Remember painstakingly explaining to people that no, your computer couldn’t get a virus just by reading an email, you had to click on an attachment? That images were safe to open? Remember when the worst people had to worry about from web pages was unwanted cookies? Getting a virus just from looking at a web page? Preposterous! And a virus that ran up your credit card? Ridiculous!

It’s sad to think that all those “ridiculous” things are now possible—in fact, they’re commonplace. Look back at that link up there. It’s Snopes’ page on computer virus warnings. Way back when, they were all bogus. These days, most of them are real.

So what’s next? Well, they keep talking about Internet-aware appliances, so a future virus probably could “recalibrate your refrigerator’s coolness setting so all your ice cream goes melty.”

Personally, MySpace bugs the heck out of me because it seems to have a culture that encourages embedding images from other sites. 18% of hits to hyperborea.org from other websites are from myspace. Admittedly that’s inflated by the fact that attempts to embed images from my Flash site redirect to the actual articles, so it’s probably more like 10%, but it’s still insane. Earlier this week I started blocking hits from MySpace to images posted on this blog, and I plan to do the same with the Flash images over the weekend. You like my photos? Great, link to my actual site! You like the scan I have of some movie logo? Great, copy it and upload it to your own site!

(via Slashdot)

CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, [MasterCard spokeswoman] Gamsin said. She said she did not know how the script got into the system. The FBI was investigating. (emphasis added)

Given the current porous state of many networks and operating systems, and the general public’s attitude that catching a computer virus is as inevitable as catching a cold, I’d guess it got into the system the same way most spyware does. An email attachment squeaked by the filters. Someone installed a tool that claimed it would make their web access faster. Someone got a well-designed phish, followed the link, and got infected by a backdoor because their browser was behind on security patches. Someone brought a laptop home, plugged it into their insecure home network, and brought back a virus.

Sadly, I expect we’ll be seeing a lot more of this.

Update June 20: Netcraft is reporting that it was indeed lax computer security that did them in:

MasterCard International said it “worked with CardSystems to remediate the security vulnerabilities in the processor’s systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.” Officials at affected institutions were not specifying the vulnerability and exploit used to breach CardSystems’ security. (emphasis added)

Netcraft seems to think it was likely their website, which runs on Windows 2000 and IIS 5, and they go on to promote their own security consulting services. So it’s not entirely an unbiased look at the incident.

Now here’s the weird part. We’re also getting bounces sent to another domain we manage, let’s say another-example.com. Both sets are coming from someserver.another-example.com.br!

I think that the virus is finding itself on another-example.com.br and not recognizing the country-specific domain name, misreading it as just another-example.com. It then looks up the mail server, finds our domain, and targets both.

Mytob is supposed to use its own SMTP engine, but the headers show an intranet trail, so maybe they have a proxy that forces all outgoing mail through their server.

Of course, a more mundane explanation might be that someone at another-example.com.br was checking out companies with similar names, and the contact page was sitting in their web cache when the virus arrived. But seriously, which explanation is more interesting?

Sure, the the pre-release Thunderbird still has problems dealing with very large folders, but 770 MB/day? Even Gmail only gives you 1 GB of total storage. I can’t think of any reasonable expectation that any mail client should have to deal with that at today’s level of data richness. Maybe in the future when we’re sending full-motion video on a regular basis, but not when most email is text with maybe some formatting and a couple of small images.

It’s just staggering that, even though the main email worms depend on Microsoft Outlook, Outlook Express, and Internet Explorer to spread themselves and infect new hosts, they can still damage systems that don’t use those programs!

The Register found the ads on their own website and identified the source as ad server Falk AG. They have pulled Falk AG’s ads from their rotation and apologized to their readers. Netcraft adds that Falk AG’s clients include high-profile sites such as A&E, NBC, and Sony. The ad company has issued a statement, but the page currently consists of the line “Server Engine: Application error.”

Update 3pm: The statement from Falk [archive.org] is readable now. Apparently someone broke into one of their network load balancers and reconfigured it to redirect ads to the malicious site. Once they discovered it, they shut down the affected system and started checking the rest. The malicious ads ran for a total of about 6 hours on Saturday.

Update Tuesday: the Internet Storm Center has posted a write-up of the attack response.

Of course, there are several ways to protect yourself from this type of attack.

Subject: VIRUS (Worm.SomeFool.P) IN MAIL FROM YOU

VIRUS ALERT

Our content checker found
    virus: Worm.SomeFool.P
in your email to the following recipient:
-> ADDRESS REMOVED

Please check your system for viruses,
or ask your system administrator to do so.

Delivery of the email was stopped!

And now my response:

Subject: BOGUS ALERT (sent to wrong address) IN MAIL FROM YOU

BOGUS WARNING ALERT

My BS checker found
    bogus warning: notice sent to known-forged sender
in your email to the following recipient:
-> MY ADDRESS

Please check your virus scanner for better notification options,
or ask your system administrator to do so.

All modern email-based viruses forge the sender address. Additionally, since your virus scanner was able to identify the specific virus, it can determine on its own that this virus always uses a forged address.

By notifying the supposed sender of a message when you know that sender is forged, you are knowingly sending virus warnings to people who are, in all likelihood, not using an infected computer. Messages like these are just noise, and the more of them that are sent, the less attention people will pay to *real* warnings. Additionally, it also runs the risk of causing unnecessary concern among the less tech-savvy (and extra calls to tech support about the nonexistant virus they fear they have).

(Feel free to re-use my response. I partially quoted myself anyway.)

I’m contemplating building a “hall of shame” and actually posting the sources of some of these. Any thoughts?

What’s that? It’s a program that listens in on traffic going across your network, looking for things like, oh, login names and passwords, credit card numbers, etc. They’re the reason online commerce requires SSL encryption.

Sniffers work because of the way ethernet is designed. Basically your local network is like holding a conversation in a crowded room. You focus on the people you’re talking with, and you tune out other people as best as you can. (In this case there’s also someone at the door who can relay your words to someone in another room, and relay back their responses.) To hold a private conversation you have to go somewhere else or talk in code. A traffic sniffer just doesn’t tune anyone out, so it picks up on everything in your local network.

So now, no matter how well you guard your own computer, if some moron on your network manages to get infected by Worm.SDBot (which thankfully hasn’t been spotted “in the wild” yet), you could still be handing out your email login/password when you log onto Yahoo/Hotmail/Outlook/etc.

You just might want to use that “secure login” option. Assuming, of course, that you have one.

Oddly, Symantec’s entry says nothing about the speech. Maybe they don’t have speakers on their test boxes.