: In the 1930s father and son Hormel ran a food factory in the USA. In 1937 they invented the name SPAM. SPAM was used to describe the indeterminate mass of long-life meat that they packed into cans. Monty Python restaurant sketch: whatever you order you get Spam, egg and Spam, baked beans and Spam ...

    5. History
        - Online text games
        - Discussion groups: Usenet, 31.03.1993, a Usenet admin, 200 x the same message; flooded with posts, irrelevant, repetition
        - E-mail: unwanted e-mail, advertising; UBE, Unsolicited Bulk E-mail; UCE, Unsolicited Commercial E-mail; unsolicited = spontaneous
        - First spam, 03.05.1978: everyone on the West Coast ARPAnet, sent by a marketing manager at Digital Equipment Corporation (DEC)
        - U.S. Green Card lottery, 1994: 6000 discussion groups in 90 minutes; response: the ISP's server farm crashed 15 times

        Notes: Although spam has become a serious problem only in recent years, it is not a new phenomenon. According to BBC News, Brad Templeton, an old net veteran, has found that the first spam message must have been sent as early as 3 May 1978. A marketing manager at Digital Equipment Corporation (DEC) is said to have decided to send all users of the West Coast ARPAnet a message about an open day at which the company would show off a new series of computers. In 1978 it was roughly nine years since work on ARPAnet (Advanced Research Projects Agency) had begun, making it possible for many employees and students at universities and public institutions to exchange e-mail. ARPAnet was shut down in 1990 after being replaced by the faster NSFnet (National Science Foundation Network), which initially formed the backbone of what we today call the Internet. According to BBC News, the e-mail from DEC caused a great stir among ARPAnet users, partly because it was so badly written, but mostly because it clearly broke the network's guidelines. As a research tool, messages on ARPAnet were supposed to be non-commercial. The word spam for junk mail was probably first used by angry Usenet users after a Usenet administrator accidentally posted the same message 200 times to a discussion group on 31 March 1993. The expression had previously been used mostly in online text games, but allegedly stems from a Monty Python sketch in which a customer at a restaurant is offered "spam with everything", spam being a form of canned meat. More about this can be found on this page. Another milestone in the history of spam, according to BBC News, came in April 1994 when a law firm in Arizona sent a message advertising the "U.S. Green Card lottery" to up to 6000 discussion groups (the number of groups varies by source) on Usenet in barely 90 minutes. The messages were sent from an account at an Internet provider in Arizona. According to the Electronic Frontier Foundation, the stream of negative responses was so large that the Internet provider's servers crashed at least 15 times.

        The Definition of Spam: The word "Spam" as applied to Email means Unsolicited Bulk Email ("UBE"). Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. Technical Definition: An electronic message is "spam" IF: (1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (2) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND (3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender.

    6. Prohibited in Norway
        - Directing marketing communications to consumers by e-mail without consent
        - Consumer advertising to business e-mail addresses; the exception is job-related advertising
        - Equivalent rules within the EEA
        - USA: the option of unsubscribing from address lists

    7. Today's threat landscape

    8. Scale (MessageLabs, July 2004)
        - 1,007,249,930 e-mails, 94.5% spam
        - 84,068,375 contained viruses
        - 70% of all spam came from virus-infected machines
        - In 8 out of 10 cases where a server is infected by a virus: downtime of 17 hours or more

    9. Bayesian analysis, the salvation?
        - Artificial adaptive intelligence
        - Analyses the whole text, not single words
        - Constantly self-learning and user-sensitive
        - Language-independent and international
        - Harder to fool
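As an added example (not code from the presentation or from Norman's products), a minimal naive Bayes filter that scores a whole message from all of its words rather than from one keyword, works the same on Norwegian and English text, and keeps learning from user feedback; the training messages, the class name BayesFilter and the 0.9 threshold are constructed for this illustration.

```python
import math
import re
from collections import Counter

# \w is Unicode-aware in Python 3, so æ/ø/å count as word characters: language-independent tokenising
TOKEN_RE = re.compile(r"\w+")


def tokenize(text):
    """Split a message into lowercase word tokens."""
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    """Naive Bayes spam/ham classifier (assumed class name, not from the presentation)."""

    def __init__(self):
        self.word_docs = {"spam": Counter(), "ham": Counter()}  # messages containing each word
        self.docs = {"spam": 0, "ham": 0}                        # messages seen per class

    def train(self, text, label):
        """Learn from one message; calling this on user feedback keeps the filter self-learning."""
        self.docs[label] += 1
        # count each word once per message so a word repeated 50 times does not dominate
        self.word_docs[label].update(set(tokenize(text)))

    def word_prob(self, word, label):
        """P(word appears | class), Laplace-smoothed so a never-seen word never yields 0."""
        return (self.word_docs[label][word] + 1) / (self.docs[label] + 2)

    def spam_probability(self, text):
        """P(spam | text): the evidence of every word in the message combined."""
        if self.docs["spam"] == 0 or self.docs["ham"] == 0:
            raise ValueError("need training examples of both classes")
        total = self.docs["spam"] + self.docs["ham"]
        # log space, so long messages do not underflow to 0.0
        log_spam = math.log(self.docs["spam"] / total)
        log_ham = math.log(self.docs["ham"] / total)
        for word in set(tokenize(text)):
            log_spam += math.log(self.word_prob(word, "spam"))
            log_ham += math.log(self.word_prob(word, "ham"))
        diff = log_ham - log_spam
        if diff > 700:  # exp() would overflow; the message is overwhelmingly ham
            return 0.0
        # P(spam|text) = S / (S + H) = 1 / (1 + H/S) = 1 / (1 + exp(log H - log S))
        return 1.0 / (1.0 + math.exp(diff))

    def is_spam(self, text, threshold=0.9):
        """A high threshold prefers letting doubtful mail through over losing real mail."""
        return self.spam_probability(text) >= threshold


# Constructed training data, Norwegian and English mixed, since the method is language-independent.
SPAM_SAMPLES = [
    "Buy cheap herbal pills now, limited offer, click here",
    "Kjøp billige urtepiller nå, klikk her for tilbud",
    "Your account has an error, click the link and update your credit card now",
    "Gratis lotteri, vinn penger, klikk her",
]
HAM_SAMPLES = [
    "Møtereferat fra mandag, se vedlagt agenda for neste uke",
    "Can we move the meeting to Thursday? Agenda attached",
    "Hei, her er referatet fra møtet om trusselbildet",
    "Reminder: project review on Friday, please bring the report",
]


def build_demo_filter():
    """Train a filter on the constructed samples above."""
    f = BayesFilter()
    for text in SPAM_SAMPLES:
        f.train(text, "spam")
    for text in HAM_SAMPLES:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("Klikk her for billige urtepiller, gratis tilbud",
                "Referat fra møtet, agenda for neste uke vedlagt"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
    # the user flags a message as spam and the filter adapts at once, no rule update needed
    f.train("Vinn gratis penger i lotteri", "spam")
```

Note that "for" and "her" occur in both classes and only slightly shift the score; the verdict comes from the combination of all words, which is why single-keyword tricks are harder to use against it.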

    10. Remote images

    11. "Phishing"
        - Imitates companies' identity
        - Consumers' identity: credit card numbers, other financial data
        - Hit recently: AOL, Charlotte's Bank of America, Best Buy, eBay

        Notes: Spam, "phishing": identity thieves "fish" for your credit information. Norman has recently registered an increasing number of "spam" e-mails sent out with the intent of stealing identity information from consumers. "Phishing", as it is called, is the crime now growing fastest on the internet. This is done by imitating well-known "online" shops with e-mail addresses, logos and so on in order to defraud consumers of their identity, credit card number and other financial data. One example was AOL, where users received an e-mail saying that an error had occurred in AOL's order/billing system and that, to avoid losing their account, they had to update their information. The e-mail then recommended clicking a link, http://www.aol.com/acount/ . This link took users to a page with AOL's identity, logo, colours and so on, which gave users the impression that they were at AOL's login page. But they were not. After logging in on the fake pages with username and password, users were asked to fill in their name, national ID number, billing address, the credit card used with AOL, plus a new credit card number to correct the error, and bank account with credit limit. With this the crooks had obtained all the information needed to drain a person or a company of money. They were also left with the usernames and passwords for the users' e-mail accounts, which were then used to send out more spam. "Phishing" is a term for hackers who imitate companies' identity in e-mail to lure out identity information such as usernames, passwords and credit card numbers. Companies recently subjected to this form of crime are Charlotte's Bank of America, Best Buy and eBay. This is now the hottest and newest scam on the internet.

        Online bill pay
        MSN Money Plus is the convenient way to pay your bills online: MSN Bill Pay Standard Plan is included with your MSN 8 subscription. You can make an unlimited number of bill payments for free to more than 900 companies.
        • Receive bills electronically from numerous companies
        • View a list of upcoming bills for a quick picture of what's due
        Account management tools
        Use the My Favorite Accounts section to manage all your accounts in one place:
        • View account balances and transactions for your bank, brokerage, and credit card accounts
        • Transfer money between accounts quickly and easily
        • Your account information is updated automatically, eliminating the need for manual data entry
        Spending and budget tools
        Use MSN Money Plus to track where your money goes and to create a working budget:
        • Charts help you better understand and analyze your spending habits
        • View your spending by category, by payee, or by date range
        • Compare your actual spending to a budget you create based on your monthly income
        Easy access
        It's easy and convenient for you and your family to access information when and where you need to:
        • View your information from any PC with Internet access
        • You can invite your spouse to access your financial information, and children over 14 can use MSN Money Plus to start learning how to manage money
        • Use Microsoft .NET Alerts to receive alerts when your financial situation changes. For example, you can receive alerts via MSN Messenger or e-mail when the price of your favorite stock changes, your credit card balance goes above a set amount, or your bank account goes below a pre-defined balance.

    12. Phishing

    13. Where are the addresses taken from?
        - E-mail addresses on web pages: support, auctions, buying and selling, discussion forums, home pages, directories, awareness campaigns
        - Other places: newsgroups, online chat, message boards, CV databases, real-time messenger services (ICQ, MSN Messenger ...), domain name registrars (whois), dating services (MSN Soulmates)

        Notes: Email Address Harvesting: How Spammers Reap What You Sow. Is your in-box clogged with junk email messages from people you don't know? Are you overwhelmed by unsolicited email offering products or services you don't want? It's no wonder. According to research by the Federal Trade Commission (FTC) and several law enforcement partners, it's harvest time for spammers. But, the consumer protection agency says, the good news for computer users is that they can minimize the amount of spam they receive. According to the investigators, spammers typically use computer programs that search public areas on the Internet to compile, capture, or otherwise "harvest" lists of email addresses from web pages, newsgroups, chat rooms, and other online destinations.

    14. Published e-mail addresses
        - Web: frode lein.no; frode AT lein DOT no; Frode_SPAM_lein.no

        Notes: I make my private web pages in MS FrontPage. This results in the front page being named "Hovedside".

    15. Harvesting of e-mail addresses
        - Software: compiling, Whois, Internics
        - Capture of screen text
        - Chat rooms: a magnet for "harvesting software"; from first use to first spam: 9 minutes
        - Search engines
        - Translations

        Notes: To find out which fields spammers consider most fertile for harvesting, investigators "seeded" 175 different locations on the Internet with 250 new, undercover email addresses. The locations included web pages, newsgroups, chat rooms, message boards, and online directories for web pages, instant message users, domain names, resumes, and dating services. During the six weeks after the postings, the accounts received 3,349 spam emails. The investigators found that: 86 percent of the addresses posted to web pages received spam. It didn't matter where the addresses were posted on the page: if the address had the "@" sign in it, it drew spam. 86 percent of the addresses posted to newsgroups received spam. Chat rooms are virtual magnets for harvesting software. One address posted in a chat room received spam nine minutes after it first was used. Addresses posted in other areas on the Internet received less spam, the investigators found. Half the addresses posted on free personal web page services received spam, as did 27 percent of addresses posted to message boards and nine percent of addresses listed in email service directories. Addresses posted in instant message service user profiles, "Whois" domain name registries, online resume services, and online dating services did not receive any spam during the six weeks of the investigation. In almost all instances, the investigators found, the spam received was not related to the address used. As a result, consumers who use email are exposed to a variety of spam - including objectionable messages - no matter the source of the address. Some email addresses posted to children's newsgroups received a large amount of spam promoting adult web sites, pitching work-at-home schemes, and even advertising hallucinogenic drugs.

        Slowing the Email Harvest: The investigators indicate that email address harvesting usually is automated, because spam can hit the addresses soon after they are used publicly the first time; the spam was not targeted; and some addresses were picked up off web pages even when they weren't visible to the eye. Still, they say, consumers can protect their email addresses from harvesting programs. Here's how:
        1. Consider "masking" your email address. Masking involves putting a word or phrase in your email address so that it will trick a harvesting computer program, but not a person. For example, if your email address is "johndoe@myisp.com," you could mask it as "johndoe@spamaway.myisp.com." Be aware that some newsgroup services or message boards won't allow you to mask your email address and some harvesting programs may be able to pick out common masks.
        2. Use a separate screen name for chatting. If you use chat rooms, use a screen name that's not associated with your email address. Consider using the screen name only for online chat.
        3. Set up disposable addresses. Decide if you want to use two email addresses - one for personal messages and one for posting in public. Consider using a disposable email address service that creates separate email addresses that forward to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.
        4. Use two email accounts. If you work for a business or organization that wants to receive email from the public, consider creating separate accounts or disposable email addresses for that purpose, rather than having an employee's address posted in public.
        5. Use a unique email address, containing both letters and numbers. Your choice of email address may affect the amount of spam you receive because some spammers use "dictionary attacks" to email many possible name combinations at large ISPs or email services, hoping to find a valid address.
        Meanwhile, what can you do with the spam in your in-box? Report it, making sure that you include the full email header. The information in the header makes it possible to follow up on your complaint. Send your spam to: The Federal Trade Commission, at uce@ftc.gov. The FTC uses the emails in this database to pursue law enforcement actions against people who send deceptive spam. Your ISP's abuse desk. Often the email address is abuse@yourispname.com or postmaster@yourispname.com. Forwarding your spam to your ISP lets them know about the spam problem on their system and helps them to stop it. Include a copy of the spam, along with the full email header, and at the top of the message, state that you're complaining about being spammed. The sender's ISP. Most ISPs want to cut off spammers who abuse their system. Include a copy of the message and header information and state that you're complaining about spam.

    16. E-mail collection

    17. What else do we do wrong?
        - E-mail: replying to spam; jumping at "one-hour offers" and the like; unsubscribing from mailing lists
        - Auto-reply: out-of-office messages (Corporate IT Forum)
        - Automatic preview
        - Chain letters

        Digression, auto-reply: Burglars can use e-mail replies. If you use the automatic reply service on your e-mail, burglars can find out that you are away on Easter holiday. In many e-mail programs you can set up an automatic reply that is sent to those who e-mail you. If you enter "I am away on holiday for three weeks and cannot answer e-mail", thieves can tell that your house is empty and ready for a break-in. The British technology industry body Corporate IT Forum has found a number of examples of criminals buying up e-mail lists and then sending out e-mails to check whether they get automatic replies. When the holiday notice arrives, the thieves look up your home address, writes Dagsavisen. The Data Protection Authority (Datatilsynet) has heard of the method but knows of no examples of such burglaries in Norway. Neither Manglerud police station in Oslo nor Økokrim have had such cases.

    18. Impossible to stop spammers?
        - Earthlink (ISP): ten dedicated spam staff; spam steals resources, risk of lawsuits; no caller ID; closed the accounts; new accounts handed out without checking everything; private detective, the police
        - Supplier of herbal pills: masses of hate mail and spam; 3 months before the papers could be served; sued for 16 million dollars; 13 months
        - "Buffalo": false addresses and telephone numbers; public telephones; stolen credit card numbers; software sending millions of spam per hour; 343 accounts; 825 million spam mails per year; boast of "10 million advertising messages"; 36 sales / 360 dollars; a court order must be served in person; lives with his mother and earned small sums

        Notes: Here is the explanation for why your Norwegian e-mail account is buried in junk. Earthlink's hunt for a spammer shows how American society lets spammers hide. In a digitised world where everything can be looked up and traced, it may seem unbelievable that it is possible to flood the Internet with millions of advertising messages and still get away with it. The Wall Street Journal has written a story about the Internet provider Earthlink's hunt for one of the worst offenders that illustrates how spam works and why it is so hard to stop. The story is interesting reading for Norwegian net users because most of the e-mail junk probably originates from American e-mail accounts. Earthlink, the third largest Internet provider in the USA, has a staff of no fewer than ten employees trying to curb spam and other problems. The effort is due to spam stealing enormous resources, and in a country where it seems everyone sues everyone for almost anything, Earthlink is probably afraid of being made to pay its customers. Even so, Earthlink can only concentrate on the very worst. For a year the anti-spam group hunted a repeat offender who was finally caught. Here are the points that explain why it is so difficult: Buffalo, as the spammer called himself, could call from public telephones whenever he wanted and order new Internet accounts. To pay, he gave stolen credit card numbers. Stolen cards remain in circulation for a long time in the USA because the banking system is not fully digitised to the same degree as in, for example, Norway. The story also reveals that Internet providers such as Earthlink hand out new accounts continuously, apparently without any particular checks. Earthlink closed the accounts as it went, but by then "Buffalo" had usually finished a mailing and simply created a new account. Spam software lets the advertisers send millions of messages in a few hours and then disconnect. In all, Buffalo used 343 accounts and sent out 825 million spam messages in the year Earthlink hunted him. Because far from all telephone exchanges in the USA have been upgraded to caller ID, companies such as Earthlink cannot block all traffic from given telephone numbers. Spammers are also largely left to work in peace, since the police do not prioritise spam cases over murder and other criminal cases. Earthlink therefore had to bring a private lawsuit and use private detectives, which costs a lot of money. The chance of compensation and confiscation of proceeds is, from experience, almost nil, and Earthlink's investigation also revealed that spam, at least in this case, is not very effective: Earthlink finally tried to go after the suppliers Buffalo advertised for. This is the only genuine information in spam; the goal, after all, is to put you in contact with someone who will sell you something. It was during this hunt that Earthlink's lawyer finally got in touch with one of the spammer's customers, a Florida-based supplier of herbal pills who admitted that a person with the surname Carmack had boasted of having sent out 10 million advertising messages for the firm. But this produced only 36 sales, and Carmack earned a measly 360 dollars for the work. And because the supplier received so much hate mail and spam from its own e-mail users, he asked Carmack to stop. Eventually 36-year-old Howard Carmack was tracked down, but because a court order must be served in person, Earthlink's lawyer spent a full three months before he managed to surprise Carmack outside his house. The detectives lay in wait in a van with tinted windows. Carmack had hidden behind a web of false addresses and telephone numbers, as is possible in the USA, partly because registers and legislation are limited to each state. Earthlink has sued Carmack for 16 million dollars, writes the Wall Street Journal. But the man lives with his mother and has thus earned only small sums by flooding the Internet with junk. The Earthlink story shows that perhaps the most effective weapon against spammers is to go after those who hire them: complaints, lawsuits and other measures can help curb the demand for spammers' services.

    19. Issues
        - Silverpop opened e-mail accounts at Hotmail and Yahoo and registered them with various notification services
        - 1 in 4 messages did not get through

    20. Samferdselsdepartementet (the Norwegian Ministry of Transport and Communications)
Do not use e-mail preview. Do not open spam; delete it based on the sender, recipient and subject fields. Do not reply to, and never buy anything on the basis of, randomly sent e-mail. Do not forward chain letters or take part in signature campaigns. Do not leave your e-mail address on web pages, newsgroups, chat and the like. Use a long, "illogical" e-mail address (veldig8vanskelig2epost45@isp.no). Use one e-mail address for work, another for friends and a third for people you do not know; the third account can be closed once spammers have caught it. Do not spread your e-mail addresses indiscriminately to many people. Do not use automatic replies in your e-mail program. When sending to many recipients, do not send e-mail with the recipients' addresses visible.

Kris Abel
Recognizing that you're bound to get junk e-mail no matter what you do online, Abel says the first strategy should be to delete them as soon as they arrive in your inbox. Because a lot of spam is addressed to email account names generated by special software, the sender often has no idea whether the target is legitimate or not. "Don't open them," Abel told Canada AM. "Because if you open them, they'll open up a pile of graphics and that will send a signal back to the sender telling them that your e-mail account is active." As soon as the spammer knows an e-mail account is active, they will not only send you more spam, but they will sell your address on to other illegal spam artists, Abel warned. Even sharing your e-mail with friends online could spell trouble down the road. "If you're going to a forum and you want to connect with somebody else, give them your e-mail address, but don't use the '@' symbol," Abel said. Because no e-mail address lacks the tell-tale symbol, programs that scour the Internet use it as a signpost for identifying e-mail addresses. By typing the word 'at' instead of the symbol, readers can understand but computer programs will be fooled, Abel said.

Slowing the Email Harvest
The investigators indicate that email address harvesting usually is automated, because spam can hit the addresses soon after they are used publicly the first time; the spam was not targeted; and some addresses were picked up off web pages even when they weren't visible to the eye. Still, they say, consumers can protect their email addresses from harvesting programs. Here's how:
1. Consider "masking" your email address. Masking involves putting a word or phrase in your email address so that it will trick a harvesting computer program, but not a person. For example, if your email address is "johndoe@myisp.com," you could mask it as "johndoe@spamaway.myisp.com." Be aware that some newsgroup services or message boards won't allow you to mask your email address and some harvesting programs may be able to pick out common masks.
2. Use a separate screen name for chatting. If you use chat rooms, use a screen name that's not associated with your email address. Consider using the screen name only for online chat.
3. Set up disposable addresses. Decide if you want to use two email addresses - one for personal messages and one for posting in public. Consider using a disposable email address service that creates separate email addresses that forward to your permanent account. If one of the disposable addresses begins to receive spam, you can shut it off without affecting your permanent address.
4. Use two email accounts. If you work for a business or organization that wants to receive email from the public, consider creating separate accounts or disposable email addresses for that purpose, rather than having an employee's address posted in public.
5. Use a unique email address, containing both letters and numbers. Your choice of email address may affect the amount of spam you receive because some spammers use "dictionary attacks" to email many possible name combinations at large ISPs or email services, hoping to find a valid address.
Meanwhile, what can you do with the spam in your in-box? Report it, making sure that you include the full email header. The information in the header makes it possible to follow up on your complaint. Send your spam to:
The Federal Trade Commission, at uce@ftc.gov. The FTC uses the emails in this database to pursue law enforcement actions against people who send deceptive spam.
Your ISP's abuse desk. Often the email address is abuse@yourispname.com or postmaster@yourispname.com. Forwarding your spam to your ISP lets them know about the spam problem on their system and helps them to stop it. Include a copy of the spam, along with the full email header, and at the top of the message, state that you're complaining about being spammed.
The sender's ISP. Most ISPs want to cut off spammers who abuse their system. Include a copy of the message and header information and state that you're complaining about spam.

Draft rules for minimising unwanted random e-mail (spam)
1. Do not use e-mail preview.
2. Do not open spam; delete it based on the sender, recipient and subject fields. Often this is easiest to do via a web-based e-mail reader.
3. Do not reply to, and never buy anything on the basis of, randomly sent e-mail.
4. Do not forward chain letters or take part in signature campaigns.
5. Do not leave your e-mail address on web pages, newsgroups, chat and the like. Where you do, first check the terms and how reputable the site is.
6. Use a long, "illogical" e-mail address (veldig8vanskelig2epost45@isp.no).
7. Use one e-mail address for work, another for friends and a third for people you do not know. The third account can be closed once spammers have caught it.
8. Do not spread your e-mail addresses indiscriminately to many people.
9. Do not use automatic replies in your e-mail program.
10. When sending to many recipients, do not send e-mail with the recipients' addresses visible. E-mail programs have functions for avoiding this.
11. Get an up-to-date spam filter, either on your own machine or via your Internet service provider.
12. Keep yourself continuously up to date with the latest developments via relevant websites, and learn how spam, viruses and the like work.
13. Use an up-to-date virus filter.
14. Keep the PC's operating system continuously updated, with newly discovered security holes in mind.
15. Use a firewall.
Points 12, 13 and 14 prevent you from involuntarily becoming a spam sender yourself.

    21. Friendly spam kills productivity
Friends, acquaintances, colleagues. Cc, "reply to all". 35 billion e-mails by 2005. "E-mail doesn't save you time, it wastes it."

Friendly-spam can kill your productivity
By Dale Tournemille, CTV News Staff
E-mail, it's been said, is the Internet's killer app. It's fast, easy and cheap. But for all its worth, e-mail is killing productivity and becoming a sinking lifeboat in a sea of messages. There's simply too much e-mail being tossed around, and not just from unscrupulous peddlers of get-rich-quick schemes, pornography, or scams on how to lose 50 pounds in 50 hours. The deluge of e-mail filling our inboxes is increasingly of the so-called friendly-spam variety -- messages from chatty friends, colleagues, customers, professional associates, and just about anyone else you might have handed your business card to. Friendly-spam arrives from people you know and maybe even trust, which has stoked the notion that it's acceptable and, indeed, to be encouraged. Therein lies the problem.
A new study at the University of Western Ontario suggests too much of a good thing can be bad for you, particularly when it comes to e-mail. "People enjoy the convenience of sending relevant information quickly and easily, but this is far overshadowed by the volumes of low-value e-mails received each day," says business professor Christina Cavanagh. Her study of 57 business professionals showed what many Internet users have quickly been discovering themselves: E-mail doesn't save you time, it wastes it. The study suggests e-mail is killing productivity because the simple act of managing so much e-mail is taking up more and more valuable time. On average, 70 per cent of respondents said that over the last two years, time spent managing e-mail has increased an additional hour per day. And it gets worse. Internet users at work are having to spend their personal time at home handling the overflow of work-related e-mails, making the work-lifestyle balance even more difficult to maintain.
The study found that the primary culprit was -- wait for it -- friendly-spam. The problem is that in the workplace, users commonly address e-mails to dozens or more co-workers thanks to the indiscriminate use of corresponding copy (cc) and the "reply to all" features built into today's e-mail programs. "The use of these features is considered out of control and contributes greatly to low-value, yet highly irksome, e-mails," says Cavanagh. "People abuse the privilege of knocking on your door with e-mail." The problem could also be our own laziness. Respondents in Cavanagh's study questioned the need to send e-mail to someone who sits down the hall or in the cubicle next door.
Too much e-mail costs time and money, but it could also be costing people a lot more because of the social isolation associated with some forms of technology. A Stanford University study of 4,000 adult Internet users found that while e-mail use increases "contact" with family and friends, it results in less time spent in contact with real human beings. "The Internet could be the ultimate isolating technology that further reduces our participation in communities even more than did automobiles and television before it," said Stanford Professor Norman Nie. "This is an early trend that, as a society, we really need to monitor carefully."
As a technologically-savvy bunch, Canadians are very much at risk. Statistics Canada says 13 million Canadians, or 53 per cent of those aged 15 and over, use the Internet regularly. Almost all use e-mail. By the year 2005, the number of worldwide e-mails sent on an average day is expected to hit 35 billion, more than triple what it is now. Like a heavy rain, escalating e-mail usage can be a blessing or a curse depending on how prepared you are.
The best way to cut down on e-mail use is to attack it at the root -- the sender. Cavanagh advises users to start advising senders about unnecessary messages. A proactive way to combat the problem is also to always respond directly to the original sender; don't use the "reply to all" feature. If that doesn't work, try setting up electronic filters -- almost all e-mail programs have them -- to sort and file messages based on importance, which should end up moving most of them right into the trash bin.

    22. Spam – in society
Pop-ups, Windows Messenger Service, mobile (SMS, MMS), telephone surveys, IP telephony.

    23. Solutions

    24. Solutions
Client solutions: home office. Server solutions: 9 different filters; in 8 out of 10 cases where the server is infected by a virus, the downtime is 17 hours or more. Online service: operated & monitored 24/7.

    25. Sketch – Norman Online Protection

    26. Example: W32/Mydoom.A-mm, an e-mail worm that uses spam technology
W32/MyDoom.A@mm
General characteristics
Type: Worm
Alias: Novarg.A, Shimg.A, Mimail.R
Spreading mechanism: Email, other
Email characteristics: Subject: Variable. Body: Variable. Attachment: Variable.
Destructivity: Medium
Payload: Denial-of-service attack/backdoor functionality
Detected by virus detection files published: 27 Jan 2004
Virus characteristics first published: 26 Jan 2004 23:26 (CET)
Virus characteristics latest update: 27 Jan 2004 18:14 (CET)

Additional description of malicious program
Type: This is a new worm. File size is 22528 bytes, though the size may vary somewhat when the worm comes as a zip.
Spreading mechanism: The worm installs itself in memory and creates the mutex "SwebSipcSmtxS0" to avoid being loaded twice. It copies itself to the Windows System directory under the name TASKMON.EXE. The original, if any, is deleted. The worm creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
or HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
The worm then checks the registry key HKCU\Software\Kazaa\Transfer DlDir0 for the presence of a Kazaa peer-to-peer default download directory. If found, it copies itself to this directory as well. The main spreading function is by email: MyDoom searches through several types of files hunting for email addresses to send itself to. A file called SHIMGAPI.DLL is also installed to the Windows System directory. The installed DLL inserts the following registry key:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll
This has the effect that the DLL is loaded along with the operating system at startup. When the worm executes, it will usually display some garbage data via Notepad. The worm will stop spreading on February 12th 2004. However, it will retain the backdoor functionality.
Wordlist 1: Filenames used when creating files in Kazaa directories: winamp5, nuke2004, office_crack, rootkitXP, strip-girl-2.0bdcom_patches
Wordlist 2: Extensions used when creating files in Kazaa directories: *.bat, *.exe, *.scr, *.pif
Wordlist 3: Possible email subject fields: random letters, "Error", "Status", "Server report", "Mail Transaction Failed", "Mail Delivery System", "Hello", "Hi"
Wordlist 4: Possible email text: no body text, random garbage text, "Mail transaction failed. Partial message is available.", "The message contains Unicode characters and has been sent as a binary attachment.", "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.", "test"
Wordlist 5: Possible file names used for mail attachments: random letter combination, "Message", "Doc", "Test", "Body", "Data", "File", "Text", "Readme", "Document"
Wordlist 6: Possible file extensions for mail attachments: zip, bat, cmd, exe, scr, pif
Note: When the attachment comes as a zip file, it is common that the file inside has a double extension, where the last extension is hidden by adding a lot of spaces to the name.
Wordlist 7: File types searched for email addresses: wab, pl, adb, tbb, dbx, asp, php, sht, htm, txt
Wordlist 8: Names used for guessing addresses: sandra, linda, julie, jimmy, jerry, helen, debby, claudia, brenda, anna, alice, brent, adam, ted, fred, jack, bill, stan, smith, steve, matt, dave, dan, joe, jane, bob, robert, peter, tom, ray, mary, serg, brian, jim, maria, leo, jose, andrew, sam, george, david, kevin, mike, james, michael, alex, john
Destructivity and Payload: Depending on a date trigger (between Feb 1st 2004 and Feb 12th 2004), the worm will perform a denial-of-service attack against www.sco.com. If this triggers, it will check every 8 seconds whether it is connected to the Internet. If it is, and if the site www.sco.com is found, threads conducting never-ending series of HTTP GET requests are directed at this site. The installed SHIMGAPI.DLL listens on ports 3127-3198. The full functionality is not yet fully uncovered, but it seems that it enables an attacker to upload and execute a file.
Detection and removal: This worm is detected and removed using defs from Jan 27th 2004 and newer. To completely remove the worm from infected systems, work through the following procedure: On Windows Me and Windows XP, deactivate System Restore. Download and run MyDoomFix.com. Restart the computer. The reboot is necessary to delete infected file(s) that cannot be deleted without a reboot.

    27. Spread (source: messagelabs.com)
First stopped in: Russia. Total stopped: 43302279. Most active month: Feb 2004. Number of countries: 216. Peak infection date: 27 Jan 2004. Peak infection rate: 1 / 12. Infections reported to Norman: 10 individual users.

MessageLabs information: W32/Mydoom.A-mm
General: Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and targets files with the following extensions: .wab, .adb, .tbb, .dbx, .asp, .php, .sht, .htm, .txt. Mydoom also tries to randomly generate or guess likely email addresses to send itself to. In addition, initial analysis suggests that Mydoom opens a connection on TCP port 3127, an indication of a remote access component.
Email characteristics: From: Random, spoofed email address. Subject: Random. Text: Various, including: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."; "The message contains Unicode characters and has been sent as a binary attachment."; "Mail transaction failed. Partial message is available." Attached file: Various, with extensions including .exe, .pif, .cmd, .scr. The attachment often arrives in a zip archive, and is also represented by what appears to be a text file icon, but is in fact an executable. Size: 22,528 bytes.
Detection: MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.
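The mail characteristics listed in slides 26 and 27 (wordlist subjects and body texts, wordlist attachment names, executable extensions, the 22528-byte size and the padded double extension inside a zip) are enough for a gateway-side heuristic. The following is an added example, not Norman's or MessageLabs' code; the sample message is constructed (the "executable" inside the zip is zero-filled padding of the documented size), and the quarantine rule (wordlist lure plus executable-looking attachment) is an assumption.

```python
"""Added example: score an incoming message against the W32/MyDoom.A@mm lure
characteristics quoted on this page. Not vendor code; the sample is constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Wordlists 3-6 from the Norman description, lower-cased for comparison.
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODIES = {
    "test",
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
}
ATTACH_STEMS = {"message", "doc", "test", "body", "data", "file", "text", "readme", "document"}
EXEC_EXTS = {"bat", "cmd", "exe", "scr", "pif"}
WORM_SIZE = 22528  # file size given in the description (varies when zipped)
# 'document.txt<many spaces>.exe': a short first extension, padding, then the real one
PADDED_DOUBLE_EXT = re.compile(r"\.\w{1,4}\s{2,}\.\w{1,4}$")


def inspect_filename(name: str) -> tuple[list[str], list[str]]:
    """Return (lure_hits, payload_hits) for one attachment filename."""
    lure, payload = [], []
    stem, _, ext = name.rpartition(".")
    if ext.lower() in EXEC_EXTS:
        payload.append(f"executable extension .{ext.lower()}")
    if PADDED_DOUBLE_EXT.search(name):
        payload.append("double extension hidden by whitespace padding")
    first = stem.split(".")[0].lower()
    if first in ATTACH_STEMS:
        lure.append(f"attachment name '{first}' from worm wordlist")
    return lure, payload


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect MyDoom.A lure/payload indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    lure, payload = [], []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        lure.append(f"subject '{subject}' from worm wordlist")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    if body in BODIES:
        lure.append("body text from worm wordlist")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        l, p = inspect_filename(name)
        lure += l
        payload += p
        if name.lower().endswith(".zip"):
            # Look inside the archive: that is where the worm hides the executable.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        l, p = inspect_filename(info.filename)
                        lure += l
                        payload += [f"inside zip: {h}" for h in p]
                        if info.file_size == WORM_SIZE:
                            payload.append("inside zip: file is exactly 22528 bytes")
            except zipfile.BadZipFile:
                payload.append("attachment named .zip is not a valid zip archive")
        elif len(data) == WORM_SIZE:
            payload.append("attachment is exactly 22528 bytes")
    # Assumed policy: a lure alone (a real 'Hello' mail) passes, an executable-looking
    # attachment alone is flagged for review, the combination is quarantined.
    if payload and lure:
        verdict = "quarantine"
    elif payload:
        verdict = "review"
    else:
        verdict = "pass"
    return {"lure": lure, "payload": payload, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed lookalike of the worm's mail (not a captured sample): the
    'executable' inside the zip is zero-filled padding of the documented size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 40 + ".exe", b"\0" * WORM_SIZE)
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("The message contains Unicode characters and "
                    "has been sent as a binary attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = inspect_message(build_sample())
    print(result["verdict"])
    for hit in result["lure"] + result["payload"]:
        print(" -", hit)
```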

    28. Infection via file-sharing services
Filenames used: Winamp5, Nuke2004, office_crack, strip-girl-2.0bdcom_patches, rootkitXP

    29. Installation. Memory: mutex "SwebSipcSmtxS0". Windows System folder: TASKMON.EXE, SHIMGAPI.DLL. Windows registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version, HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe or HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe, HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll. KAZAA: HKCU\Software\Kazaa\Transfer DlDir0. Opens ports.

Spreading mechanism: Email, other
Email characteristics: Subject: Variable; Body: Variable; Attachment: Variable
Destructivity: Medium
Payload: Denial-of-service attack/backdoor functionality

Additional description of malicious program

Type: This is a new worm. File size is 22528 bytes, though the size may vary somewhat when the worm comes as a zip.

Spreading mechanism: The worm installs itself in memory and creates the mutex "SwebSipcSmtxS0" to avoid being loaded twice. It copies itself to the Windows System directory under the name TASKMON.EXE. The original, if any, is deleted. The worm creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
or
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon = [SYSTEM]\taskmon.exe
The worm then checks the registry key HKCU\Software\Kazaa\Transfer DlDir0 for the presence of a Kazaa peer-to-peer default download directory. If found, it copies itself to this directory as well. The main spreading function is by email: MyDoom searches through several types of files hunting for email addresses to send itself to. A file called SHIMGAPI.DLL is also installed to the Windows System directory. The installed DLL inserts the following registry key:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll
This has the effect that the DLL is loaded along with the operating system at startup. When the worm executes, it will usually display some garbage data via Notepad. The worm will stop spreading on February 12th 2004; however, it retains the backdoor functionality.

Wordlist 3: Possible email subject fields: random letters, "Error", "Status", "Server report", "Mail Transaction Failed", "Mail Delivery System", "Hello", "Hi"
Wordlist 4: Possible email text: no body text, random garbage text, "Mail transaction failed. Partial message is available.", "The message contains Unicode characters and has been sent as a binary attachment.", "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.", "test"
Wordlist 5: Possible file names used for mail attachments: random letter combination, "Message", "Doc", "Test", "Body", "Data", "File", "Text", "Readme", "Document"
Wordlist 6: Possible file extensions for mail attachments: zip, bat, cmd, exe, scr, pif
Note: When the attachment comes as a zip file, it is common that the file inside has a double extension, where the last extension is hidden by adding a lot of spaces to the name.
Wordlist 7: File types searched for email addresses: wab, pl, adb, tbb, dbx, asp, php, sht, htm, txt
Wordlist 8: Names used for guessing addresses: sandra, linda, julie, jimmy, jerry, helen, debby, claudia, brenda, anna, alice, brent, adam, ted, fred, jack, bill, stan, smith, steve, matt, dave, dan, joe, jane, bob, robert, peter, tom, ray, mary, serg, brian, jim, maria, leo, jose, andrew, sam, george, david, kevin, mike, james, michael, alex, john

Destructivity and Payload: Depending on a date trigger (between Feb 1st 2004 and Feb 12th 2004), the worm will perform a denial-of-service attack against www.sco.com. If this triggers, it checks every 8 seconds whether it is connected to the Internet. If it is, and if the site www.sco.com is found, threads conducting a never-ending series of HTTP GET requests are directed at this site. The installed SHIMGAPI.DLL listens on ports 3127-3198. The full functionality is not yet fully uncovered, but it seems that it enables an attacker to upload and execute a file.

Detection and removal: This worm is detected and removed using defs from Jan 27th 2004 and newer. To completely remove the worm from infected systems, work through the following procedure: On Windows Me and Windows XP, deactivate System Restore. Download and run MyDoomFix.com. Restart the computer. The reboot is necessary to delete infected file(s) that cannot be deleted without a reboot.
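The wordlists above describe what a mail gateway could have matched on in early 2004. The following is an added example, written for this page and not taken from the presentation or from any vendor product: it scores a message against wordlists 3, 5 and 6 and, for zip attachments, opens the archive in memory and looks for the padded double-extension trick described in the note under wordlist 6 (an inner extension, a long run of spaces, then the real executable extension). The sample message and zip archive are constructed here; the threshold of five spaces and the quarantine policy are assumptions of the example.

```python
"""Mail-gateway triage for MyDoom-style attachments (added example, constructed data)."""
import io
import re
import zipfile

# Wordlists copied from the worm description above (lowercased for matching).
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}                     # wordlist 3
ATTACH_NAMES = {"message", "doc", "test", "body", "data", "file",
                "text", "readme", "document"}                          # wordlist 5
ATTACH_EXTS = {"zip", "bat", "cmd", "exe", "scr", "pif"}               # wordlist 6
EXECUTABLE_EXTS = ATTACH_EXTS - {"zip"}

# "readme.txt<many spaces>.scr": the spaces push the real extension out of view.
# Five or more spaces is an assumed threshold, not a figure from the description.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<base>[^.]+)\.(?P<inner>\w+) {5,}\.(?P<outer>\w+)$", re.I)


def split_name(filename: str):
    """Return (base, lowercased extension); extension is '' when there is none."""
    base, _, ext = filename.rpartition(".")
    if not base:
        return filename, ""
    return base, ext.lower()


def suspicious_filename(filename: str) -> list[str]:
    """Reasons why one attachment or archive-member name looks MyDoom-like."""
    reasons = []
    m = PADDED_DOUBLE_EXT.match(filename)
    if m and m.group("outer").lower() in EXECUTABLE_EXTS:
        reasons.append(f"padded double extension hides .{m.group('outer').lower()}")
    base, ext = split_name(filename.rstrip())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if base.strip().lower() in ATTACH_NAMES and ext in ATTACH_EXTS:
        reasons.append(f"wordlist-5 name '{base.strip()}' with wordlist-6 extension .{ext}")
    return reasons


def score_message(subject: str, attachments: dict[str, bytes]) -> dict:
    """Score one message; attachments maps filename -> raw bytes.

    Subject hits alone ("Hi") are far too common to act on, so the quarantine
    decision (an assumed policy) rests on attachment findings only.
    """
    findings = []
    for name, data in attachments.items():
        findings += [f"{name!r}: {r}" for r in suspicious_filename(name)]
        if split_name(name)[1] == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        findings += [f"{name!r} -> {member!r}: {r}"
                                     for r in suspicious_filename(member)]
            except zipfile.BadZipFile:
                findings.append(f"{name!r}: not a valid zip archive")
    return {"subject_hit": subject.strip().lower() in SUBJECTS,
            "attachment_findings": findings,
            "quarantine": bool(findings)}


def build_sample_zip() -> bytes:
    """Constructed sample: a zip whose member uses the padded double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 40 + ".scr", b"constructed sample, not a program")
    return buf.getvalue()


# Constructed message modelled on the description's wordlists.
SAMPLE_MESSAGE = {"subject": "Mail Delivery System",
                  "attachments": {"Message.zip": build_sample_zip()}}

if __name__ == "__main__":
    result = score_message(**SAMPLE_MESSAGE)
    for line in result["attachment_findings"]:
        print(line)
    print("quarantine:", result["quarantine"])
```

Matching on a wordlist is brittle (the worm also used random letters for subjects and names), which is why the structural check on the archive member name is the part worth keeping: a run of spaces between two extensions has no legitimate use in an attachment name.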

    30. Installation. Windows System folder: SHIMGAPI.DLL. Listens on ports 3127-3198. Windows registry: HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32 = shimgapi.dll. Starts processes and stays resident in memory. Starts with Windows. Checks the date: 01.02.2004 – 12.02.2004. Harvests @ addresses. Replicates itself. Back to steps 1-2.
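The installation artefacts on the last two slides (the Run value, the hijacked CLSID InprocServer32 default value, the ComDlg32\Version marker keys, the Kazaa download directory and the listener on 3127-3198) are what an incident responder would check for on a suspect machine. The following is an added example, not from the presentation or from any vendor removal tool: it parses a registry export in .reg text form and a netstat-style listing, both constructed here, and reports which artefacts are present. The .reg parser handles only the string values needed here, and the sample paths under C:\WINDOWS\System32 are assumptions of the example.

```python
"""Host triage for the MyDoom installation artefacts (added example, constructed data)."""
import re

# Registry locations from the worm description above, in the long hive names
# that a .reg export uses. Tuples keep the report order deterministic.
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
MARKER_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
               r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version")
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32"
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\Transfer"
BACKDOOR_PORTS = range(3127, 3199)        # 3127-3198 inclusive


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse .reg text into {key path: {value name: data}}; '@' is the default value.

    Only quoted string values are handled; .reg escapes backslashes as '\\\\'.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def check_registry(keys: dict[str, dict[str, str]]) -> list[str]:
    """Report the worm's persistence and marker keys found in a parsed export."""
    hits = []
    for run_key in RUN_KEYS:
        data = keys.get(run_key, {}).get("Taskmon", "")
        if data.lower().endswith("taskmon.exe"):
            hits.append(f"Run value Taskmon -> {data} under {run_key}")
    inproc = keys.get(CLSID_KEY, {}).get("@", "")
    if inproc.lower().endswith("shimgapi.dll"):
        hits.append(f"InprocServer32 default -> {inproc} (loaded with the OS at startup)")
    for marker in MARKER_KEYS:
        if marker in keys:
            hits.append(f"infection marker key present: {marker}")
    dldir = keys.get(KAZAA_KEY, {}).get("DlDir0")
    if dldir:
        hits.append(f"Kazaa download directory {dldir}: check it for the worm's copies")
    return hits


NETSTAT_LINE = re.compile(r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING", re.I)


def check_listeners(netstat_text: str) -> list[int]:
    """Return listening TCP ports that fall inside the backdoor range 3127-3198."""
    ports = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group("port")) in BACKDOOR_PORTS:
            ports.append(int(m.group("port")))
    return sorted(ports)


def triage(reg_text: str, netstat_text: str) -> dict:
    """Combine both checks into one verdict for the host."""
    reg_hits = check_registry(parse_reg_export(reg_text))
    ports = check_listeners(netstat_text)
    return {"registry": reg_hits, "backdoor_ports": ports,
            "infected": bool(reg_hits) or bool(ports)}


# Constructed sample export: one benign Run value, the worm's Run value, one
# marker key and the hijacked CLSID. Paths are assumed for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Taskmon"="C:\\WINDOWS\\System32\\taskmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version]

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\System32\\shimgapi.dll"
"ThreadingModel"="Apartment"
"""

# Constructed netstat -an style listing: 3199 is just outside the range.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      10.0.0.5:80            ESTABLISHED
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(k, v)
```

The CLSID check is the one that survives a partial clean-up: deleting taskmon.exe and its Run value leaves shimgapi.dll loading at every start, which is exactly why the description says the backdoor functionality outlives the spreading deadline.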

    31. Acquisition of addresses. Earlier experience: WAB, HTML, etc. Searches for addresses in .adb .asp .dbx .htm .php .sht .tbb .txt .wab. Email generator: name-from-list@domain.*

    32. Denial-of-service attack. Date check: 1 February 2004. Web request to www.sco.com
