So Maura just shared with you a recent little adventure we had with a pushbot worm. I’d like to give you my side, and a bit of insight into the thinking that should be going on in your head when something like this happens.
It comes down to the practice of what is called Skeptical Computing, or as Maura might say, not misplacing your Trust. This means questioning when something is sent to you out of the blue and making sure it’s genuine. It also means trusting your instincts if something seems ‘not right’, and not just blindly clicking links and running files sent to you with the ‘reckless abandon’ some folks seem to have. It is also the single best way I know of to avoid falling prey to things like phishing scams, and worms/trojans/viruses that spread via a social-engineering vector. In this particular case it’s what saved me from being infected with a nasty little worm that would have tried to spread to everyone in my messenger list, and opened a back door on my computer to persons with almost certainly bad intentions.
Let’s set the scene. I’m at work, working on a loadtest script, when I get a messenger popup from an ex-coworker who I’ve not chatted with in over a year. The message is not characteristic of her, but still somewhat believable: it’s short, asks the question ‘is this you?’ and contains a link. Okaaay. Stop. Think. Does this fit the profile of a ‘social engineering’ attack, à la the infamous ‘I love you’ worm? Yes it does. It’s a very short, generic message, designed to appeal to anyone and get them to click that link. Ratchet suspicion level up one notch.
Let’s just stop and consider the situation. You are now faced with the virtual equivalent of a friendly-looking cup of unknown stuff that says “drink me”, set down on the table in front of you by what appears to be someone you know. So what do you do? What would you do if this happened in person? Would you just pick up the cup and drink?
How about if we ask ‘em what’s in the cup? “What’s in the link?” I send back. Now, since their IM was JUST sent, it’s reasonable that IF it was sent by my friend, I’ll get a response. You techies will recognize this as a simple ‘Turing test.’ While I wait for a response, let’s have a closer look at the link. It LOOKS like it’s going to serve me up some kind of image, since part of the server path is \images\, but it’s ALSO got my email address in there as part of a ‘query string’, presumably used to find the right image. STOP. THINK. This isn’t some ‘imageid’ number, it’s my email address. How would this site have my email address? Now, my friend has my email address, because it’s part of the messenger contact info, but why would some site hosting images have the image indexed by my email?
My friend has also not responded back. Ratchet the suspicion level up another few notches because not only is the link suspicious, but it’s looking less and less likely that the IM I got was sent by a human. In our analogy, the person who set the ‘drink me’ cup on the table has not moved or said a word, and not responded to a direct query made to them. The cup is very enticing, and really almost engineered to pique someone’s curiosity and get them to drink it. But on closer inspection, the stuff in the cup is looking kinda weird if you ask me.
So, ok, at this point if I weren’t a tester by nature, I’d leave well enough alone and wait for my friend to respond, and if I could not ascertain what’s in the link and that they REALLY sent it to me, I’d not touch it. But hey, that’s not me. Still, at this point I’m fairly well up on full alert.
Should we click the link and see what happens? Actually that’s what I did, but in hindsight it’s not what I SHOULD have done. Did I get owned by clicking? No, but what I did do by clicking the link was send my email address to an unknown server. So I may have just signed myself up for some spam on an address that was up to this point almost entirely spam free (joy). So yeah, what I SHOULD have done was copy the link, change the email address, and then fire it off (I actually did this a bit later, but more on that in a moment).
So I click the link. Now I should mention at this point that my browser security settings are pretty high: popups are blocked, scripts need permission to execute, etc. Am I protected 100%? No, not likely, but the chances of getting owned by merely clicking the link are low. Do I get rewarded with an image? Nope, I get a popup asking me if I want to run or save a file. What? Oh my, this is interesting. Let’s look at the details: the filename is long, and of a form like image7.jpg.something, so it’s trying hard to LOOK like an image, but the system isn’t treating it like one, and in fact for file type it says ‘ms-dos application’, which means this is an executable file.
An executable file that is trying to look like it’s a harmless image. Riiiight. Yeah, this can’t be good.
The Cancel Button is your Friend at times like this. Nope, I don’t want to execute this, I don’t want to save it, I don’t want it anywhere near my machine.
I sent mail to my friend that stated “I think your box is owned with some kind of messenger worm” and a few details of the message she supposedly sent me, etc.
Now the tester in me comes out in full force. I do one of the things I should have done in the first place: I look at the main root of the site (which was www.mainmsn.com). Oh ho, what’s this? It’s a generic default page for a webserver, similar to the kind you see when you first set up a webserver but have not provided any content. Interesting. So the main site is pretending that nobody is home, yet there is this \images\ directory that is serving what looks like a worm. Uh uh, more and more suspicious all the time.
So next I do another thing I should have done in the first place: I take the link, change the email address to ‘firstname.lastname@example.org’ and submit it. Same response, SAME file. So the email address part either has nothing to do with this, or the server is harvesting them and will pass them along later. (I curse myself for not editing the link before I first submitted it. Hopefully I’ve not just made that account into a spam magnet.)
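The three checks the story has walked through so far can be scripted. The Python below is an added example, not code from the original post: it spots an e-mail address smuggled into a link’s query string, rewrites the link with a placeholder address before anyone fetches it (the trick described above), and recognises a served filename that dresses an executable up as an image. The sample URL, the query parameter name `id` and the filename `image7.jpg.exe` are constructed for the demo; the post does not give the real parameter name or the real extension.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Loose e-mail pattern, enough to catch an address used as a "query string" value.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Image extensions a lure typically borrows, and extensions Windows will execute.
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}

# Constructed sample link (hypothetical parameter name; the real one is not in the post).
SAMPLE_URL = "http://www.mainmsn.com/images/view?id=jane.doe%40example.net"


def find_email_params(url):
    """Names of query parameters whose value looks like an e-mail address."""
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if EMAIL_RE.match(v)]


def sanitize_link(url, placeholder="firstname.lastname@example.org"):
    """Return the link with every e-mail-looking query value swapped for a placeholder,
    so probing the server does not hand it your real address."""
    parts = urlsplit(url)
    params = [(k, placeholder if EMAIL_RE.match(v) else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="@" keeps the placeholder readable instead of encoding it as %40
    return urlunsplit(parts._replace(query=urlencode(params, safe="@")))


def disguised_executable(filename):
    """True when a filename like image7.jpg.exe uses an image extension in the
    middle but ends in an extension the OS will run."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXEC_EXTS and any(p in IMAGE_EXTS for p in parts[1:-1])


def triage(url, served_filename=None):
    """Collect the red flags for a link and (optionally) the file it handed back."""
    flags = []
    emails = find_email_params(url)
    if emails:
        flags.append("query string carries an e-mail address in: " + ", ".join(emails))
    if served_filename and disguised_executable(served_filename):
        where = "'images' path" if "images" in urlsplit(url).path.lower().split("/") else "link"
        flags.append(f"{where} served an executable named like an image: {served_filename}")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_URL, "image7.jpg.exe"):
        print("RED FLAG:", flag)
    print("safe to probe with:", sanitize_link(SAMPLE_URL))
```

The sanitized link is what you would paste into a browser or fetch tool if you decide to look at all; the filename check is the scripted form of asking “why does an image want to RUN?”.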
At this point I contact a friend I have who knows folks on the MS anti-virus/anti-malware team and tell ‘em to have their folks check this thing out. Sure enough, a little later I get confirmation it’s a worm.
Am I done? No, because there’s more I can do to try and shut this thing down now that I know what it is. I know that, despite their clout, MS is unlikely to try and get that site shut down. They get enough flak from folks for being big brother, the 800-pound bully, etc. that they are unlikely to do anything that might come across as that sort of thing. So they won’t contact the site operators or anyone else to get that thing shut down.
But I’m not MS and I don’t work for them, so I don’t have to worry about that. In fact, I CAN take steps to notify ISPs etc. and get the thing shut down. So first I ping the site and get the IP, then use a whois tool to find the owner of the IP address range (it turns out to have been the business services division of a major ISP). I contact their security folks and tell them they have a system on an IP address leased from them that is serving up a messenger worm. I give them details of the site, the IP being used, etc. Odds are someone had some brand new site set up that wasn’t secure, and it got owned by someone who is using it to serve this worm. But I’ll let them worry about contacting their customer, and hopefully cleaning off their compromised server.
Next I track down the registration on the ‘mainmsn’ domain itself. Why? Because the worm used the site name, not the IP, and unless the name gets invalidated, it can simply be shifted to another IP to keep the worm alive and spreading. So I track down the folks who sold that domain name and let them know it’s being used as part of a messenger worm, and that I suspect the registration data is bogus (it’s listed as some guy in Cleveland or somesuch, but the contact email given belongs to a domain in Bulgaria or thereabouts). In any event, they might want to revoke the registration and see if they can put some kind of tombstone on the DNS data so the name can’t continue to be used in this way.
Did my efforts make a difference? Hard to know in the long run, but for right now I can tell you that four days later that domain name no longer resolves to an IP address, which means, for now, the worm is no longer able to spread using the link I saw. There’s still a default page at the IP address that mainmsn was using, but it will no longer try to serve me the worm from the path that was used, so the server might have been cleaned up as well. On the other hand, the worm itself included some back-door access to affected machines, so the authors could have changed to a different domain name, different path on the server, etc. So yeah, minor victory in shutting down one site/domain name, but I’m sure there will be another variant soon, using a different site and different domain name. And as long as some folks click the link, and then run the exe it downloads, the worm will continue to spread.
However, because I was skeptical, and didn’t just click the link and run the program it sent me, I won’t be part of spreading the worm. I won’t have my system owned by some punk, and instead I can actually be a small part of making it harder for their junk to spread around the web.
Did I need to be some computer whiz to spot what was wrong? No, not really. All that was really needed was a healthy dose of skepticism and the attempt to check back with the sender before opening a link in a very generic and non-personal message. Barring that, asking the question “Why does an image file want to RUN on my computer?” can also save you a lot of grief. That sort of thing should be a red flag that has you checking back with the sender to find out what this thing is, and what it’s going to install on your system if you run it.