(Link provided by Micha-san, our Japanese-German friend and colleague. Thank you very much, Micha-san!)
August 2005 Archives
Back in the early days of the World Wide Web, when Internet Explorer was but a few lines of code long and Mozilla was maybe only a word without meaning, Opera was already flying high.
Although it is a less known fact, Opera was the first serious web browser available for the PC and - this is my humble opinion - it is still one of the best web browsers out there, even if the undisputed star now is Firefox.
These days, Opera is turning 10 years old, and besides the online party, contests, free MP3s and free drinks (not!), they are also giving away free registration codes.
A great reason to try Opera 8 and maybe become less dependent on that horrific collection of bugs which is Internet Explorer(tm).
Brian Krebs from the Washington Post has an interesting story in his weblog, "Security Fix".
Quite different from most of the other news on Farid Essebar, which just quotes one source after another, Brian includes an interview with David Taylor, a security expert from the University of Pennsylvania in Philadelphia, who was able to find Diabl0 on IRC before he got caught, and chat with him.
Read the full story.
Diabl0 needed IRC to control his bot armies, which he "rented" to his friend "Coder" in Turkey. Despite obfuscating the server IP and other login information in the worm's code, finding them was trivial for any serious antivirus researcher. From there, accessing the IRC server and locating Diabl0 and Coder proved to be a simple enough task with the help of FBI and Turkish/Moroccan authorities.
I wonder if we are going to see a decrease in the number of bots relying on IRC to receive commands from their masters.
According to some reports, the author of the Bozori worm has been arrested earlier today in Morocco.
Nothing on Google news yet - will update the post as the reports start to come in.
[Updates]
30.08.2005 12:20PM (GMT+2) - IRC Session with Diabl0 - Excerpts from an IRC session with Diabl0 by David Taylor.
27.08.2005 08:46PM (GMT+2) - Webpronews - The article mentions a $250,000 ransom in this case, which is incorrect according to my current knowledge.
27.08.2005 11:54AM (GMT+2) - An interview I gave for HWUpgrade.it (Italian) - 'Since last year we have seen numerous arrests of virus writers, and that can only be a positive thing; it is becoming harder and harder to write a virus and get away with it,' Costin Raiu told us. By Marco Giuliani.
26.08.2005 11:29PM (GMT+2) - VNUNet - The Moroccan is believed to be the author of the initial worms and Ekici paid him for the code, Louis Reigell of the FBI's Cyber Division said in a conference call. He couldn't say how much was paid for the worms. It is common for worm authors to sell their creations.
26.08.2005 10:22PM (GMT+2) - The FBI PR - With the help of Moroccan authorities, Ministry of Interior Turkish National Police, and valuable assistance from Microsoft Corporation, these individuals were arrested yesterday without incident. Arrested in Morocco was Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0." Arrested in Turkey was Atilla Ekici, aka "Coder," a 21-year old resident of Turkey. Both individuals will be subject to local prosecutions.
26.08.2005 8:40PM (GMT+2) - CNN - "Farid Essebar, a Moroccan who used the screen name "Diabl0," and Attilla Ekici of Turkey, who used the moniker "Coder," were arrested in their home countries by authorities who cooperated with U.S. investigators in tracking the origins of the Mytob worm and its damaging variant, Zotob."
26.08.2005 8:36PM (GMT+2) - Washington Post - "Moroccan authorities, working with the FBI, arrested Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker “Diabl0.” Arrested in Turkey was Atilla Ekici, aka “Coder,” age 21. Both individuals will be subject to local prosecutions, the FBI said."
Hi, the name's Costin and I am a Linux user.
On second thought, I'm not sure "user" is the right term. In the Windows world, calling somebody a "user" is the same as calling them stupid. But to be honest, I'm not a sysadmin either, nor a developer. Oh well, I guess I'm a Linux user after all.
I use both Linux and Windows, and when time allows, other operating systems such as the recently announced MacOSx86, or Darwin for PCs. I've used Solaris in the past, on PCs and SPARCs, as well as a handful of other operating systems: AIX, HPUX, VMS, Unicos and Ultrix to name just a few. Maybe not the average Linux/Unix user, but I'm no addict either.
Recently, I've been doing a lot of work with Fedora Core 4, on AMD64. This is mostly related to downloading large amounts of mail, processing it and then storing a huge amount of text in a SQL database. Detection of new viruses is of course the main purpose here, as you might have suspected. With such disk-intensive applications, one of the most important factors is the type of file system.
In my case, the setup involves storing about 2 million files of ~16K on average (e-mails), as well as a few very large files of 6GB+ (virtual machine images). In both areas there is heavy access, with new files being added and older files being deleted. Most of the time, the large files grow even larger. So, what to use?
In the Linux/Unix world, the choice of file systems is pretty much the following:
- ext2 - older, reliable file system but with no journalling
- ext3 - ext2 on steroids
- ReiserFS 3 - blinding fast file system, directly supported by the new kernels
- ReiserFS 4 - even faster, but still new
- XFS - developed by SGI, for their supercomputing purposes
- JFS - based on the defunct IBM HPFS (OS/2), now open source
- FAT32 - a relic from the Microsoft world
- NTFS - the WinNT file system, with write support in recent Linux kernels (sic)
Of these, only some support journalling, which is a very desirable technique which not only avoids long consistency checks during reboot but increases the overall reliability. So there goes ext2 and FAT32, which despite high compatibility, would be too much of a nuisance during the unavoidable crashes.
Yes, ext3 is good, stable and reliable, but way too slow for the type of computing I'm doing in the lab.
What to say about NTFS? Well, it _is_ possible to use it in Linux but write support is limited and the whole NTFS in Linux project is currently in a deep stage of sleep, so there goes NTFS as well.
I've been using ReiserFS 3 quite happily for a while, before I started to hit some problems. In my case, it was related to security contexts under SELinux. One evening I spent about 2 hours trying to figure out why Squid stopped being able to access parts of its cache on one of my ReiserFS 3(.6) partitions. It turned out that, for some unknown reason, the security contexts on the Squid cache folder simply disappeared after a while. Moving the cache to an ext3 partition solved the problem. Strange. Besides, ReiserFS is very CPU intensive - and I'm already trying to squeeze the most out of the CPU for other things. No doubt the file system is very fast, possibly the fastest of the batch, and the algorithms built into it are marvellous. On the other hand, it doesn't seem to work well with security contexts and SELinux, at least for me. Maybe I'm doing something wrong, maybe I'm not doing something I should be doing. I don't know; it just doesn't want to play like the nice kid it is supposed to be.
How about ReiserFS 4? Again, YMMV. When heavily used on my AMD64 machine, the machine hangs every now and then. Indeed the CPU is getting _very_ hot, and it may not be out of the question that it is getting even hotter because of the intensive ReiserFS 4 computations, but the system just doesn't crash with ext3. And, as will be seen later, nor does it crash with XFS and JFS. So, there goes ReiserFS 4, despite having the wonderful feature of knowing how to stick even more data in the unused slack space between the end of a file and the physical end of a cluster.
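The disappearing security contexts described above are SELinux labels stored as the `security.selinux` extended attribute on each inode. The following audit script is an added example, not code from the original post: it walks a directory tree (for instance a Squid cache directory) and reports files that have no label at all, separately from filesystems that cannot hold xattrs, so the symptom can be caught before a daemon starts failing. The `user.*` attribute name used in the self-test is a constructed placeholder.

```python
"""Audit a directory tree for files missing their SELinux security context.

Added example (not from the original post). SELinux keeps the context of a
file in the 'security.selinux' extended attribute; a file without it is what
the Squid cache ended up with on the ReiserFS partition described above.
Run as root to be sure every file is readable.
"""
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"


def audit_tree(root, attr=SELINUX_XATTR):
    """Walk `root` and return (missing, unsupported).

    missing:     paths whose inode has no `attr` (ENODATA), i.e. unlabelled files
    unsupported: paths on a filesystem that cannot store `attr` at all (ENOTSUP)
    Any other error (e.g. EACCES) is raised so the operator sees it.
    """
    missing, unsupported = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                # follow_symlinks=False: inspect the link itself, not its target
                os.getxattr(path, attr, follow_symlinks=False)
            except OSError as exc:
                if exc.errno == errno.ENODATA:
                    missing.append(path)
                elif exc.errno == errno.ENOTSUP:
                    unsupported.append(path)
                else:
                    raise
    return missing, unsupported


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    missing, unsupported = audit_tree(root)
    for path in missing:
        print("UNLABELLED", path)
    for path in unsupported:
        print("NO-XATTR-SUPPORT", path)
    print("%d unlabelled, %d on unsupported fs" % (len(missing), len(unsupported)))
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```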
So this leaves us with JFS and XFS. I've tested both, and I must say both performed very well. No crashes. No security context problems. Speed. Especially speed!
So, which one to use? Well, your choice - I'm using both.
Right now, I'm especially inclined to praise XFS, but JFS isn't bad either. Both reach close to the disk's native transfer speed and the CPU load is acceptable. However, only the XFS defragmentation tools are available on Linux, which is essential in my case.
If you're doing some heavy Linux computing and so far you've thought that ext3 is enough, it doesn't hurt to try XFS or JFS.
Oh, and one more thing - I'm storing my entire virus collection on an XFS partition. (It is on a machine with no net connection and encrypted disks, so don't bother.) There's an awful lot of files in there, small, big, and lots of directories. Before XFS, I had all sorts of problems with NTFS; don't even think about FAT32. XFS handles the job admirably.
Finally, the most wonderful conclusion that you can draw from the above is not really about XFS being as good as JFS and better than ReiserFS. No - it is about _choice_. You have the choice to try and see which one suits your purposes best.
I wish I had this choice in Windows as well.
Anybody out there porting XFS and JFS to Windows?
The debate over the right to so-called irresponsible disclosure continues.
Several days ago, FrSIRT published the code for a 0-day exploit in a less popular Internet Explorer plugin, 'msdds.dll'. FrSIRT claims to have received the exploit from an anonymous source.
Microsoft issued a statement on this bug, in which they are saying:
Microsoft is investigating new public reports of a possible vulnerability in Internet Explorer. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time. Microsoft is aggressively investigating the public reports.
Besides the above statement, Microsoft was reported to be actively criticising the way the vulnerability was disclosed. I tend to agree with them on this issue and in general.
For instance, about a week ago, Dr. Peter Bieringer (pbieringer at aerasec.de) reported a vulnerability in Kaspersky AntiVirus Unix/Linux File Servers that can be used to obtain local root access. Oops! Being a local exploit, the impact of this is not too severe, however, it still is a serious issue for any security company. Dr. Bieringer reported the vulnerability to our TS, and waited until a patch was released before going public. This allowed us to investigate the matter, to produce the patch, to properly test it and release it to the public. Then he went ahead and posted a public note about his findings. This is responsible disclosure.
On the other hand, there is no doubt that irresponsible disclosure - highly praised by some supporters of freedom of speech and the like, who lack any perception at all - is here to stay.
Whenever this happens, especially with severe vulnerabilities, the first to suffer from it are the users: either somebody writes some malware which uses the vulnerability to spread, or cybercriminals begin using the exploit to gain access to confidential data. The company at fault suffers as well - they have to rush to come out with a patch, most of the time without sufficient testing. I remember an older statistic, from the '90s, which said that for every three bugs you fix, a new one is added. My coding experience falls in line with these numbers.
The minor advantages of irresponsible disclosure thus become irrelevant in the light of the many negative ways in which the information can be misused. I even dare say that irresponsible disclosure is a direct and premeditated way to harm the users and the developer of the software in question. And premeditation, in any type of crime, offers no excuse at all for the actions.
So let's not confuse freedom of speech with irresponsibility, and premeditated crime with infantile stupidity.
Oh, and almost forgot. Is there any reason at all to use Internet Explorer to browse the web these days?
"May we live in interesting times", says a Chinese bit of wisdom. The technological advances, the rapid evolution of software and hardware - there is no doubt we DO live in interesting times.
Fraud and crime have been with humanity since the very beginning. I will not debate the issue of good vs evil here, but I will touch a little bit on the side of computer malware.
Yesterday, it came to my mind that the evolution of malware is conditioned by three major factors:
1. Technological advances
2. The bad guys coming up with new methods of attack
3. The evolution of security technologies
Actually, there is another factor which may be less obvious, but one that for sure affects the evolution of malware:
4. The social dynamics
During the past years, the evolution of malware was conditioned mainly by technological advances, point one in the list above. Basically, I'm talking about the widespread access to the Internet and the proliferation of Internet-borne malware. Points two and three have been there and played a secondary role - people upgrading from 2000 to XP, firewalls, IDSes, better heuristics; all these have affected the way malware is written and deployed on the Internet.
Wednesday, August 17th, people woke up to the chaos of Bozori. On CNN, millions of people could watch the worm do its deeds, crashing Win 2000 machines. The renowned antivirus expert Kevin Mitnick provided a statement on the worm; I won't be getting there this time, though.
What is interesting with Bozori is that while CNN was broadcasting chaos, there were virtually no reports on Smallpot. Zero, nada, nil, null. Of course, since the Sasser incident, it's almost impossible to make port 445 connections over the Internet. In Romania, they are probably completely blocked at ISP level. So, how could Bozori cause an outbreak when it can't spread over the Internet?
The clever readers have by now guessed the answer - Bozori causes _local_ outbreaks, whenever it can reach the critical mass. The worm is not able to reach many machines over the Internet because these days everybody is firewalled. However, local networks have no firewalls - when an infected laptop is brought to a network with, say, 50 Win 2000 machines, chaos erupts. This is why small companies and the casual Joe Internet user weren't affected. On the other hand, big companies, running large networks of computers around the world, practically their own reduced versions of the Internet, were hit badly.
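The local outbreak pattern described above is visible from the inside of the network even when the perimeter firewall sees nothing: one host suddenly opens TCP/445 connections to many neighbours in a short time. The detector below is an added example, not code from the original post; it runs over constructed firewall/netflow-style log lines of the form `<epoch> <src> <dst> <dport>` (assumed sorted by time) and flags any source that touches a threshold number of distinct destinations on port 445 inside a sliding window.

```python
"""Flag hosts fanning out to TCP/445 on the local network (added example, not
from the original post). Input lines are constructed: "<epoch> <src> <dst> <dport>",
sorted by timestamp, as a simple internal firewall or netflow export would give.
"""
from collections import defaultdict, deque

# Constructed sample: 10.0.5.17 sweeps port 445 across its /24 (the infected
# laptop in the post); 10.0.5.3 is an ordinary client talking to one file server.
SAMPLE_LOG = """\
1124265600 10.0.5.17 10.0.5.1 445
1124265600 10.0.5.17 10.0.5.2 445
1124265601 10.0.5.17 10.0.5.3 445
1124265601 10.0.5.17 10.0.5.4 445
1124265602 10.0.5.17 10.0.5.5 445
1124265602 10.0.5.17 10.0.5.6 445
1124265603 10.0.5.3 10.0.5.200 445
1124265604 10.0.5.3 10.0.5.200 445
1124265610 10.0.5.3 10.0.5.201 139
1124265700 10.0.5.17 10.0.5.7 445
"""


def parse(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def detect_fanout(text, port=445, window=10, threshold=5):
    """Return {src: first_alert_timestamp} for every source that contacted at
    least `threshold` distinct destinations on `port` within `window` seconds.

    A per-source deque holds the recent (ts, dst) pairs; entries older than the
    window are dropped from the left, so memory stays bounded per host.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, dst, dport in parse(text):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, ts in detect_fanout(SAMPLE_LOG).items():
        print("ALERT: %s fanning out on tcp/445, first seen at %d" % (src, ts))
```

With the sample above only 10.0.5.17 is reported, at the moment its fifth distinct neighbour is contacted; the lone connection 100 seconds later falls outside the window and does not re-trigger.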
After years of learning the hard way, people have secured themselves behind their impenetrable firewalls, filtering all e-mails and ripping all executable content. Everybody felt secure and confident nothing bad could happen. So, the blow from the inside was even worse as it was totally unexpected.
A couple of years ago, the Internet was a large community with no walls. But people have started to put walls between their neighbourhoods and now malware can't easily go just about everywhere. However, there are still no walls inside the neighbourhoods, and when a worm is let loose in a big area, it can for sure wreak chaos.
The fact that the worm was designed to mainly target local networks is proof that the author understands point four - social dynamics. And we can be sure the worms of the future will consolidate on this ground.
Interesting times, indeed.
It was inevitable. Despite Apple's best efforts (the conspiracy theorists will disagree with that, but anyway), an Intel (x86) version of Mac OS X, aka Tiger, has made it to the net. The original distribution DVD is locked to a specific set of hardware, which includes checking for the presence of a special chip in the system as well as the presence of SSE3 instructions.
Apparently, somebody found a way around these checks and produced not only tutorials on how to crack the protection, but also ready-to-use VMWare images:
tiger-x86.tar.bz2 - 1,319Mb
A few months ago I predicted that Apple is likely to tie its operating system in some way to hardware, such as starting from scratch with a 64-bit architecture - AMD64 or EM64T - or by relying on a special hardware card, so that some of the existing Intel user base would also have to buy their machines when switching from the Windows world to something which has fewer problems with malware, at least for now.
Even if I do not agree that Apple is willingly producing an "easy to crack" x86 MacOS X to induce user interest in its operating system, I think it is safe to assume that they are testing the market and have considered the idea of challenging Microsoft's domination of the OS market.
But in any case, with the increasing user dissatisfaction with Windows and the further delay of Vista, Apple's timing is nothing but perfect.

There is a heated debate over the so-called right to irresponsible disclosure.
Michael Lynn, a security researcher who used to work for ISS before the whole story, discovered a very serious security problem in Cisco's IOS class of operating systems for their popular routers and network firewalls. Lynn started by working with Cisco to patch this vulnerability, as any white hat would responsibly do, giving the company a chance to patch before the bad guys find out.
Apparently, somewhere during this process Cisco panicked. And they panicked so big that they've decided to completely bury the story and never allow anybody to speak of it. Lesson number one for Cisco: don't panic yet, it is just about to get worse.
Seeing that Cisco panicked, Michael Lynn did the right thing to do - from the point of view of some people, or the worst thing in the world - from the point of view of other people, which was to go ahead and speak about this terrible secret at the BlackHat Briefings conference last week in Las Vegas. Even more panicked by the panicking Michael Lynn, Cisco went ahead and destroyed all the original BlackHat Proceedings CDs, ripped Lynn's presentation from the printed conference proceedings and threatened just about everybody in the unlikely case the researcher decides to speak about this unfathomable truth. Lesson number two for Cisco: if the rabbit is out of the hat, be it even a Black Hat, the worst thing to do is to claim there is no rabbit.
When the time came for Mr. Lynn to present at BlackHat, he started by speaking on the subject which was imposed on him by the conference organizers, his ex-employer and Cisco, which was about some rather common and not so groundbreaking wireless vulnerabilities. In a striking proof of anarchy, the mob at BlackHat started yelling and demanding the Cisco IOS presentation. Encouraged by the crowd, or better said, left with no other choice, Michael Lynn went on, and on and on, to Cisco's despair. And so we come to Lesson Number Three for Cisco: never underestimate the mob.
The rest will be decided in a long series of trials, of which the company which has already been named a lot of times in this post will most likely have the most to lose. The right to responsible, or irresponsible, disclosure is maybe less important in this story. What is important, in my personal opinion, is the base reason for which everybody is so scared, panicked and out of control. Which is the following: the Internet is so dependent on Cisco hardware that a coordinated attack using the unspeakable vulnerability that Lynn discovered may bring it down. Which brings me to the last and final lesson of the post, to nobody in particular: diversity.
Choose your hardware wisely, and don't rely on a single brand. If you have the budget to buy the No. 1 hardware out there, buy one which is just as good and a little bit less expensive. Or if you have just about the budget to buy No. 3, add a few more bucks and buy No. 2. If your entire company network is based on routers from company X, buy a few from company Y as well. Of course, be sure to test their interoperability in the first place. Finally, when the unspeakable happens, don't panic. Just upgrade that flash and carry on.