Linux Today: Linux News On Internet Time.
53 Pages, 10 Months, 1295 Infected Hosts, 103 Countries, And They Still Can't Say "Windows Malware"

"Vast Spy System Loots Computers in 103 Countries"-- sounds promising, right? In the New York Times, no less, so it should be good. Well, no, I was rather disappointed at yet another security analysis that left out vital information-- which operating systems and applications were vulnerable. If it were Linux or Mac do you think they would be so tight-lipped? Why is the Dalai Lama running Windows?

**UPDATED**
I received a reply from John Markoff, the New York Times reporter. See below...

"A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded."

Wow, this has to be good. Two pages in the New York Times, and the report itself is 53 pages. But don't get your hopes up. In all of those 53 pages, which go into detail on packet sniffing, HTTP methods, malicious binaries, honeypots, gh0st RAT, and cool maps of the Ghost Net, not once is any operating system or vulnerable application named.

They identified compromised systems by location and IP address, and made a nice pie chart showing the distribution by country. They identified high, medium, and low-value targets. They witnessed machines being profiled and sensitive documents stolen. They witnessed keystroke loggers, and Webcams and microphones activated on the sneak. They learned that the malware that fuels the Ghost Net is spread via Web sites and email attachments. The investigation took 10 months and covered 103 countries.

After all that, I am puzzled why they would omit such basic information as what software was vulnerable on the infected hosts. It sure looks like a growing trend to not name names, doesn't it? Except when they're blaming end users. Though in this report the reticence appears to be as much political as technological.

The NY Times article links to another report, "The Snooping Dragon" (http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf). They don't name names either, but use a new term I'm seeing more of: social malware. Not Windows malware, nooo, social malware. Nothing is new but the name; it's the same old Windows vulnerabilities we've been rolling our eyes at for over a decade.

"The Snooping Dragon" gives some recommendations for hardening security, but none of them are worth a darn since they won't admit that Windows is the core problem, and everything else is a weak bandage.

What if there were a way to infect Linux, Mac, or UNIX computers and Borg them into botnets via email attachments and drive-bys on infected Web sites? Everyone who believes this would be plastered all over front pages with no ambiguities whatsoever, raise your hands.

Oh-- and amusingly, after everything I've written recently on Flash Cookies, the report is published in Flash-- yes, really!-- and you have to allow Flash cookies for it to work. Making your ~/.macromedia directory read-execute only (no write bit) works OK; the /dev/null trick doesn't.
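The read-execute trick from the paragraph above, written out as a small POSIX shell script. This is an added example, not code from the original post or from the Flash Cookies articles it references. It assumes the Linux Flash plugin keeps its local shared objects (.sol files) somewhere below $HOME/.macromedia, and it runs against a scratch directory unless FLASH_HOME is set, so it does not touch your real home directory by accident. The directory and file names under Flash_Player are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): purge stored Flash cookies and
# lock the Flash Player's local-storage directory read/execute only, so the
# player can neither write new .sol files nor create the subdirectories it
# wants, while the directory still exists (unlike the /dev/null symlink trick).
# Assumption: the Linux Flash plugin stores its .sol files below
# $HOME/.macromedia (Flash_Player/#SharedObjects/<id>/<domain>/...).

# Delete every stored Flash cookie (.sol file) below the base directory.
purge_flash_cookies() {
    base="$1"
    [ -d "$base" ] || return 0
    find "$base" -type f -name '*.sol' -exec rm -f {} +
}

# Create the base directory if needed, purge old cookies, then set every
# directory in the tree to mode 0555 (r-x for owner, group and other).
# -depth lists children before parents, so no directory is locked before
# its contents have been visited.
lock_flash_dir() {
    base="$1"
    mkdir -p "$base"
    purge_flash_cookies "$base"
    find "$base" -depth -type d -exec chmod 555 {} +
}

# Symbolic mode of a path as ls prints it, e.g. "dr-xr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# True when a directory has exactly mode 0555.
is_locked() {
    [ "$(mode_of "$1")" = "dr-xr-xr-x" ]
}

# Give the owner write access back (mode 0755) for cleanup or to re-enable LSOs.
unlock_flash_dir() {
    find "$1" -depth -type d -exec chmod 755 {} +
}

# Demo: plant a constructed cookie in a scratch tree, lock it, and report.
# Set FLASH_HOME="$HOME/.macromedia" to lock the real directory instead.
flash_demo() {
    base="${FLASH_HOME:-$(mktemp -d)/.macromedia}"
    mkdir -p "$base/Flash_Player/#SharedObjects/ABCDEFGH/example.com"
    : > "$base/Flash_Player/#SharedObjects/ABCDEFGH/example.com/settings.sol"
    lock_flash_dir "$base"
    if is_locked "$base"; then
        echo "locked: $base ($(mode_of "$base"))"
    fi
    if [ -z "$(find "$base" -name '*.sol')" ]; then
        echo "no Flash cookies left under $base"
    fi
}

# Run the demo only when explicitly asked, so sourcing the file is harmless.
if [ "${FLASH_DEMO:-0}" = 1 ]; then
    flash_demo
fi
```

Run it with `FLASH_DEMO=1 sh lock-flash.sh` to see it work on a throwaway directory first. Note that mode 0555 only stops the player from writing; root, and anything else running as you that chooses to `chmod` the directory back, is not blocked, which is why the script purges existing .sol files before locking rather than relying on the mode alone.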

I have some inquiries out but I'm not holding my breath.

**UPDATE**
John Markoff, author of the New York Times article, replied to my inquiry:

"On Mon, Mar 30, 2009 at 8:20 PM, NYTimes.com wrote:

> To: JOHN MARKOFF
>
> You have received reader mail via nytimes.com. To respond to this reader,
> simply 'reply' to this message.
>
> READER'S NAME:
> Carla Schroder
>
> READER'S E-MAIL:
> cschroder@internet.com
>
> READER'S MESSAGE:
> Dear Mr. Markoff, I was disappointed with "Tracking GhostNet: Investigating
> a Cyber Espionage Network". Such a promising title, and then so few
> specifics. What computer operating systems and application software are
> vulnerable? You do know that there are at least several dozen operating
> systems, and that there are five that are widely-used: UNIX, Linux, FreeBSD,
> Mac OS X, and MS Windows. Are the exploits used in the Ghost Net
> cross-platform? I suspect they are not, especially after reading the equally
> uninformative Security Focus article,
> http://www.securityfocus.com/blogs/1809, which mentions some common
> Windows file formats. This is a common flaw in tech reporting and I don't
> understand it. When a car is recalled the brand and model are named. When
> food is contaminated the supplier and distributors are all named. Why this
> reluctance to be as specific with something as important as our computers?
> I'm not real happy with the linked research paper, "Tracking GhostNet"
> either.
> For gosh sakes, why publish it in a manner that requires Adobe Flash,
> and even worse, will not function when Flash cookies are disabled? I would
> appreciate an on-the-record response. thanks and best regards, Carla
> Schroder managing editor, Linux Today and LinuxPlanet
> cschroder@internet.com"

Dear Carla,
This wasn't a computer security story so much as an espionage story. It's not about you, or about Linux. It's about a systematic espionage effort against governments.

Sincerely,

John Markoff"

References

Vast Spy System Loots Computers in 103 Countries
Tracking GhostNet: Investigating a Cyber Espionage Network
The Snooping Dragon: social malware surveillance of the Tibetan movement
Adobe Flash Cookies: Yes They Are Dangerous, and More Cool Linux Hacks (Mar 30, 2009)
Getting Rid of Nasty Adobe Flash Cookies the Cool Linux Way (Mar 27, 2009)
Getting Rid of Nasty Flash Cookies on Linux (Mar 24, 2009)

1 TrackBacks


» Confirmed: Conficker Awakens from Boycott Novell

Boycott Novell goes offline as Conficker goes up ... Read More



17 Comments

Emil said:

Oh, what did you expect?

Try to discover how much money companies got to mention Linux, and then, how much money they got not to mention Windows' flaws.

Yea, it's all about money.


AC said:

I've read some of John's writings, and I am sure he knows what the real question was.

So basically John Markoff weaseled out of your question by choosing to treat this as "about you or about Linux".

I like your analogy to car and food recalls. Taking that further, I seriously DOUBT he could write about a "systematic lack of safety tests on imported toys or food" and NOT name names.

The more likely explanation is naming the OS is not something that would pass the editor's black marker, and/or John is unwilling to push the issue. After all, the NY Times is a MEDIA company, and while their editors are often asleep at the switch... they'll wake up if a subversive writer used "Windows malware". When you're barely profitable, you don't want to piss off the important advertisers.


KH said:

With articles like this, is it any wonder that the paper-based newspapers are all going bankrupt? If they maintained a high standard for the authors they paid, who actually reported the whole story as it really is, I think there would be more people willing to continue paying for a subscription. That kind of pandering garbage isn't worth paying for, so users read online for free instead.


BRose said:

Well - we just got a Security Bulletin from Trustwave. Guess what? Basically five paragraphs (some with bulleted points) and not a single mention of *what* operating systems/revision levels Conficker can infect. So it's not only the news outlets - it's IT security businesses as well. This is getting ridiculous...


Khan Md Ashraf said:

The trouble is that Microsoft Windows could be a ticking bomb, but since it is a unique monopoly and has most people and the rest of the establishment by the *****, you ain't never gonna hear about them being the cause of most of what ails the computing world. Since also Microsoft is the only company in the history of the world to reach such a dominant and dangerous position. Of being able to influence things without even saying a word.
George Orwell got it all wrong when he came up with Big Brother. He could not have imagined that it would come not from totalitarianism but from rampant abusive capitalism. That the subversion of the individual would originate and be orchestrated from a supposed 'free' society. So without a doubt Microsoft is the representation of what the real Big Brother is all about.


Fat Pop Do Wop said:

What a crappy response you received! Taking up your analogy, when the contaminated baby milk in an eastern country was reported, did they merely say "some people working for some company in a country far far away caused severe injury and death by supplying a dodgy product"? They'd only be reporting a generic issue after all, but wouldn't the rest of the world cry out for more of the vital information? Why doesn't Markoff see that?
Carla, you're a well respected expert in your field. However, remember that most of the world uses one very common O/S and the majority think that there is only one O/S in the entire universe, so they'll all assume it's WINDOWS that's affected anyway! Those with more savvy (even vaguely aware of stuff like Linux) can easily work this out too.
Please keep up the work you do!


dickt_cal said:

I have come to the conclusion that for many of these journalists, not to mention the typical user, they don't need to mention the OS because they 1) don't realize that the OS is separate from the computer and 2) don't know that there are other OSs that have a different structure than MS Windows. After all, isn't the Apple Macintosh simply another prettier interface and for those few who have ever heard of it, isn't Linux the one with the archaic command line interface?

The real problem is that many of these people have never been exposed to anything other than MS Windows and so can not evaluate anything else.


John Morris said:

You are fighting a losing battle here if you expect the lamestream media to do much real reporting, period. In case you haven't noticed, they don't do much of that anymore and haven't for years.

We happen to notice when the media screws up stuff we are closely acquainted with but they screw EVERYTHING up. A doctor will complain they get everything wrong in medical reporting, the military complains they don't understand what they do well enough to properly explain, and so on.

Not only does the media lack industry specific knowledge, they refuse to face up to the existence of a problem. And while in times past skilled fact checkers and editors back in the newsroom could backstop their field staff and prevent egregious errors from making it into print, cutbacks in staff mean there ain't nobody home in the back offices anymore. Witness how many simple typographical and grammar errors get committed to print in leading newspapers these days. They don't even have time to run an automated spellcheck.

And does the name Jayson Blair ring any bells? That clown managed to sit at home in his pajamas and file stories pasted together from Google searches and a few phone calls and get away with it for years. If that doesn't prove there are no fact checkers or editors left, at least at the NYT, nothing will.

Getting them to identify Windows is even more futile, they are like The Phone Company of yore, simply assumed to be all present. A focused effort to get vulnerable applications named might bear some fruit since not ALL applications are from Microsoft.

And you even got it wrong in your question, only proving that getting the facts right is harder than it seems at first glance. It isn't "UNIX, Linux, FreeBSD, Mac OS X, and MS Windows." Just as Linux is a family of related systems, so is FreeBSD only one example from the BSD family which includes Free, Net and OpenBSD.


Captain Tux said:

I think I can surmise many people's feelings with this: Never (ever!) let facts get in the way of a good story.

Personally, I think the NYT is no longer a relevant nor reputable source of information... but that's just me.


cenc said:

I say we all start a campaign to add comments calling them out on every single media source that publishes this. Any time virus infections are mentioned and Windows is not directly pointed at as the problem, add comments asking why they did not talk about it. Even if the media hides their head in the MS sand, at least the readers will have to stop and question what we are talking about.


JcDelta said:

I'd compare it more to defective armor in military equipment than anything else.

If a company sold the Army body armor and it failed in the field, I'd expect to know who manufactured it and who is putting American lives at risk.


DBenson said:

Just wanted to chime in... I applied the r-x permissions to my ~/.macromedia folders as outlined in your other post and I am no longer able to read anything on Scribd (the location of the posted article on GhostNet)...

But you can still download the article and read offline...

If you are on Linux and suffer from the issue with DHTML menus opening behind Flash objects, you can just AdBlock the scribd viewer, click on the download menu item, select the PDF link and then login with a user/pass from bugmenot.com...

Cheers!


Smirnoff said:

John Markoff's excuses for not citing Windows in his article nor the report are stupid because the article was published in the TECHNOLOGY section of the New York Times, not in the POLITICS section.

The NYT journal is not interested in citing the Windows insecurity because M$ may give them much money in advertising.


ilde said:

@cenc:I agree with your idea. In fact I have visited some sites giving these kind of news, and I've made readers aware that the infected machines were all running Windows. Cheers.


paul -the unverified said:

...and again, this is why we need a credibility index. Make them accountable for their lack of objectivity and accuracy. And refer everyone to check the list if ever in doubt of an article's content value.

BTW, there is a cred list of sorts started at...
http://boycottnovell.com/credibility-index/

(My apologies Carla, if it's a faux pas to include a link like that.)

Over the years, I've seen first-hand how effectively the open source community responds to this type of media bias. The community members have the ability to soundly refute the utter garbage that comes from the mass media machine. The open source community should challenge these media sources by questioning their credibility. Hopefully, we at least can start a truly open dialog that will draw attention to the facts.

I also apologize for having a Pollyanna moment on the internet. I'm the determined optimist that thinks right will prevail.


SysKoll said:

Carla, the NYT has never been a good source for accurate tech reporting. Besides, they have a tendency to dishonest, knee-jerk reactions. Do you remember what they did to the unfortunate Adrian Lamo? The poor guy's hobby was to try and find security flaws in web sites using this powerful hacker tool known as "Internet Explorer" (yes, it's sarcasm). Adrian found flaws in the web sites of several large institutions, and worked (for free!) with their IT departments to fix them. When he found that a gross mistake exposed the SSNs of NYT contributors to visitors of the paper's web site, he warned them as usual, and they sent the FBI after him. The FBI. For rubbing their nose in their own incompetence. Such open-mindedness, such decency, such strength of character! Truly they are an icon of American culture. The perfect outfit for the Jayson Blairs of this world.

Then, within this decadent paper, you have Markoff, throning like the rotten cherry on a crumbling cake. Markoff made a mockery of fairness, accuracy and honesty in his overhyped, indecently sensationalist articles on Kevin Mitnick. This has been amply documented.

So it is not surprising to see yet another inaccurate, incomplete and biased article appear under Markoff's name. Just another nail in the coffin of the NYT's credibility.

My advice would be to stop paying attention to the man. A lot of people already have.


Jacques Merde said:

Well,

I, too, find Mr. Markoff's reply to Carla to be unsatisfactory. It is absurd that an article of that scope would not mention the technology that enables the worm. I do note, however, that in his follow up story, Mr. Markoff specifically discusses "the process of disinfecting and protecting machines infected by the software, which targets Windows-based computers."

http://www.nytimes.com/2009/04/01/technology/internet/01virus.html


