Keeping your email private when you’re on a mail list
In communities that are under cyberattack, you sometimes begin to wonder whether someone is reading your mail, because it comes back to you, regurgitated in the form of a targeted virus email.
A common form of attack is to send a message purportedly “from” someone in the group “to” other members of the group, with a virus or trojan attached that is new enough that the virus checkers won’t catch it.
In an email group that’s large enough, it’s pretty likely that one or more of the computers has been compromised, so if you’re going to send secrets to someone, be sure you don’t send them to any email list. The bigger the list, the more likely some computer on the list is compromised.
What lesson can you learn from this?
- Email isn’t secure;
- Email lists aren’t secure, no matter how closely you control the membership;
- Any computer that you’re sending mail to might have been compromised.
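A recipient-side check for the spoofed-sender message described above, as an added example that is not part of the original post. The member roster, the addresses and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Document types named in the post, plus common executable containers.
RISKY_EXT = (".pdf", ".doc", ".xls", ".exe", ".scr", ".zip")

# Constructed sample: a member's display name on an address at another domain.
SAMPLE = (
    b'From: "Mr. T" <mr.t@freemail.example>\r\n'
    b"Reply-To: collector@other.example\r\n"
    b"To: list@community.example\r\n"
    b"Subject: Updated contact sheet\r\n"
    b"Authentication-Results: mx.community.example; spf=fail; dkim=none\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Please review the attached sheet.\r\n"
    b"--b1\r\nContent-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="contacts.pdf"\r\n\r\n'
    b"%PDF-constructed\r\n--b1--\r\n"
)

def triage(raw, members):
    """List reasons to confirm a message with its sender before opening it.

    members: hypothetical roster mapping display name -> known address.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    reasons = []
    known = members.get(name)
    if known and known.lower() != addr.lower():
        reasons.append("display name matches a member but address does not")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")
    # Only meaningful when this header was added by your own mail server.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("no passing SPF or DKIM result recorded")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            reasons.append("attachment: " + fname)
    return reasons

print(triage(SAMPLE, {"Mr. T": "mr.t@community.example"}))
```

An empty result is not a clean bill of health: a message sent from a member's own compromised computer passes every one of these checks.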
Here’s a bit of interchange that went to a rather large list, members of which have been targeted over the last couple of years.
> On Wed, Jan 27, 2010 at 2:21 PM, Mr. X wrote:
>
>> I think we need to a) get used to the fact our
>> conversations are being eavesdropped and b) we all have to be careful to
>> post to the list only that which will not endanger someone’s life or
>> livelihood.
>>
> .X
>
> On Wed, Jan 27, 2010 at 2:21 PM, Mr. X wrote:
>
>> All the suggested links below are all good but inadequate to protect oneself
>> from a determined attacker. It is important to note that there is a critical
>> difference between the garden variety of attacks most of the world gets and the
>> targeted attacks some of us in this community occasionally get. The
>> recommendations will help guard against the garden variety attacks but
>> probably won’t help much with the targeted attacks.
>>
>> Take virustotal.com. I use this excellent free service all the time, and it
>> has helped me to identify many infected files (pdf, doc, xls, etc.). But it
>> is no help at all when an attacker creates a new piece of malware for the
>> express purpose of infiltrating our community. That’s because Virustotal and
>> most anti-virus software depend on the identification of malware that has
>> already been used to attack someone else. But if the malware is brand new
>> those anti-malware programs are no help.
>>
>> It used to be that one could also rely on the poor English and unusual
>> wording as hints that attachments or links in an email message are bogus.
>> But attackers are getting pretty darn good at crafting messages designed to
>> get you to open the attachment or visit whatever links are included in the
>> message.
>>
>> The tough reality is that security within groups of interest to attackers is
>> probably declining. This list, for example, is only as strong as the weakest
>> link, and there are some 700 of us on this list. The chances are excellent
>> that at least one of us is infected and that copies of all of our postings
>> are going to where we would rather that they not go.
>>
>> Although Osama bin Laden manages to get his odious message out to the news
>> services and to the Internet, the U.S. government still does not know where
>> he is despite a huge effort to get him. That’s because he has a network of
>> old-fashioned runners who deliver the videos and documents to the media in
>> person, and that avoids Internet security issues. The bottom line is that if
>> you have something that absolutely must not get in the hands of the “enemy”
>> then you need to think like Osama and avoid any networked computer.
>> Otherwise, consider your messages and information effectively open and
>> available to determined hackers.
>>
>> Do we throw our hands up in the air and give up? No. This list still serves
>> a valuable purpose, and it has enough security to prevent nuisance and
>> noxious postings so we have a relatively secluded area on the Internet for
>> our discussions. But never assume your sensitive stuff is safe here.
>>
>> Someone suggested that we all ought to reinstall Windows because it seems
>> that one of us is infected. It would be great if we could all do that,
>> but there is no way we can count on everyone taking the hours needed to
>> reinstall Windows. I think we need to a) get used to the fact our
>> conversations are being eavesdropped and b) we all have to be careful to
>> post to the list only that which will not endanger someone’s life or
>> livelihood.
>>
>>
>> On 1/27/2010 11:59 AM, Mr. T. wrote:
>>
>> I know that there are some great computer geeks on this list and I take the
>> liberty of speaking on their behalf for the sheer merit of having spoken to
>> them about this issue on quite a number of occasions. The experts in this
>> field say “there’s nothing called security” and “there’s no silver bullet”
>> to solve this problem although one would intuitively expect such a thing to
>> exist in the computer world. The solution to this problem boils down to some
>> education and a lot of common sense. The following links are most helpful to get
>> educated and practice responsibility for those dealing with sensitive data.
>>
>> http://security.ngoinabox.org/
>>
>> www.virustotal.com (excellent place to check whether that attached file
>> has viruses or not…the file is run through some 44 antivirus programs to
>> detect any malicious codes)
Malware: It’s software that does bad stuff.

