
Re: [LUG] 3rd party repositories and debs was Re: Grism.org

 

On Tue, 2009-12-15 at 13:35 +0000, Simon Waters wrote:
> Paul Hirst wrote:
>  >
> > This thread spawned a bit of a discussion here. Rather inevitable when
> > surrounded by virus analysts :-).
>
> I'd be curious what proportion of Microsoft Windows malware events start
> with intentionally downloading and running software from the net (rather
> than say having an out of date version of Flash do it for you).
>
> Do Sophos tell folks that sort of thing? Do you guys even try and
> measure it?
>
>

I asked one of the guys here what he thought and he came back with this:

Several of the significant Win32 malware families around today rely on
users "deliberately" downloading and running some content. The usual
social engineering is used to encourage this:

- email messages encouraging a link to be clicked, or attachment to be
run

- web pages containing tricks to encourage users to download additional
applications (e.g. Zlob using the "you need this codec to view the
movie" trick)

- web pages tricking users into installing rogue security software (fake
av, probably biggest single group of threats right now)

Whilst it is true that a lot of threats use exploits and compromised
sites to silently infect the victim, the simple fact is that users still
fall for the old tricks and often infect themselves by intentionally
downloading and running something. But as you allude to, the vast
majority do not involve a reputable site; instead they involve some newly
registered dodgy domain (though you would have to say that the fake AV
.com sites are typically very professional looking and easy to fall for).
Fake AV uses a type of combination approach:

1. compromised sites redirect you to some rogue security site
(professional looking .com)

2. this site tricks you into downloading the "security" software (fake
online scan)

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html