Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:Argh
>Stuxnet infected a PC, causing it to change the signals it was sending to
>motor speed controllers, thus fouling up a process. Which is why you keep
>your SCADA PCs as far away from the Internet as you possibly can.
Stuxnet actually reprogrammed the PLCs, too. See the analysis at
-
Re:How about replacing an open file?
Ahh, process explorer. It was my savior back in the NetBackup 5.x days when MSCS cluster backups would fail and leave gigantic .vsp files lying around, locked and not easily deleted. You know, the ones that showed as 0 bytes in explorer but were actually many gigs. I don't miss doing backups. Especially backups for win servers that were hosting multi Terabyte shares. Stupid poorly designed fileservers, NetApp yay.
http://www.symantec.com/business/support/index?page=content&id=TECH33732
-
Old news
-
Re:coins
17th June, Symantec's blog:
It has been known for some time that a botnet’s combined computing power could be used for a number of nefarious purposes. We can now add Bitcoin mining to that list.
http://www.symantec.com/connect/blogs/bitcoin-botnet-mining
-
trojan infected computer
How does this Infostealer.Coinbit trojan get on to the infected computer?
Infostealer.Coinbit
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
link
-
How to fix the damage
First, DO NOT delete your temp files. There is a variant that not only hides various files (by setting the hidden attribute) but moves the shortcuts to %temp%\smtmp (a hidden directory). It also reorders the icons.
see:
http://www.emagined.com/security-threat/trojan-fakefrag
http://www.symantec.com/security_response/writeup.jsp?docid=2011-050610-4459-99&tabid=2
-
Re:Don't underestimate stupidity
Hrummph. 10 seconds on Google and it's here. Even Symantec knows about it.
-
Re:no
These stories pop up about once a year. Infection rates are always nearly zero. This was the last "OMG mac virus" story, OSX.HellRTS:
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Until evidence to the contrary I'll be treating the one you mentioned the same.
-
Academics
Academic luddites (read non-IT people), much like corporate luddites, will do what other people tell them to in regards to pretty much everything technology.
In this case, there is a very good chance that the MPAA or RIAA or some other anti-freedom group gave Boston a list of signs of illegal downloading among college students. Wireless routers would be at or near the top of this list. Why? Anything that supports networking obviously also supports pirating songs.
It's like the Java Bear hoax e-mail. If an official looking organization or person or e-mail tells luddites to do something with technology, they do it.
-
Let's look into the details if you don't mind
Here is information regarding the only threat of those 13 that is marked as a Virus
http://www.symantec.com/security_response/writeup.jsp?docid=2006-110217-1331-99/OSX.Macarena
Risk Level 1: Very Low
Discovered: November 2, 2006
Updated: February 13, 2007 1:01:55 PM
Type: Virus
Systems Affected: Macintosh, Macintosh OS X
OSX.Macarena is a proof of concept virus that infects files in the current folder on the compromised computer.
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
-
Re:The opposite???
http://en.wikipedia.org/wiki/Pwn2Own
Pwn2Own contests regularly have Safari/Mac software as a valid winning target.
Is it good data? Maybe not. But the point is that Macs aren't targeted much because the Windows desktop share is much larger (some figures say 90%). So while they can get viruses, it's not a valuable target for botnets.
Still waiting for the first Mac OS X virus in the wild...
http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=O
OSX.* near the bottom of the list. There's 13 on that list.
-
Re:Internet? SCADA systems are what matters
I think you need to read the whitepaper on Stuxnet.
It used exploits in Windows to be sure, but the development of this virus depended on much more than just some Windows exploits. A great deal of research and energy went into creating Stuxnet - that same research could be put towards finding exploits in virtually any SCADA system, or any OS. As we all know, the exploits are out there in _nix or Win or OS/X... it's just that no one has had the ambition to search for them yet.
-
Re:Macs are still no mans land
http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=O - looks like there are exactly 17 known ones.
Thing to really worry about though - a good virus sits in the background quietly collecting info on the user and distributing itself to other machines it comes in contact with, without anyone knowing.
Having watched Mac users - they are no better than Windows users in the sense that when the elevate permissions window pops up they type in their password with no hesitation. Never mind the bugs in the core OS that would let malware run as root without anyone knowing and that is probably a more serious issue.
At least on Windows it says who's bringing up the elevate prompt, puts it on a separate desktop (so malware can't click/key the prompt), and it color codes it for risk - yellow if it's not signed - red if it's known malicious etc. A good chunk of the malware I've seen on Windows runs in user space, and could be cleaned up with a virus scanner if users couldn't reboot/shutdown their machine without Admin.
Seriously - when most malware notices you're trying to scan the disk, it shuts down the machine - if MS fixed this - these Fake AV programs would be so much easier to clean up.
-
Some charts supporting this
(alphabetically)
SANS Internet Storm Center (I can't get the graph working, ymmv)
SenderBase
SpamCop (a feed to SenderBase)
Symantec
ThreatPost (TFA)
Websense Monthly reports (December not yet available, Websense is TFA's source)
An observation: spammers celebrate holidays too; it's hard to recover from a series of shutdowns while dealing with family affairs. I hope their holidays were joyful and full of lasting distractions...
-
Don't laugh too soon, because this works vs. this
See my subject-line above, & these host/domain names, blocked off (via the 0.0.0.0 blocking "IP Address"):
---
0.0.0.0 xtremedefenceforce.com
0.0.0.0 elvis.com.au
---
SOURCE: http://krebsonsecurity.com/2011/01/white-house-ecard-dupes-dot-gov-geeks/
Also, since this thing is allegedly suspected to be a ZEUS variant:
---
PERTINENT QUOTE/EXCERPT:
"A 75GB cache of stolen data shows that the botnet, which is a variant of Zeus, has been used to steal a wide range of information, including tens of thousands of login credentials -- mainly for financial accounts
SOURCE: http://www.computerworld.com/s/article/9158778/Kneber_botnet_hit_374_U.S._firms_gov_t_agencies
---
?
This MAY come in very "handy" as well:
---
ZEUS TRACKER:
https://zeustracker.abuse.ch/monitor.php?filter=online
---
Symantec uses it
---
PERTINENT QUOTE/EXCERPT:
"Sites such as Abuse.ch Zeus tracker have for some time now been doing an excellent job in tracking Zeus command & control (C&C) servers and hosts of Zeus files.
SOURCE: http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
---
So do I... because it allows you to "keep up/keep current" vs. that botnet C&C servers this thing utilizes.
"Blacklists" (which HOSTS files can function as, but also as "whitelists" too), especially in THIS situation? Work!
APK
P.S.=> So - Simply add those host/domain names, blocked off as shown, to your OWN hosts file (typically located in %WinDir%\system32\drivers\etc, on modern Windows OS, &
/root/etc on Linux variants), & what you can't touch, cannot touch (or harm) you - simplest idea for protection in the world! apk
-
Not if the user uses custom HOSTS files... apk
-
Counterargument to article, other possibilities
I guess I found one point of reasoning in the article somewhat contradictory: that "Furthermore, in March 2010, China’s Customs ministry started an audit at Vacon’s Suzhou facility and took two employees into custody thereby providing further access to Vacon’s manufacturing specifications"
... but the first sample of the Stuxnet virus (which did contain a Siemens DLL) was found in June 2009 according to the Symantec dossier http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf referenced in the paper of the article.
This virus may have been first seen in the wild on June 17, 2010, but apparently it's been around before that. Did China really only weaponize it that late in the game, post-March 2010? Or if it occurred before then, the whole March 2010 incident is irrelevant as to China's culpability, but mildly interesting in terms of indicating increased capability. I figure the article's author seems smart enough that he would recognize this so I don't understand if I'm missing something, or he's overly padding his argument with irrelevant-but-interesting datapoints and overlooked this logic, or if I should consider this as disinformation.
Other scenarios that I've wondered about along the way (admittedly more motive-based than evidence-based) :
* Israel routes many attacks or probes (not just this Stuxnet one but perhaps it also) through China (or Russia) because there are a lot of PCs there not-well-protected, their cyber-defense/tracing/auditing is weak(?), and it makes for a plausible cover story given the advanced capabilities, and is less likely to implicate its closest ally (US) and the explanation will serve its closest ally's interests (US fears against China and/or Russia just help with increasing defense budgets in the US thus providing more advanced weapons for Israel.)
* Stuxnet is really a coverup for a previous, perhaps-more-effective sabotage mechanism still-unveiled. Reasoning: as mentioned in the paper referenced by the article, Iran's Natanz's uranium-processing efficiency started to drop in 2008 for reasons still unknown/unrevealed. Let's posit that Stuxnet didn't arrive until later (true given the current evidence.) Iran, having not figured out the true nature of its vulnerability/ies, now has a culprit that they appear to be eagerly investigating... but the attacker has led them to focus their attention and efforts on a vulnerability that is not the most significant one.
-
Re:Rather basic question
Stuxnet is quite the nasty piece of malware. There isn't anything simple about it.
This is Symantec's summary:
Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.
Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features such as:
- Self-replicates through removable drives exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)
- Spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)
- Spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
- Copies and executes itself on remote computers through network shares.
- Copies and executes itself on remote computers running a WinCC database server.
- Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
- Updates itself through a peer-to-peer mechanism within a LAN.
- Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulnerabilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
- Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
- Contains a Windows rootkit that hides its binaries.
- Attempts to bypass security products.
- Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
- Hides modified code on PLCs, essentially a rootkit for PLCs.
The full Stuxnet dossier for interesting reading:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
-
Re:The difference engineering makes
One who has a large team of talented programmers, carefully designing and building the attack.
Symantec speculates a team size around 5-10 not including QA (whatever the heck that means).
Personally I think there is probably a "team" of 1-3 people sniggering to and congratulating themselves. (Probably adding "Stupid Americans"). That is if they haven't been shot.
I'll give you talented, though.
-
Re:Iran seems to be seriously downplaying the harm
It seems that the targeting abilities of the worm were wildly exaggerated. The worm reports back to servers, hmm air gap, that makes no sense. It seems there was a lot of obfuscating built into the worm, specifically to hide how it gained entry past an air gap, and how any new program was accepted on appliance based machines.
I would bet the worm 'bought' its way in and the external stuff was typical 'COINTELPRO' misinformation.
You're making a lot of assumptions that are simply incorrect.
You really should read the analysis of the worm's function as written up by Symantec's researchers. They published exactly how it bridges the air gap -- a bug in how Windows processes the AUTORUN.INF file permits infecting a machine as soon as removable media is inserted, and does not rely on AUTORUN itself to be turned on. The rest of the infected machines serve as the conduit for delivering updated virus payloads and instructions to the machines that write the USB sticks or CD-ROMs that cross the gap. Assuming the operators of the plant had to perform maintenance or updates (which happens often as existing devices are reconfigured or new ones are brought on line) the updated payloads will find their way across the gap soon enough.
And Symantec wasn't the only company to decompile the worm and figure it out.
Nobody had to 'buy' the worm in. Nobody had to falsify how it got installed. The worm itself provides the evidence of sophistication. If you doubt it, simply get a copy and infect your Windows machine, put in a fresh USB stick, then put the USB stick into an uninfected Windows machine. Now you have your own copy of proof in the form of two infected machines.
Where espionage would come in would have been in studying the nuclear plant, learning what the control system configuration was, how their engineers used removable media to bridge the air gap for ordinary maintenance, then designing a payload that would specifically target their process.
-
Learn A Little About Stuxnet Before Commenting
Many of the comments here seem to be unaware of what Stuxnet actually is or how it works. Symantec has a great whitepaper on it that is updated as they learn more. 50 pages of technical detail. Of course you can read the executive summary and at least avoid making the kinds of uninformed comments I'm seeing here.
Just a Few:
1. "People are so stupid to connect their industrial control system to the internet!"
Stuxnet does not require internet access. It delivers its payload in various ways, and in particular, if an infected USB stick is inserted into a susceptible machine, it will find a machine on that network with the Siemens PLC development environment and infect it in such a way to insert hidden malicious code into the PLC.
2. "Just don't run Windows"
There is some validity to this idea. But the payload was not delivered to a Windows machine, just via one. How many embedded controller development environments require a Windows machine? Try coding a Xilinx FPGA without a Windows box, or just about anything out there without one.
3. "We could have seen this coming"
Most people did see this coming. But they didn't think it was actually plausible to defend against. The Stuxnet worm required a huge amount of resources and detailed knowledge to pull off. Everything from the payload to the infection method. Someone really thought this through. It is a proof of concept of what people generally believed to be only possible in theory.
The fact that government is getting involved here is a bit worrisome. I hope they at least pay attention to the existing specifications already out there to help mitigate some of these threats. NIST 800-82 is a decent read that is free (final public draft) and there are other pay ones out there as well.
The reason why I am kind of annoyed about people's ignorance about Stuxnet is because the biggest lesson learned from it is largely being ignored. 1. That "air gap" protection you think you have is not as good as you think it is. 2. The "insider threat" is worth thinking about, even if you trust your insiders. They may not know they are a threat.
-
Re:Cut the hardlines
I said stuxnet does not _need_ the PLC (PLD) containing machines to be connected. In reality they may be connected, but disconnecting them will not stop Stuxnet infecting them as it gets in when the PLC programming is updated.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
For reference a "Field PG" is a machine used to program the PLCs not the actual target of the infection.
Quote:
"Once Stuxnet had infected a computer within the organization it began to spread in search of Field PGs, which are typical Windows computers but used to program PLCs. Since most of these computers are non-networked, Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two year old vulnerability, infecting Step 7 projects, and through removable drives. Propagation through a LAN likely served as the first step and propagation through removable drives as a means to cover the last and final hop to a Field PG that is never connected to an untrusted network."
-
Re:I don't know whats more worrying...
The main part of this that is appalling to me is that they would have software that controls centrifuges available on a network where it could get infected by a wild virus. Although perhaps the virus was instead inserted manually. All you'd need would be a few collaborators (or dupes) in the right places....
Wow. After reading the Symantec Security Response white paper posted elsewhere here, it looks like I was right, sort of.
The virus actually contained a rootkit for their PLCs (sort of quasi-intelligent I/O gathering devices), which is a first for a virus. There are so many different ones out there, how did they know which ones to code for? It looks like someone had to physically steal the plans. (!) Then the infected network waited for code updates from the virus authors (spread via P2P on the infected network). Wow.
Also, I was correct that the target machines are not networked. It got around that by spreading itself to them from infected machines via removable media.
There's no way somebody just threw something like this together on a whim. At the absolute least they had to have very good intelligence about what their targeted networks look like, and could build a good mock-up copy of that network (reconfigurable for various setups) for testing. So it has to be someone whose intelligence service has penetrated Iran. That rules out damn near everybody save one or two suspects...
Here's the relevant section, for those who have read this far:
Industrial control systems (ICS) are operated by a specialized assembly like code on programmable logic controllers (PLCs). The PLCs are often programmed from Windows computers not connected to the Internet or even the internal network. In addition, the industrial control systems themselves are also unlikely to be connected to the Internet.
First, the attackers needed to conduct reconnaissance. As each PLC is configured in a unique manner, the attackers would first need the ICS’s schematics. These design documents may have been stolen by an insider or even retrieved by an early version of Stuxnet or other malicious binary. Once attackers had the design documents and potential knowledge of the computing environment in the facility, they would develop the latest version of Stuxnet. Each feature of Stuxnet was implemented for a specific reason and for the final goal of potentially sabotaging the ICS.
Attackers would need to setup a mirrored environment that would include the necessary ICS hardware, such as PLCs, modules, and peripherals in order to test their code. The full cycle may have taken six months and five to ten core developers not counting numerous other individuals, such as quality assurance and management.
In addition their malicious binaries contained driver files that needed to be digitally signed to avoid suspicion. The attackers compromised two digital certificates to achieve this task. The attackers would have needed to obtain the digital certificates from someone who may have physically entered the premises of the two companies and stole them, as the two companies are in close physical proximity.
To infect their target, Stuxnet would need to be introduced into the target environment. This may have occurred by infecting a willing or unknowing third party, such as a contractor who perhaps had access to the facility, or an insider. The original infection may have been introduced by removable drive.
Once Stuxnet had infected a computer within the organization it began to spread in search of Field PGs, which are typical Windows computers but used to program PLCs. Since most of these computers are non-networked, Stuxnet would first try to spread to other computers on the LAN through a zero-day vulnerability, a two year old vulnerability, infecting Step 7 projects, and through removable drives. Propagation through
-
More details
There's a lot more detail in the Symantec virus "dossier". A very interesting and detailed read.
-
According to Symantec, Windows only
But of course, I had to dig to find that particular piece of information. Most of the write-ups ignore the question of what host OS/systems are vulnerable. http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-013112-4647-99
It's truly appalling that the great number of discussions are either (a) ignorant of the question of 'host vulnerability', (b) assume that everyone is running Windows; or (c) can't be bothered to determine what hosts are vulnerable. If I were sufficiently paranoid, I'd believe this is part of the continuing conspiracy to make everyone believe that such vulnerabilities are a 'fact of life' for all computers, and not just Microsoft products.
-
Re:Eheh
And then you swallow WHOLE the claim that Iran was hit hard by stuxnet... a claim made by WHO? Verified by who?
Symantec made this crystal clear in their white paper on the worm. Or do you think that Symantec is in the tank for Iran?
As for your rant about amateurs being able to write this worm, it's quite clear you haven't taken even a cursory look at it. Everyone who knows anything about worms who's looked at it has acknowledged that this is the most sophisticated piece of malware they've ever seen. This wasn't written by some script kiddie in his mom's basement.
What amazes me is that you are paranoid to believe western governments can lie
It amazes me that you think they don't.
-
Re:More details needed in story summary
> Despite the numerous slashdot articles and buzz about it, I'm seeing scant actual details.
That's probably because you're not getting your news at the right place. Here's the detailed technical analysis released last week:
It's quite an impressive read.
-
Re:They don't say who they think it is
Admittedly I didn't know much about Stuxnet until after reading more about it and it seems to me just yet another windows virus that hasn't until now been discovered and mistakenly spread via contractors' laptops.
Seems to me that this worm wasn't designed for a specific target and is like any other virus.. well that or this is how Skynet starts becoming self-aware and begins manufacturing terminators..
A recent slashdot article linked to a lengthy pdf description of Stuxnet by Symantec. This worm is incredibly complex. It loads itself into memory in a very clever way so that anti viruses can't find any strange behaviour, then checks if there's any newer version installed on the computer, or if it can reach a newer version of itself through P2P in networked computers. After self-updating, it looks for a specific software in the computer, which is used to program the industrial machines and everything that works in an industrial plant (called PLCs). Then it infects that software in order to add malicious code to the controllers. The ultimate objective is to make them overload the industrial facility they want to attack.
Stuxnet is written in 3 programming languages, including an arcane assembly language; it's the first PLC rootkit and one of the most robust windows rootkits, and according to Symantec, developers needed to replicate the plant's computer's layout in order to test their worm (and previously had to develop another virus, just to map their network). It's been under active development for at least 2 years, by a team of 10+ professionals with big funding. I don't think it is just another windows virus.
-
Re:Spreading havoc?
The first version of Stuxnet (Stuxnet-A) uses a special "autorun.inf" that has an executable at the beginning of the file (which the autorun.inf parser skips). After the executable, the "proper" information for the autorun.inf adds another "Open" option to the right-click menu. Selecting this will execute the content of autorun.inf (the malware). Read about it here.
The second version (Stuxnet-B or Stuxnet!lnk) uses the zero-day .lnk file vulnerability, which will automatically execute the content when you browse the content of the USB stick.
See the links for more detail - it's quite fascinating (also from a technical perspective).
-
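A defender-side check for the autorun.inf construction described in the comment above, written for this page as an added example (not Symantec's or the poster's code): it parses autorun.inf leniently, as the comment says the Windows parser does, and flags an executable header or binary data sitting ahead of the [autorun] section, plus shell verbs whose command points back at autorun.inf itself. Both sample files are constructed stand-ins, not real Stuxnet bytes.

```python
"""Heuristic scanner for autorun.inf files that carry an executable ahead of
the INI text. Added example for this page; not Symantec's tooling."""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([^=;]+?)\s*=\s*(.*?)\s*$")
# Bytes a legitimate, plain-text autorun.inf is allowed to contain.
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed sample: fake PE/DOS stub, NUL padding, then the INI data that
# adds a second "Open" verb running autorun.inf itself. Not real malware bytes.
SAMPLE_AUTORUN = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 32
    + b"\r\n[autorun]\r\n"
    + b"shell\\open=Open\r\n"
    + b"shell\\open\\command=autorun.inf\r\n"
)

# Constructed benign file of the kind a vendor CD would ship.
BENIGN_AUTORUN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Disc\r\n"


def parse_autorun(data: bytes) -> Tuple[bytes, Dict[str, Dict[str, str]]]:
    """Lenient INI parse: everything before the first [section] line is
    returned as the prefix (a strict parser would reject it); lines inside a
    section that are not key=value pairs are ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    prefix_len = len(data)  # no section at all -> whole file is prefix
    pos = 0
    for raw in data.splitlines(keepends=True):  # bytes: splits on \r, \n, \r\n only
        line = raw.decode("latin-1").rstrip("\r\n")
        m = SECTION_RE.match(line)
        if m:
            if current is None:
                prefix_len = pos
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif current is not None:
            k = KEY_RE.match(line)
            if k:
                sections[current][k.group(1).lower()] = k.group(2)
        pos += len(raw)
    return data[:prefix_len], sections


def scan_autorun(data: bytes) -> List[str]:
    """Return finding tags for one autorun.inf; an empty list is clean."""
    prefix, sections = parse_autorun(data)
    findings: List[str] = []
    if data[:2] == b"MZ":
        findings.append("mz-header-at-start")
    # More than a trickle of non-text bytes ahead of [autorun] means something
    # other than INI text was prepended to the file.
    binary = sum(1 for b in prefix if b not in _TEXT_BYTES)
    if prefix and binary / len(prefix) > 0.05:
        findings.append("binary-data-before-first-section")
    for key, value in sections.get("autorun", {}).items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            if "autorun.inf" in value.lower():
                findings.append("shell-command-runs-autorun-inf")
        elif key == "shell" or key.startswith("shell\\"):
            findings.append("custom-shell-verb:" + key)  # e.g. an extra "Open"
    return findings


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, scan_autorun(blob) or "clean")
```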
Re:strange conclusion.
Apparently it has some kind of self-kill logic which tries to ensure it doesn't spread after three "hops", which suggests whoever wrote it didn't want it to become a totally uncontrolled worldwide infection.
Do you have a cite for this? Also is it still this way (given the P2P component discussed in a paper on that subject by Symantec)?
So out of "countries that hate Iran" which of those is most likely to perform an operation that is very likely to be detected and very likely to piss off a large number of random other nations or organizations? If I had to pick an intelligence agency in the world that most resembled a criminal syndicate, the Mossad would be pretty high up the list. Speculation is fun isn't it.
Yet Indonesia has a very large number of infections too. Why are you so focused on Iran? It's not like the virus isn't prevalent in other countries as well. It's also hit India a lot harder than Pakistan.
The fact is we could build conspiracy theories out of this any number of ways. However, the fact is that the virus is programmed to REPLACE ITSELF with a new executable if it finds a newer version. Given the fact that Pakistan has not been hit much but India and Iran both have, we might suggest Pakistan the sponsor. However, I'm still assuming Russian cyber-criminals are behind this.
-
Re:Turn in your geek card
It's probably about time to mention the fact that the expansion Machine Access Code is in wide use, even if it is not the expansion you like.
Examples;
- UCSF ITFS: Wireless Networking and Security Standards: Legacy host based authorization systems utilizing the machine address code (MAC) may continue to be used until June 30th 2010
- Bluetooth essentials for programmers: 1.2.1: "Identical to the Machine Access Code (MAC) address for Ethernet"
- Source: Computer Crime Research Center, for another user's Ethernet address (known as a MAC or Machine Address Code)
- Book of the Dead, Patricia Daniels Cornwell; "Sandman's IP doesn't correspond to any MAC at the port. That's the Machine Address Code. Whatever computer the Sandman is using to send his e-mails, it doesn't seem to be one at the port,"
- Symantec.com, "When a host wants to join an IP Multicast group, it sends an Internet Group Multicast Protocol (IGMP) join message specifying its Machine Address Code (MAC) address and "
- Valparaiso University, Finding Windows System information, " 5. The Ethernet Address will be listed as the Physical Address. Machine Address Code (MAC)"
- PostgreSQL: A comprehensive guide, Korry Douglas, Susan Douglas; pg 106; "The acronym MAC stands for one of the following: Machine Address Code, Media Access Control, or Macaroni and Cheese"
- [1]
- Temple University, "Please note that you must first register the machine address code (MAC) of your laptop with Computer and Media Services before you can take advantage of this service. "
- Pharmacology Information Technology, "To register your computer, you'll need to know your computer's Machine Address Code (MAC) address, basically the serial number of your ethernet port."
- Chaminade University, "Examples of information which we receive, and may store, include (although are not necessarily limited to) the Internet protocol (IP) address used to communicate with us; the Machine Address Code (MAC) number of your computer"
- eHow: How to Find the Machine Address Code on a PowerMac
-
Re:If they really want to boost Flash adoption ...
Okay, I used your link and pulled up a 12 page document. I can't get to the mythical page 36
Well, I don't know what to tell you. I have 2 PCs and a Mac, and all three of them bring up a 97-page PDF. Here's that link one more time, with feeling: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
As for browser vulnerability counts, that's a red herring. We're talking about Flash. Why are you attempting to misdirect me to a discussion about browsers?
Why? Because it's all relative. It sounds to me like you're arguing Flash has poor security and other alternatives (e.g. HTML 5) are better... in which case you have to actually compare Flash to those alternatives in order to justify the statement that they're better.
Bloated in comparison to properly written code
The Flash-based apps currently in the app store don't seem much different in size from native ones. Fickleblox and Chroma Circuit are both ~8 MB. Compare that to native iPhone apps like Solitaire (8 MB), Mini Touch Golf (17 MB), Froggy Jump (9 MB), Bejeweled 2 (10 MB)... they blend right in. And if you're making claims about battery or CPU usage, please actually cite some sources?
Regarding Steve Jobs's famous anti-Flash rant, I think we'll just have to agree to disagree on its merits. I'm not really interested in having a long drawn-out debate over it in this thread, which has been mostly focused on security. Although I can't help but respond to this egregious one:
Again, you make a grand statement and couple it with a misdirection. I don't see where in Thoughts on Flash he says it ships with a fast HTML implementation.
Fifth paragraph: "Apple has adopted HTML5, CSS and JavaScript – all open standards. Apple’s mobile devices all ship with high performance, low power implementations of these open standards." (emphasis added)
I will also concede, however, that he doesn't outright state quite everything I discussed. He says things of the form 'Flash is bad; HTML+JS is good. Flash is bad because it has rollovers; [unspoken implication: HTML+JS is good because it doesn't].' But this is actually a little weasely: the argument is missing its justification unless you assume he also meant the implied part, but I'm apparently not allowed to argue against the implied part because he didn't explicitly state it.
-
Re:If they really want to boost Flash adoption ...
Actually your meme is more of a meme than a fact. According to the April 2010 Symantec Internet Security Report ( http://www4.symantec.com/Vrt/wl?tu_id=Lfsd1271711507050126203 ) the number 2 attacked vulnerability in 2009 was in Adobe products.
... You sure did misrepresent that report, didn't you?
I don't think accurately quoting statistics straight out of a core part of the report is "misrepresenting" it. You're now citing statistics that measure something different, and it's reasonable to disagree about which figures imply what, however.
Which I do: you could argue that number of vulnerabilities is a function of the quality of the product, while the popularity of exploiting any given vulnerability is more a function of the ubiquity of the product. So while Safari had about 6x more vulnerabilities than Flash in 2009, it also had only 5% market share vs. 99% for Flash. Which is the more attractive target?
Another quote from the report was "Browser security features and add-ons should be employed wherever possible to disable JavaScript(TM), Adobe Flash Player . . . ".
So if you disable both JavaScript and Flash, as they recommend... what are you proposing as an alternative? Do you think the HTML video tag can replace everything DHTML/JS and Flash do today?
And regarding buggy, I'll take Microsoft and Apple's word on Adobe Flash's effect on their browser/OS.
I don't know what MS has said about this (link?), but Apple has said a lot of disingenuous and/or outright false things about Flash lately, so I'm not inclined to trust their word, especially when no one else has access to the data to back it up.
It's been 3 years since the iPhone intro and Adobe still does not have a Flash runtime to show that runs fast, doesn't drain battery, etc.
Actually, yes they do. It is fast enough to outperform HTML 5, especially on mobile, and the unoptimized beta only drains the battery 5-15% faster than equivalent HTML content (while delivering up to 4x the framerate).
-
Re:This is what floundering looks like
They've had so many security holes over the past few years I hated installing Flash or Reader on anything.
According to Symantec, Flash and Acrobat are actually more secure than your browser: the two combined had fewer vulnerabilities than Safari, Chrome, Firefox, or IE. Also fewer than QuickTime or Java.
There were times it took Adobe months to release critical security fixes and the only reason they didn't do it sooner was because they were too fat and lazy.
Care to cite a source? I don't remember reading any reports recently about Flash zero-day exploits. Which is less than you can say for most browsers.
(And as an aside: the Symantec report above also says that Apple took on average 13x longer than other browser vendors to patch their security holes...)
Point is, any computer exposed to the Internet is at risk, and no vendor can claim the high ground here.
-
Re:If they really want to boost Flash adoption ...
Actually your meme is more of a meme than a fact. According to the April 2010 Symantec Internet Security Report ( http://www4.symantec.com/Vrt/wl?tu_id=Lfsd1271711507050126203 ) the number 2 attacked vulnerability in 2009 was in Adobe products. Another quote from the report was "Browser security features and add-ons should be employed wherever possible to disable JavaScript(TM), Adobe Flash Player . . . ". Also, the number of vulnerabilities is a shell game. You can have one vulnerability, but if everyone uses it then it is a fatal flaw. Trying to do some cheese-ball comparison to throw people off the scent is a neat trick, but it didn't work. You sure did misrepresent that report, didn't you?
And regarding buggy, I'll take Microsoft and Apple's word on Adobe Flash's effect on their browser/OS. Adobe is NOT listening or they would have been working their ass off for years to fix it. It's been 3 years since the iPhone intro and Adobe still does not have a Flash runtime to show that runs fast, doesn't drain battery, etc. If Adobe is listening then that is all they are doing because they are not FIXING it.
-
Re:If they really want to boost Flash adoption ...
Adobe's problems can not be solved by hardware. They have buggy, crash-prone, security hole riddled bloatware.
The security hole statement is more of a meme than fact. Symantec reported that, in 2009, Flash had fewer vulnerabilities than any major web browser, including Chrome, Safari, and even Opera... In fact, if Apple wants to play the holier-than-thou game regarding security, they might want to get to work: Safari had 94 reported vulnerabilities, nearly 6x Flash's 16, and the second-worst of all browsers. Safari also had by far the longest lead time before patching: an average of 13 days, vs. ~1 for basically every other browser. And that's not even getting into all the holes in QuickTime and their PDF reader...
And regarding "buggy"... if there are bugs you know of in Flash, Adobe is listening -- so please, file issues when you spot them. But really, if you think Flash is beyond help in this area then I can't even imagine where that leaves most browsers :-)
-
Re:Motivation
If you force users to click a button, the same button, in the same place, over and over and over again when there is no real need to do so, all you do is condition them to click a button and ignore the useless UI.
Every day I launch Visual Basic 6.0 from my start menu, and every time it gives me the same UAC warning that it will be run with Admin privileges. If I had to stop and determine the correct button every time it would be a total pita. If UAC presents me with a different dialog or presents it under a different set of circumstances it still gets my full attention, but if I open VB6.EXE...I've already read the dialog once and know what is happening. I've also discovered that using Norton UAC's option to disable the dialog after you've seen it once is also not the best solution because you have no cue if some apps are started admin or not.
Users don't want to authorize a program to either have complete control of their computer or not run. Those are shitastic options
When UAC presents you with a box suggesting that a program needs admin privileges, most of the time it's because the program is trying to do something that explicitly needs those privileges. There's no other option at that point: if you run it under limited privileges the program will fail (or not be very useful).
Just my 2cents...
-
Re:Though the Times They May Look Grim ...
False assumption. The endpoint PC is compromised in way more cases than the middleman router.
Encryption alone buys us nothing. Or wait -- it buys us key management hell.
Perhaps you should read what I was replying to before you start flaming me.
Yes, and that's what we should advocate. Everyone build a secure encrypted network. Ready.....GO!
I was merely replying to the general sentiment here that 'oh noez! the networks are compromised!!!111'
Anyone with half a brain knows that any effective security posture is done with defense in depth on the perimeter along with good endpoint security and user awareness.
( further reading for the interested http://www.symantec.com/connect/blogs/its-all-about-endpoints )
-
Re:Ubuntu
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf
Targeted attacks focus on enterprises
Targeted attacks using advanced persistent threats (APT) that occurred in 2009 made headlines in early 2010. Most notable of these was the Hydraq Trojan (a.k.a., Aurora). In January 2010, reports emerged that dozens of large companies had been compromised by attackers using this Trojan. While these attacks were not novel in approach, they highlighted the methods by which large enterprises could be compromised.
http://manageddatacenter.searchdatacenter.com/taxonomy/taxkey;root_1387_1332_204/DC-category.htm
Current FBI estimates indicate that malicious software and attacks targeting identity theft cost American businesses and consumers more than $50 billion a year. (note BUSINESSES)
The point being, enterprise is vulnerable. It isn't just the home user who is targeted, nor is it just the home user that is compromised. Malware costs corporate America billions every year. How many billions is debatable - one alarmist estimate places it at hundreds of billions, and others pooh-pooh that with overly conservative estimates.
Fact is, enterprises are compromised almost every day.
-
Re:For a program so hard to turn off
And that antivirus program would be susceptible to many types of viruses that modify system files. This particular virus that it detects (W32.Wecorl.a) does change svchost.exe:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99
What McAfee should have is a better way of quarantining critical system files (replace with known good copies, have a robust patch/repair process for system files, have a more stringent fingerprint detection, etc). Maybe a whitelist of known good md5sums for system files (of course, this would have to be updated with every version of those files ever released in any patch by Microsoft).
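The known-good hash allowlist floated in the comment above, as an added example that is not code from the commenter, McAfee or Symantec: each file maps to a set of accepted digests, so a vendor patch that ships a new legitimate build does not read as an infection, and an unrecognised digest is reported rather than auto-quarantined. File names and contents are constructed stand-ins; SHA-256 is used instead of MD5 because MD5 collisions are cheap to produce.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set

# basename -> every digest a legitimate build of that file has had
Manifest = Dict[str, Set[str]]


def sha256_of(path: str) -> str:
    """Hash in chunks so multi-megabyte system binaries stay off the heap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str, manifest: Manifest) -> str:
    """Verdict for one file against the allowlist:
      known-good  digest is accepted for this file name
      unlisted    file name is not covered by the manifest
      unknown     listed file, unrecognised digest: tampering OR a patch
                  level the manifest has not been updated for; this is
                  the case that must be escalated, not blindly quarantined
      missing     listed file is absent from disk
    """
    name = os.path.basename(path)
    if name not in manifest:
        return "unlisted"
    if not os.path.isfile(path):
        return "missing"
    return "known-good" if sha256_of(path) in manifest[name] else "unknown"


def build_demo() -> Dict[str, str]:
    """Constructed demo: fake system directory plus manifest, returns
    {filename: verdict} for every file the manifest or the disk knows."""
    root = tempfile.mkdtemp(prefix="fileint-demo-")
    # constructed contents; two accepted builds of svchost.exe model a
    # pre-patch and a post-patch version of the same binary
    versions = {
        "svchost.exe": [b"svchost build A", b"svchost build B"],
        "lsass.exe": [b"lsass build A"],
        "winlogon.exe": [b"winlogon build A"],
    }
    manifest: Manifest = {
        name: {hashlib.sha256(b).hexdigest() for b in blobs}
        for name, blobs in versions.items()
    }
    on_disk = {
        "svchost.exe": b"svchost build B",             # newer accepted build
        "lsass.exe": b"lsass build A + altered bytes",  # content changed
        "notepad.exe": b"notepad build A",             # not in manifest
        # winlogon.exe deliberately not written: reported as missing
    }
    for name, blob in on_disk.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    names = set(manifest) | set(on_disk)
    return {n: classify(os.path.join(root, n), manifest) for n in sorted(names)}
```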
-
Re:bankers take on the grounded flights
here's the hash anyway: 76D08CAB8B28C5F447D47519454F0D94
I didn't know symantec was located in the Netherlands.
-
Re:Could you explain that better?
Trying to make a disk image when TrueCrypt is active I get a VSS error, something like:
Volume Shadow Copy Service error: Unexpected error
... 0x80070057 invalid parameter
Dismounting the TrueCrypt device and everything went ok.
Searching now I see it is documented:
http://www.truecrypt.org/docs/?s=issues-and-limitations
"The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of system encryption (for example, a system partition encrypted by TrueCrypt or a non-system partition located on a system drive encrypted by TrueCrypt). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is available from Microsoft only under a non-disclosure agreement (which is impossible to comply with because TrueCrypt is open source)."
Maybe it is solved now.
-
Public Website?
For this to be effective, either the website needs to be highly publicized, or the user needs to be stupid or in a panic. I can't imagine the web site can be publicly known for long; virus maintainers have a hard enough time keeping their private servers up and connectable. I wonder how the virus convinces the user that their private history will be available for perusal by their friends/coworkers/family?
Symantec has some information on the virus: HTTP Infostealer Kenzero Activity: Attack Signature - Symantec Corp.
-
Surprised no one mentioned this.
There are several good online virus scanners. They will ask you to download a small plugin, but I've used them with great success, without having to install applications.
http://housecall.trendmicro.com/
http://security.symantec.com/sscv6/home.asp
Also, two arguments against what is often suggested:
1) Virus scanners aren't for everyone. Some are extremely intrusive, often with their own "innovative" interfaces that make them bulky and impossible to manage for novices. Some will hijack your email applications, not tell you exactly when they block or delete something, and can also hinder web surfing speeds. If you don't know how things work already, having a scanner will make things even more confusing. Add subscription fees, and I say the whole thing isn't worth it.
2) No, I don't think "knowing your software" is a good way to tell if something is legit. Seriously, Windows alone will update itself and install weird things, as do most large software suites these days. They give ambiguous names to critical components, and to think we would know them unless they were dangerous is a bit much.
If you know what you're doing, I'd say you can avoid most issues by just being careful and knowing the signs (of danger and of contamination).
If you don't (or are helping someone who doesn't), then I say dumb down the apps so things are simpler and safer. Like migrate to gmail, make FireFox or Chrome the default browser, and just set up all the bundled security features to their appropriate settings (windows firewall etc).
-
Re:Interesting...
Well you might as well provide more information on what the command identifiers are... Symantec does:
http://www.symantec.com/connect/blogs/trojan-found-usb-battery-charger-software
-
W32.Pilleuz
Discovered: September 29, 2009
Updated: September 30, 2009 8:32:32 AM
Also Known As: W32/Autorun.worm!a758e0e7 [McAfee], W32/Rimecud [McAfee], W32/Autorun-AUP [Sophos], ButterflyBot.A [Panda Software]
Type: Worm
Infection Length: 109,056 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.Pilleuz is a worm that spreads through file-sharing programs, Microsoft instant messaging clients and removable drives. It also opens a back door on the compromised computer.
Currently, W32.Pilleuz has been most commonly referred to as the Mariposa or Butterfly botnet.
Source: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99
-
Re:Yes, but
check out the "ease-of-use of the Zeus crimeware toolkit":
http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
In the YouTube video at 1:48 you can see the ZeusBuilder gui
-
Re:Eh wouldn't surprise me...
All GUI archive managers require a separate "Extract" command (that preserves execute permission), that is different from the default action that is to view a file (without giving it an execute permission even if it is present in the archive).
I have to admit I only tried "tar xvf" to verify that permissions were preserved. Nevertheless, you really think you couldn't get people to actually extract an archive?
For anyone but total newbies it should be obvious that the user should NEVER run anything he downloads unless he is installing some software that is not in a repository -- as root, as his own user or as anyone else.
Yeah, that users won't run crap is well justified.
And because I ran out of words in that sentence before links, here are some more: 1 2 .
To put those into context, those are all links from Wikipedia's "Timeline of Notable Computer Viruses and Worms" from the last decade, including the only two entries on that page from 2009 and 2010. Most of the above had a noticeable amount of mainstream press coverage at the time, and the list includes names like ILOVEYOU, Sobig, MyDoom, and Storm.
Sure, they aren't the scariest worms out there, and over the last few years they haven't been the most damaging. But at the same time, if I got to bet whether a manually-spread trojan is worthwhile, I know which side of that bet I'd take.
Personally I would just turn them into traditional #! scripts with "interpreter" doing what a file manager would, and file manager refusing to execute anything in them unless they are executable.
The .desktop files contain rather more information than just what program to run. How would you deal with that? Specially-formatted comments in the script? Pass the script a command line argument?
Besides, it's not like running scripts without execute permissions is a new concept. "source foo.sh", ". foo.sh", "perl foo.pl", "python foo.py", etc. IMO are all comparable to Gnome looking into the .desktop files on boot to see what to run.
-
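The policy argued for in the exchange above (a file manager reads the launcher but refuses to act on its Exec= line unless the .desktop file itself carries an execute bit, the same gate that already protects ordinary scripts), as an added example that is not code from the thread or from GNOME. The launcher contents, file names and the field-code list are constructed for the demo; nothing is actually executed, the decision and the parsed argv are returned.

```python
import configparser
import os
import re
import shlex
import stat
import tempfile
from typing import Dict, List, Tuple

# Exec= field codes (%f, %U, %k ...) are placeholders the launcher fills in;
# they are stripped here so the argv reflects only the fixed command.
FIELD_CODE = re.compile(r"%[fFuUdDnNickvm%]")


def parse_launcher(path: str) -> List[str]:
    """Return the argv named by Exec= in the [Desktop Entry] group.
    Raises ValueError when the file is not an application launcher."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is literal
    cp.optionxform = str  # .desktop keys are case-sensitive
    cp.read(path, encoding="utf-8")
    if "Desktop Entry" not in cp:
        raise ValueError("no [Desktop Entry] group")
    entry = cp["Desktop Entry"]
    if entry.get("Type") != "Application" or "Exec" not in entry:
        raise ValueError("not an Application launcher with Exec=")
    return shlex.split(FIELD_CODE.sub("", entry["Exec"]))


def decide(path: str) -> Tuple[str, List[str]]:
    """Policy decision for a double-click on `path`.
    Returns (verdict, argv); argv is empty unless verdict is "launch"."""
    try:
        argv = parse_launcher(path)
    except (ValueError, configparser.Error) as exc:
        return ("open-as-text: " + str(exc), [])
    mode = os.stat(path).st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        # same rule as for a shell script: no +x, no execution
        return ("refuse: launcher lacks execute bit", [])
    return ("launch", argv)


# constructed launcher; the Exec line is harmless and never run here
LAUNCHER = """[Desktop Entry]
Type=Application
Name=Holiday slides
Exec=sh -c "echo opened %f"
Icon=image-x-generic
"""


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Same launcher text written twice, once installed with +x and once
    as a freshly downloaded file without it; returns both decisions."""
    root = tempfile.mkdtemp(prefix="desktop-demo-")
    results = {}
    for name, mode in (("installed.desktop", 0o755), ("downloaded.desktop", 0o644)):
        p = os.path.join(root, name)
        with open(p, "w", encoding="utf-8") as f:
            f.write(LAUNCHER)
        os.chmod(p, mode)
        results[name] = decide(p)
    return results
```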