February 6, 2010

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

The e-mails urge recipients to download a copy of a report named “2020 Project.” Another variant is spoofed to make it look like the e-mail came from admin@intelink.gov. The true sender, as pulled from information in the e-mail header, is nobody@sh16.ruskyhost.ru

My source told me that a significant discussion going on within the U.S. Computer Emergency Readiness Team (US-CERT) suggests that this attack was leveled only at governments, and that a relatively large number of recipients were taken in by the ruse and infected their PCs. For example, the state government agency that my source works at has already confirmed “a couple hundred” infections at their site. US-CERT officials could not be immediately reached for comment, and the organization’s Web site currently does not feature any information about this attack.

The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.”

Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan, a program designed to steal passwords from infected systems and give attackers remote control over sickened PCs.

Another source who asked not to be named said the version of Zeus being distributed in the e-mails is rather dated, but that it includes a configuration utility that allows the malware to be updated with the capability to upload PDF files and other interesting information from infected PCs.

The Zeus Trojan is the primary tool that organized criminals have been using to steal banking information from countless small businesses, as well as dozens of state and local government organizations. In each attack, the thieves use the stolen credentials to siphon the victim organization’s bank accounts, and funnel the money through accomplices in the United States, who then wire the cash overseas to Ukraine and other Eastern European nations.

Earlier this week, the New York town of Poughkeepsie reported that thieves had broken into the town’s bank account and stolen $378,000 in municipality funds. Poughkeepsie officials said $95,000 was recovered from a Ukrainian bank.

50 thoughts on “Zeus Attack Spoofs NSA, Targets .gov and .mil

  1. AlphaCentauri

    We are always told not to open attachments we don’t expect from people we don’t know sent for reasons that aren’t explained. Why do government employees feel the need to express their importance by demanding people ignore that advice?

    I get a crapload of massive Word and PDF files from clerical employees at government agencies. The attachments don’t say anything that couldn’t have been put in a small text document or into the body of the email. But instead, the body of the email just says, “See the attached document which contains the revised policy,” or something equally useless. It’s a bad habit that has led to a culture of people who deal with government agencies just going with the flow and clicking on whatever attachments they get.

    1. InfoSec Pro

      re not opening attachments, that’s passe (useless advice).

      About a year ago the state of the art in malware advanced to the point where Windows indexing or Outlook preview would automatically open PDF attachments and allow infection without any explicit user action at all.

      also the vast majority of these emails seen in our network have contained no attachments but instead count on the user to click a link.

      Ironically the current generation of these messages is a warning about this campaign, purporting to be from a security expert and containing a link to download the necessary protective software – which is of course the malware.

      Since most government agencies have a huge user base and a tiny Information Security staff most users will not have any personal acquaintance with the official channels, and some will do the wrong thing by trying to do the right thing.

      It’s not as easy when you are in the midst of the battle as it looks from the sidelines!

  2. Dalmatian90

    Because the Word or PDF is the legally approved policy.

    If they clerk was to copy it, paste it into an email, and either accidentally leave something out or have spell check auto-correct a word and send it you now have a wrong policy.

    Years ago I worked for a major insurer, and one of the retired secretaries came back on a part time basis because she maintained all their boiler plate contracts in Word Perfect 5.2.

    The bound and printed versions took up approximately 12′ of shelf space.

    While I suspect they’ve since bitten the bullet, at the time they were avoiding upgrading since they would have to have their legal staff review every page again after a conversion to make sure no words had been added, lost, changed, mis-hypenated, etc in the process.

    1. AlphaCentauri

      @Dalmatian90 –
      That at least makes sense, though I would think that if a document is that important, it’s important enough to include some mechanism to verify it’s from the sender it purports to be from.

      I was referring to very trivial items that would not be archived if they were on paper, like announcements for meetings.

  3. qka

    I think anyone who has worked in an organization of sufficient size will have received an e-mail that only contained a Word or PDF document that was plain text – no font variation, no tables or special features, etc.

    Face it – every organization hosts Luddites, and those messages are from said Luddites. They have their pet application which they attempt to use to solve all their work problems.

  4. ted

    Did you notice that Symantec/Norton were not on the Virustotal list?

    1. Ned

      I’ve noticed that also, I think they’ve pulled it from the list recently as I distinctly remember there being 41 engines last week.

    2. M. L. Kingsley

      Because my current antivirus subscription is on its last month before I have to decide to renew or start afresh, I took heed of your comment and went to Virustol to see who was there; the list I looked at did show Symantec/Norton — maybe I was looking at a different list than the one under discussion, or misinterpreted what I was looking at?

    3. M. L. Kingsley

      …ah, I think I see, sorry about previous comment/question; you I believe are referrring to the list on the homepage, whereas I looked at the opening paragraph and clicked on “More Information,” which led to the list that I saw Symantec on.

  5. Robert

    It makes you wonder if Norton (which I use) has confidence in their product.

    1. Rick

      Good question. But ultimately of no consequence. What’s important is whether users can have confidence in it. Even Luddites who can’t leave the platform regularly complain about Norton – it’s just too buggy and too bloated. One man in a short sleeved white shirt and one rather buggy program called Unerase – and now all this. The more important question is why you’d need software like that in the first place.

      1. Solo Owl

        I thought the iconic Peter Norton portrait showed him in a *pink* Oxford-type shirt with the sleeves partly rolled up. Ready to work. I might still have that box or book in the closet somewhere. (Pink was a little daring in those days.)

  6. AlphaMack

    Keep in mind that this is the same trojan which will, according to BK in a previous Security Fix column, happily run under LUAs. That would, in turn, defeat the previous advice to use a LUA for day-to-day use.

    What will it take for Windows to finally be declared unfit for the Internet?

    This comment will most certainly be modded to hell for those who can’t handle the truth, but it seems that a day doesn’t go by where we don’t hear about some new gaping hole in Windows or IE. It does not have anything to do with marketshare or popularity but rather an antiquated single-user paradigm. MS won’t do squat about it because it means losing backwards compatibility and marketshare to other operating systems. Not to mention, if Windows becomes secure from the ground up, the AV/”security” rainmakers will need to find something else to sell as they won’t have a swiss-cheese OS to sell reactive “solutions” to after-the-fact.

    As long as the status quo remains the same, this abuse of computer users everywhere will continue.

    1. Rick

      Windows has been declared unfit. By many organisations and by many independent security researchers. But of course not by anyone associated with the antivirus industry. The GAO and Gartner condemned it ten years ago. Migration has been significant but slow. People used to like to cite the Bill Gates success story as an example of the virtues of the free market system. But it’s not. It’s an example of how a market can be manipulated to keep sticking people with clearly inferior products. The memoirs of WordPerfect’s old marketing manager shed a lot of light onto how that part of the business really works. It’s never been about quality.

    2. wahnula

      >What will it take for Windows to finally be declared unfit for the Internet?

      That’s like asking when the internal combustion engine will be removed from the automotive industry. You know, that engine in your car that loses 70% of the energy from the combustion process as heat and is destroying the world’s air. Like it or don’t, it’s a mainstay of the system because that’s how it developed, and any change will be slow. If more-developed countries use an alternative, or a less-harmful version, there will still be countless others remaining in use worldwide.

      This (Windows-bashing) is not a valid argument for every security issue and is of little use in a serious discussion. Maybe, if we could start all over again things might develop differently, but we need to take a more realistic approach.

      Those same internal combustion engines from the 60’s now yield more power, more efficiency, and lower emissions…but look at all the add-ons it took to get there. Clumsy, but we took what we had and made it the best it can be. Now, newer technologies are on the rise, but it will be a long time before that engine disappears. Same with Windows.

      1. ned

        I don’t think the internal combustion engine analogy works well for software. Those engines remain in use simply because their fossil fuel packs so much energy in little space. Batteries are way behind, so there is a technological barrier to progress there.

        In my opinion, Microsoft has been complacent on security and there is a lot to be said there.

        1. wahnula

          The argument is not just fossil fuel vs. electric…it’s fossil fuel vs. every-other-thing-that-possibly-could-have-been-developed for personal transportation but wasn’t, for whatever reason.

          Likewise, the argument is not about Windows vs. Mac vs. Linux or perhaps Chrome or whatever is still in beta somewhere, or yet to be developed, it’s about blaming every security issue on the prevalence of Windows. That point is not a valid argument, as it presumes the majority of PC users need to stop using Windows

          1. wahnula

            …oops…need to stop using Windows to solve the problem. That is not a logical option at the moment.

          2. ned

            Sorry Wahnula

            I’m with you that moving away from Windows will not solve security problems and I do see your point on the evolution to current Windows OS. Although I don’t see Linux as secure as many believe, I think it has some merits, such as being open to security audits by anyone.

            I also don’t know if Microsoft licensing plays a negative role, but I’m betting it does. Microsoft business model is still centered on selling software and that is putting Microsoft in a difficult spot when it comes to security. Their OS is pirated and those versions are more susceptible to viruses due to lack of updates, which in turn cause problems for the owners of licensed versions. I do remember Microsoft once extended updates even to pirated versions of its OS, presumably to combat botnets.

            I don’t have a solution, but I think it’s time for Microsoft to rethink its business model to be mindful of risks.

      2. JS

        Comparing Windows to the internal combustion engine is not a good analogy. Its more of a case of horse versus great engineering.

        Microsoft really needs to re-invent itself but doesn’t have the brains or guts to pull an Apple like move from system 9 to OS X.

        Indeed MS may cry out — the cottage industries and small guys will not survive the transition. To which it must be remembered that horses used to keep a lot of people employed: Livery, sanitation, veterinarians, etc. When the passage to automation hit those jobs went away and the people learned to do the new things.

        Keeping with the theme it took Ralpf Nader a lot of noise making to get seat belts into cars, safety glass in the windscreen, etc. His battle is documented in “Unsafe at any speed.” Who is going to be Ralph Nader for business computing.

        Would you buy a truck for your business without anti-theft locks, safety glass, seat belts, airbags today?

        Right now you can buy Win7 that has primitive safety systems. A business to be diligent has to then go buy the AV, Anti-Malware, Full and incremental Backup, multiple layer Access Control (keyfob/biometrics, etc) all at “extra” license and professional installation costs.

        I’d rather business be able to buy a good package deal and be done with it.

        1. xAdmin

          Yikes! Just imagine the outcry and antitrust/monopoly issues that would ensue if Microsoft packaged everything into the system as you suggest! Frankly, besides the core operating system, I prefer the choice and control of what other software to install. Also, I definitely don’t want some government mandated mumbo jumbo either. We have enough of that as it is. Keep it in the free market system.

          Also, contrary to popular belief, Windows has come a long way, beginning with XP Service Pack 2, in becoming more secure forcing the bad guys to focus more on application software instead of the operating system itself. Internet facing applications such as browsers, media players, PDF readers, etc have become the main attack points. Windows (including server versions) is actually more secure than it has ever been. Regardless, it’s not difficult to properly secure a Windows system. And yes even Windows XP. Still using it and have no plans to change anytime soon. Never been infected or had a system compromised yet. It’s not so much about the OS as it is about properly securing the system to begin with and then operating it in a manner to keep it that way.

      3. CB

        “start all over again”…..hopefully Google will help us to start over.

        Most of us have heard the rumors that Google is working on an operating system. We can only hope.

        Google is an internet company, with lots of talented employees. I’m hoping that anything they come up with would be miles ahead of MS on the security front.

  7. snowflake

    People are buried up here. The power grid is down, so we had to run an evacuation operation. The computer wasn’t any help. Shovel was handy.

  8. B.A. Econ. 1954.

    Hopefully the name I’ve used here will excuse the question, it it needs to be asked, and I’ve never noticed it in my frequent surfing on this subject….If these brilliant guys in “short sleeved white shirts” can be traced back with their “headers”, why can’t they be lured with large bundles of money to work for the likes of NSA.
    Someone will say…”..they are, but it can’t be discussed”.
    O.K., then I’d welcome comments from knowledgeable folks on this “reverse spamming”. Why can’t these bad guys be zapped with some sort of electronic countermeasure? Surely the creativity is out there…..or do they pop up like mushrooms?

    Asking…pls provide some provocative links.

    1. Moike

      If the bad guys are being targeted with ‘reverse spamming’, it could not be discussed. But even if they were targeted and monitored, there’s no way to prosecute if their government condones the actions of the bad guys.

    2. AlphaCentauri

      They *can* be “zapped.” Easily. You can hack them and assume control, or you can send large amounts of data to those computers to overload them and make it impossible for them to function while hooked up to the internet. Several major problems with that:
      1. It’s illegal by private citizens (trespassing on someone else’s property), would be considered too Big Brotherish if done by law enforcement, and would be considered cyberwarfare when used by a government against citizens of another country. If we openly attacked computers in Russia or China, they have hundreds of thousands of bots (“zombie” computers, infected with malware, allowing the person who infected them to control them remotely) under their control to do the same to us.
      2. The IP addresses that are visible don’t belong to the bad guys. They belong to innocent people who, like the government employees mentioned above, got snookered in to clicking on the wrong link or attachment. You’d be attacking them, not the bad guys.
      3. Once a computer is zombified, it doesn’t matter where in the world the person controlling it is. So many of the computers most in need of being zapped actually belong to Americans. We have met the enemy, and he is us.

      It is certainly possible to do research by running an infected computer to see which other computers it contacts. Then you can try to shut down the “command and control center.” That has been done successfully in several cases recently. It would be more effective if people would stop getting themselves reinfected, or if the Russians would stop laughing at us long enough to arrest the people reinfecting our computers.

      The other easy thing is for the owners of the computers being used for attacks to be notified and given limited internet access until they get their computers cleaned. It’s unpopular and time-consuming for ISPs, as these can be elderly or poorly educated people, and many ISPs in the U.S. have just thrown up their hands at all their clueless users and allow them to continue to operate while their computers are being used for cybercrime.

      1. Solo Owl

        You imply I am contributing to crime by giving computers to naïve users. What should I be doing?

        1. InfoSec Pro

          Educate them when you give them the computer and/or connectivity, so that you are not doing the equivalent of handing car keys to the inept, or a loaded gun to a toddler.

    3. InfoSec Pro

      Re the suggestion that the bad guys be lured to work for the NSA by large sums of money, there’s probably a good reason to avoid having the NSA staffed by folks who will shift allegiances for a sufficiently large amount of cash, doncha think?

  9. B.A.Econ, 1954

    Maybe “wahmula’s” analogy of the slow incremental improvements to internal combustion engines gives a clue about Windows and its spamming lures…the cost of effectively fighting spam is so high that only the most sensitive of targets gets the best improvements…and also those most entrenched provide the most inertia?……then there is no end to this cat-and-mouse shadow boxing.

    Is Sisyphus grunting in agreement?

  10. B.A.Econ.1954

    Thanks, AlphaCentauri, for this and what followed. …”They *can* be “zapped.” Easily.”…

    This is a big clarification for me, and hopefully others of my generational mindset and experience. But, then the problem seems to center on two main points: A) …Nationally, can we be persuaded to accept a reduction in our “rights” to privacy and private property if it can be shown that “national security” trumps those “rights”?
    B) Avoid any broadcast attack on us the unwitting accomplices by an educational campaign not limited to those of us curious enough to Google the question, but made a required qualification to obtain a BBC- (..I know, I know…) -like license to participate via an Internet Provider . This takes the permit- granting onus away from the IP, and places it,perhaps, on Homeland Security. (..with no staff increase…). This is a broadening of AlphaCentauri’s thought of limiting a jerk’s use of the Internet until he cleansed himself.
    C) We must accept that we are right now participating in cyber-warfare, and place our nation on this wartime footing, and accept that that will require a curtailment of our Internet “rights”.

    We can’t continue having things “all-ways” without unpleasant bargaining.

    Those original DARPA innovators must be wondering how we permitted this to evolve.

    1. Solo Owl

      Those original network developers gave it no thought, any more than the inventors of the internal combustion engine could have imagined 12-lane superhighways, air bags, GPS, drunk driving, and 200 mph races.

      The precursor of the Internet was done around 1970. In the spirit of the times, they assumed everyone had good intentions. Spam and trojans came, years later, as a bitter shock.

      1. Sean

        The original network developers used operating systems that were designed for security. VMS & UNIX. It wasn’t an afterthought like Microsoft products.

  11. Michael Hamilton

    So here’s an obvious question for me – why would the Russians make so much noise and stick their finger directly in the eye of the federal government? That seems inconsistent with the goals of organized crime. This event may be an attempt to penetrate poorly-protected networks for the purpose of conducting the ACH fraud that Brian has documented well, OR this could be complete misdirection by some other threat actor like the Chinese, such that the political and media microscope is drawn away.

    I’m just sayin’. The obvious theory may not be the correct one.

    – mkh

    1. AlphaCentauri

      It does seem like someone who would go to the trouble to find out what name to give the attachment would have tried to attract less attention, so no one would know any machines had been infected.

      It may have been a trial run by someone trying to prove his capabilities to someone else, perhaps a malware author advertising his services.

  12. xAdmin

    My take on this in the big picture of things is there will always be low hanging fruit that is ripe for the picking and those who will pick it because it’s easy. In other words, there will always be victims and perpetrators. Its part of the human condition and the world we live in. That doesn’t mean you throw your hands up in the air and give up. You do the opposite. Be smart; educate yourself, in this case, on computer security and the threats out there. Learn to properly defend yourself. The first step is awareness!.

    Learn defense in depth methods to properly secure your own personal systems just as you take appropriate measures to physically secure your personal possessions (ex. house/car/etc.). Do what is appropriate on computer systems you don’t directly have control over, such as work or public systems and their networks. As an example, I NEVER use a work or public system/network for sensitive stuff (ex. online banking, online shopping, sensitive personal e-mail, etc.). I’ll only use my own network that I completely trust. I also NEVER use my personal wireless network for sensitive stuff. I disable the wireless card on my system and plug in the network cable which minimizes the possibility of someone being able to sniff sensitive data over wireless. They would have to physically connect to my hardwired network. I take that further by isolating the wireless and wired networks with their own routers/firewalls. So if someone were to hack my secured wireless network, they cannot access my secured wired network.

    It’s all about risk management and taking appropriate steps within your control to NOT be the low hanging fruit. Therein lays the problem as too many people are not even aware of the concept. It’s never crossed their mind.

    1. Solo Owl

      The problem is that your recommendation is beyond the knowledge and skills of a huge fraction of computer users. Cars come to us ready to be secured, although some people get Lo-Jack, or steering wheel locks, &c. Houses are harder to secure, but almost everyone knows what to do.

      I agree that Windows is a hopeless mess, but many businesses are stuck with it, and the masses assume that computer = Intel x86 + MS Windows + MS Office + MS Internet Explorer + any ISP. Linux and Mac fanboys contribute to the problem by claiming that antivirus is unnecessary on their boxes.

      The problem will only get worse until all operating systems are far more robust than today’s, and until all operating systems come with all layers of security turned on by default. Nobody is leading the way.

      1. Sean

        Because antivirus IS superfluous on a UNIX based system.

      2. AlphaMack

        >Linux and Mac fanboys contribute to the problem by claiming that antivirus is unnecessary on their boxes.

        Truthfully, AV should be unnecessary on any box. Using any kind of ‘reactive’ solution invites complacency and more often than not the latest and greatest AV with the most up-to-date signature database won’t stop the most determined of malware. I’ve cleaned more than my fair share of malware-laden systems with AV and other anti-this and anti-that tools installed.

        AV fails in two areas: signatures and virus-like behavior monitoring. The former most be continuously updated in order to keep up which ends up being a never-ending arms race while the latter leads to many false positives, defeating the whole point of AV to begin with.

        Instead of needlessly forking over money to the rainmakers, users should be made aware of avoiding social engineering tricks, using strong passphrases, and properly using a firewall.

        An ordinary user should never be able to leave their “home” without privilege escalation. Unfortunately the reality is that Windows in its current form makes it all too easy.

        1. AlphaCentauri

          The problem is that even trusted websites can be hacked. If you have set Noscript to always allow javascript for a site you visit regularly and that site gets hacked, your AV program is the only thing that may protect you. Not all AV programs will find every malicious program, but the fact that different people with different AV programs are visiting the website means it’s likely someone will have an AV program that detects the problem so the site owner can be notified. Also, many risks are not easy to detect at the time of download, but become obvious to your AV program once they start to get installed. If a hacker has substituted a malicious file for a zipped download on a website, it’s the user with the AV program running that will detect them, not the site owner.

  13. kinpin

    Hey I using Mcafee VirusScan Enterprise 8.5.oi,Am I protected against this Zeus Trojan?

  14. kingpin

    What about new DefenceWall Personal Firewall V3?It claims to have best?HIPS Software…

  15. InfoSec Pro

    re current antivirus coverage, and windows vs. other o/s, go read up on what is being called the “Advanced Persistent Threat” (http://www.mandiant.com/services/advanced_persistent_threat/ and follow the links to get their white paper).

    consider that the consistent pattern is that the tools and techniques used by the APT actors have generally shown up in the commercial malware space within a matter of days to weeks after being publicly disclosed for the first time.

    also consider the difficulty of keeping any targeted system secure from such attackers and the time it takes to deploy patches versus the time it takes to launch an attack.

    Antivirus is useless, any systems can be owned. Live with it.

  16. iamanamerican

    did you know that many if not most of the .mil login sites require ONLY internet explorer 6 or higher and do not work w/ other browsers? how freekin ridiculous is that?

    after 8 years of bush incompetency and fear mongering without actually dealing with internet security at basic levels, i’m guessing we taxpayers will once more be on the hook for gazillion dollar ‘fixes’ which will enrich more of the military industrial corporate complex.

    I am so sick of the incompetence and yet the republiCons are at it again with the full faith and force of the military warhawks and department of war.

    sickening….and distressing

  17. Volunteer Intelligence

    Layers of Encryption seem to work for me. I’ve encrypted my Hard Drive, Emails, Database and Browsers, as well as my Passwords with all different Encryption Systems and have found that even if a certain Mail gets through with a Malware cookie or a Trojan pre-emptive Email they will be picked up by my Anti-spyware as well as My Root kit scanners and Anti-virus before they can penetrate my system I just keep a Bunch of scanning going on my workstation all the Time, except when in use for Work Purposes. The Security systems do all the Security and Scanning as well as The Spam Filters and Email scanners too. They run all night for I can set them too. Then nothing comes in without serious Scrutiny. That makes penetration very unlikely to penetrate the Encryptions to get to The Security as well as the possibility of an injection from an adware too. They don’t have any passwords either. For my Perfect analyzer erases all the History and cookies, as well as The Browser pages after work too. Passwords are deleted too. Watching for unknown senders will keep the system safe from unknown choices too.

  18. Craig Spiezle

    The Online Trust Alliance (OTA) has been raising the concerns about this exposure for nearly a year. Last April we posted a failing report card for failing to protect their domains from such spoofing. https://otalliance.org/news/releases/OTA_414reportcard.html. We are encouraged by the recent willingness to proceed with best practices now adopted by many leading businesses. In April we will be updating this report to include the top 50 .gov and .mil sites as well as offering the targeted sites training to help implement industry standards.

  19. JAson

    Outlawing windows from making operating systems would really really help the situation out greatly. Sure everyone would have to learn new stuff, but in the case of new and complex parental controls for tv, parent were willing to learn something new to make them feel safer or their kids safer, so why not extend that same logic to protecting ones self. Learn to use something new, the free model seems to be the one that is out to protect you, after all Microsoft collects tons of personal information for law enforcement use. Linux is a good start, a linux kernal seems to be the right model, seems other try to copy the wy it works anyways, but they just dont quite get it right.

    Windows may look pretty , but it sure dont run so pretty, and ubuntu for one outdoes windows when it comes to eye candy and usefullness. Im not even commenting on mac, becsue its liek back in the day when everyone realize AOL was a fake ISP, the mac isnt a real pc, more like nazzi central with every mac lookign the same.

    So ya elimiate windows and watch how fast the talk of virii and major sec issues drops. Maybe not all but after all, i do think windows system is the gateway for the new attackware platform of stuxnet, so to what end will microsilly decode to so simething serious abtou their issues? Will windows be resonsible for an accidental nuke launch?

  20. SpliFF

    I’ve run my primary PC on linux for 10+ years and in all that time not one break-in or malware infection despite having no firewall or antivirus software. I’ve even inserted infected USB sticks with autorun malware plainly visible on the drive. I’ve opened numerous suspicious PDFs in xpdf, visited known attack sites with Firefox and NoScript, I open Word docs with impunity via LibreOffice and connect regularly to infected networks.

    All my software and dependencies install and update automatically from trustworthy repositories. I’ve never paid a cent for any of my software because it’s all free. I’ve never been given a document I couldn’t open, a disk format I couldn’t read or a file server I couldn’t connect to.

    Why anybody would pay for commercial software like Windows, MacOSX or Office when those tools are so easily and commonly exploited is completely beyond me. I wouldn’t even accept those programs as gifts! Frankly users of Microsoft/Apple/Adobe software get exactly what they deserve when they bring me their toasted systems every six months and pay me $120/hr to recover what’s left of their system.

    Using the above mentioned software in a home environment is bad enough, but using them in a commercial environment is the height of stupidity. In a military, healthcare, financial or government institution it is entirely unforgivable! I would go so far as to call it an act of treason equivalent to arming a modern defence force with bolt action rifles. God help us all once this sort of software finds general use in automotives, military hardware and hazardous industries!

    You want to argue that hackers would exploit linux more often if we all used it? Sure they would – but since ignorance is such a universal property amongst computer users that isn’t likely to happen any time soon.

Comments are closed.