RANT: Spam and Sonic.net

General discussions and other topics.
148 posts Page 13 of 15
by ankh » Wed Aug 13, 2014 11:15 pm
How secure are WordPress blogs hosted at Sonic, for avoiding intruders getting further into access?
EDIT nevermind, I'll look for an appropriate place to ask more about securing things here.

by kgc » Mon Aug 18, 2014 12:39 pm
tensigh wrote:I know that when something like this happens, the first instinct is to assume someone's computer has been infected with malware, but more and more I find this less often to be the case. Even casual users these days are less gullible to virus attached emails and later editions of Windows are better protected against malware. In short, this isn't 2001 and no one's running Windows 98 anymore.
I don't think that is the correct assessment. If it were true, the massive botnets responsible for much of the spam, DoS attacks, ransomware (cryptolocker) would not exist. And it would not take a global coordinated effort of law enforcement, ISPs and corporations including Microsoft to cut off the bots from their C&C systems in order to break them. http://en.wikipedia.org/wiki/Operation_Tovar (And this thread wouldn't exist.)
Kelsey Cummings
System Architect, Sonic.net, Inc.
by ankh » Mon Aug 18, 2014 2:52 pm
Yeah, but -- isn't there _anything_ in the log files that makes it possible to say, for sure, where the problem is?
Could Sonic set up say a dedicated honeypot for us customers to connect a suspect machine to?
To use once there's some suspicion that some computer on our home network has been infested?

Is there any way, that or anything else, you know would get the bot/virus/infection/malware to reveal itself?
The malware scanners aren't reliable; you don't share the log files that trigger cutting off an account when something happens, just wait, I guess, to see if it happens again.

How about a fake Internet, to which we could connect, to try to tease the malware into exposing itself if it's on one of our machines?

Walk us through it by phone; set up the Sonic rental modem to do it; something like that.

I dunno. Just handwaving here. But erasing and reinstalling multiple machines is the alternative, and even that won't fix the backup drives.
by tensigh » Mon Aug 18, 2014 3:25 pm
kgc wrote:
tensigh wrote:I know that when something like this happens, the first instinct is to assume someone's computer has been infected with malware, but more and more I find this less often to be the case. Even casual users these days are less gullible to virus attached emails and later editions of Windows are better protected against malware. In short, this isn't 2001 and no one's running Windows 98 anymore.
I don't think that is the correct assessment. If it were true, the massive botnets responsible for much of the spam, DoS attacks, ransomware (cryptolocker) would not exist. And it would not take a global coordinated effort of law enforcement, ISPs and corporations including Microsoft to cut off the bots from their C&C systems in order to break them. http://en.wikipedia.org/wiki/Operation_Tovar (And this thread wouldn't exist.)
Really? When was the last time you had to deal with a computer virus outbreak? Like I had said, in the 90s and early 2000s I worked a help desk where people called because they clicked on attachments and there were clear signs the PC had been infected. One of the best ways to tell was to run netstat and see the outgoing connections or hook an infected PC to a switch and monitor the outgoing traffic from the switch. This has happened less and less in my experience.

Plus your logic isn't quite sound. Just because botnets exist (and spam) doesn't mean it's all the result of malware. There are a number of ways a computer can be taken over other than a user simply downloading a virus and you're assuming that people's passwords getting stolen is the result of malware. A SQL injection on the right website could net thousands of logins and passwords. Users can have their information stolen when nothing has infected their individual terminals.

As I mentioned, the user landscape has changed drastically since 2001. The word has gotten out and even casual users are more aware of potential threats; P2P networks are significantly less common (remember viruses floating on Kazaa?), OSes are better at weeding out threats, people spend more time on mobile devices, etc. It's not to say the threat doesn't exist at all but the "Oops I clicked on a bad attachment" phenomenon is a lot less common, wouldn't you say? There are as many threats on infrastructure (WAPs, SQL injections, etc.) as there are threats to individual terminals.

But again, my point wasn't that it never happens, just that it seemed odd that it happened to so many Sonic customers at once. It seems odd that my computer and my parents' both get "infected" with malware and the only thing that gets stolen is my Sonic password. The alleged malware authors ignored my bank account password, my stock trading password, my other email accounts, my Facebook account; they only went for Sonic. Kind of odd that such an advanced malware program sneaks on to my computer and my parents' computer (who don't share files or visit too many websites) with a minimal risk and only steals ONE password. Especially when a lot of people from that ISP are complaining about the same thing.

Of course, it's always easier to blame some phantom malware since it's always a possibility.
by kgc » Mon Aug 18, 2014 3:49 pm
Well, I've been running our system operations since the late 90s and so I'll leave that at that. People continue to click on links in spam, get infected with zero day exploits in [insert application here], fall to phishing emails and even 419 scams from the King of Nigeria or install software downloaded from "questionable" sources. Shoot, recently even major ad networks have been caught with zero day flash exploits. This is a good time for the P.T. Barnum quote.

We've seen a more or less steady stream of exploited accounts for years and the number of accounts that we lock per day ebbs and flows. What has changed is that we've become much more aggressive about tracking down accounts and better at finding accounts being used for things like snowshoe spam. We do not know where the bots are getting credentials but despite many attempts internally we have not been able to find a common thread to affected users on our end.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by patty1 » Mon Aug 18, 2014 4:35 pm
tensigh wrote:
kgc wrote: I don't think that is the correct assessment. If it were true, the massive botnets responsible for much of the spam, DoS attacks, ransomware (cryptolocker) would not exist.
Really? When was the last time you had to deal with a computer virus outbreak?
Considering whom you're quoting, the answer to that question is probably, "Today."
by kgc » Mon Aug 18, 2014 5:12 pm
patty1 wrote:
tensigh wrote:
kgc wrote: I don't think that is the correct assessment. If it were true, the massive botnets responsible for much of the spam, DoS attacks, ransomware (cryptolocker) would not exist.
Really? When was the last time you had to deal with a computer virus outbreak?
Considering whom you're quoting, the answer to that question is probably, "Today."
Well, to be totally fair, it has been quite a while since I've spent any time disinfecting anything other than my parents' computers, but I spend my fair share of time dealing with what the infected systems actually go and do every day.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by ankh » Mon Aug 18, 2014 7:04 pm
> what the infected systems actually go and do

Ok, I can afford the time and effort and cost to deal with my household computers.
What's retirement and savings for, if not chasing spammers?
(God, the future sure didn't work out like I thought when I was young ...)

Can Sonic refer me to some people Sonic can comfortably work with as consultants to do the work?
(Ideally near where I live, but I can drive to Santa Rosa, got friends there to visit anyhow)

I don't mind doing the worst case you recommended -- establish one known good machine (from someone you'd believe) -- have that person take the hard drives as I pull them from the home machines and get them checked (by someone you'd believe).

I won't mind if a thorough search does, or doesn't, find malware on one or more of the home machines.

But I want to do this in a way Sonic will be satisfied with the work, so if there is a problem, we can show it's been found and fixed -- and if an expert you'd trust doesn't find a problem, that will be taken seriously and some further look done.

I asked in another topic about connecting. I'll do what I can, but want to find out how to do this right.
by tensigh » Mon Aug 18, 2014 7:09 pm
I'm sure you've seen a large number of malware-infected computers, Kelsey. In my experience, over the past 10 years I've seen a significant drop in the number of people that fall for the typical tricks, but I don't serve nearly as many customers as you do, so I have to concede the point.

I am quite certain that the issue with my parents and myself is not malware so it will still strike me as odd. Until I can find out exactly what happened I won't be satisfied. This isn't anything against Sonic, it's just good detective work. I'm sure you know what you're talking about but I've dealt with a lot of people that blame viruses or malware for anything where they can't find an explanation, only to find the answer was something else.

Another good trick to search for malware would be packet sniffers on the allegedly infected PC. Depending on your technical knowledge (and patience level) you can do massive packet captures and look for suspicious traffic.
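The two triage techniques tensigh mentions in this thread, reading netstat output for odd outgoing connections and capturing traffic from the suspect PC, both come down to the same question: is this machine talking to hosts and ports a home desktop has no business talking to? The script below is an added example, not code from anyone in the thread or from Sonic. It parses constructed netstat-style rows (the sample table, the expected-port list, the SMTP fan-out threshold and the "known mail server" allowlist are all assumptions for illustration) and flags two patterns relevant to a spam-bot suspicion: a desktop opening direct SMTP sessions to many different remote hosts (a normal mail client only talks to its provider's submission server), and connections to ports outside the expected set.

```python
"""Triage helper: flag suspicious outbound connections in netstat-style output.

Added example for the thread above; not Sonic's tooling. Thresholds and the
expected-port list are assumptions a practitioner would tune to their own setup.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `netstat -an` output (Proto, local address,
# foreign address, state). These addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    192.168.1.20:49152     192.0.2.10:443         ESTABLISHED
TCP    192.168.1.20:49153     192.0.2.10:443         ESTABLISHED
TCP    192.168.1.20:49200     198.51.100.7:25        ESTABLISHED
TCP    192.168.1.20:49201     198.51.100.8:25        ESTABLISHED
TCP    192.168.1.20:49202     198.51.100.9:25        SYN_SENT
TCP    192.168.1.20:49203     198.51.100.10:25       ESTABLISHED
TCP    192.168.1.20:49204     198.51.100.11:25       ESTABLISHED
TCP    192.168.1.20:49300     203.0.113.44:6667      ESTABLISHED
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    192.168.1.20:49301     192.0.2.10:80          TIME_WAIT
"""

SMTP_PORTS = {25, 465, 587}
# Assumed baseline of what a typical home PC legitimately talks to; tune per household.
EXPECTED_PORTS = {53, 80, 443, 993, 995}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def parse_netstat(text):
    """Return (proto, foreign_host, foreign_port, state) for each outbound-looking row.

    Header lines, listening sockets and wildcard peers are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, foreign, state = m.groups()
        state = (state or "").upper()
        if state in ("LISTENING", "LISTEN"):
            continue
        host, sep, port = foreign.rpartition(":")  # rpartition keeps IPv6 [..] intact
        if not sep or not port.isdigit() or host in ("0.0.0.0", "*", "[::]", "::"):
            continue
        rows.append((proto.upper(), host, int(port), state))
    return rows


def analyze(text, known_mail_hosts=frozenset(), fanout_threshold=3):
    """Flag SMTP fan-out and unexpected foreign ports.

    known_mail_hosts: the provider's own mail server(s), which a mail client is
    expected to reach (assumed allowlist). fanout_threshold: number of distinct
    remote SMTP peers above which a desktop looks like it is delivering mail itself.
    """
    smtp_peers = defaultdict(set)  # SMTP port -> distinct foreign hosts
    unexpected = set()
    for _proto, host, port, _state in parse_netstat(text):
        if port in SMTP_PORTS:
            if host not in known_mail_hosts:
                smtp_peers[port].add(host)
        elif port not in EXPECTED_PORTS:
            unexpected.add((host, port))
    fanout = {port: sorted(hosts) for port, hosts in smtp_peers.items()
              if len(hosts) >= fanout_threshold}
    return {"smtp_fanout": fanout, "unexpected_ports": sorted(unexpected)}


if __name__ == "__main__":
    report = analyze(SAMPLE_NETSTAT)
    for port, hosts in report["smtp_fanout"].items():
        print(f"SMTP fan-out on port {port}: {len(hosts)} distinct peers -> {hosts}")
    for host, port in report["unexpected_ports"]:
        print(f"Unexpected foreign port: {host}:{port}")
```

On a real machine you would feed it the saved output of `netstat -an` (or a connection list exported from a capture tool) rather than the constructed sample. The fan-out check is the one that speaks to this thread: a machine that is part of a spam botnet typically delivers mail straight to many recipient mail servers on port 25, whereas a legitimate client contacts only the hosts in the allowlist; the unexpected-port list is simply a queue of things to look at, not proof of anything.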
by ankh » Mon Aug 18, 2014 7:22 pm
I'll just repeat this one question, then pipe down and wait:

(For those of us with a fixed IP to spare, at least)
Could Sonic set up say a dedicated honeypot for us customers to connect a suspect machine to?
To use once there's some suspicion that some computer on our home network has been infested?

(The question about getting a connection using a known good computer (or one that could be checked) is at viewtopic.php?f=5&t=1311&p=13991#p13991)