Slashback: Slammer, Frames, Pop-Ups

Slashback tonight with more on SBC's claim to own patents covering basic Web navigation techniques, an eyebrow-raising look at Slammer's spread, bad news for Ogg streams from the BBC, and more. Read on for the details. Update: 02/04 00:13 GMT by T : And late-breaking good news from SDF regarding its Public Access UNIX System.

FedEx should take notes. nweaver writes "We have completed our preliminary analysis of the Sapphire/Slammer SQL worm. This worm required roughly 10 minutes to spread worldwide, scanning at a peak rate of over 55 million IP addresses per second, making it by far the fastest worm to date and nearly two orders of magnitude faster than Code Red. It infected at least 75,000 victims and possibly considerably more. The remarkable speed was due to the use of a bandwidth-limited scanner. There were also two bugs in the random number generator. Copies of our analysis are available from CAIDA, Silicon Defense, and UC Berkeley."

"Sir, this patent application needs to be filled out in ink. Not Crayon." We recently posted that the company SBC was calling in the chips on patents it holds which the company claims cover certain types of navigation links found on many web pages. Dan Gillmor writes "Noticed the link to Cringely's piece. Well, I did ask readers for prior art and got quite a bit, some of which I've posted..."

Speaking of SBC, theodp writes "The SBC Intellectual Property folks are back in the news, this time for donating a $7.3 million virus screening patent to the University of Texas. While patent donations are one of the latest twists on corporate philanthropy, the practice has aroused the curiosity of the IRS as a possible tax avoidance scheme."

I wonder how much they'd feel justified in writing off if they donated their web patent portfolio to the FSF.

Can we call this an on-again, off-again relationship? Albanach writes "It seems the BBC, who had pioneered Ogg Vorbis broadcasting on a serious scale, have abandoned Ogg indefinitely. They say other work commitments make Ogg support no longer a priority. Their statement can be read here."

What, and let all my pigeons escape? FedeTXF writes "We already love pop-up blocking in Mozilla and some other related browsers; now Blogzilla is reporting a great trick to get rid of embedded ads (banners and iframes) using plain CSS and the always amazing Mozilla flexibility and openness. Go check this page if you are anxious to see how to set it up."

Did you have your video camera trained on Columbia? Finally, Child of Apollo writes "'For anyone who has recorded video or taken photos that they believe may be of aid in the investigation of the Space Shuttle Columbia accident, NASA has established a special location on the Web where Internet users may upload their media files to be reviewed by NASA.' Although sad news all around, thanks to pleasant for the link."

Here's the late-breaker. fonixmunkee writes "looks like SDF will return soon. a message stating that they negotiated a new contract graced the single page in the "members area" of the temporary www.lonestar.org, but did not cite who specifically with. a few different ideas were tossed around for hosting, so only time will tell with who. i also just today got an e-mail from the Washington State Attorney General's Office that offered a small ray (read: none) of hope for assistance with SDF's run-in with NWLink. (NWLink breached SDF's contract.) hope all is well soon." This is good news, especially so soon after SDF got the rug yanked from under them.

16 of 254 comments

  1. Valid CSS? by interiot · · Score: 2, Interesting

    Is that Mozilla trick valid CSS syntax? I've never seen anything like it before.

  2. That Slammer analysis paper is quite interesting. by Thagg · · Score: 4, Interesting

    Read the paper, it's good, short, well written, and has some important insights. The most amazing statistic from the paper is that the doubling time for the virus was about 8 seconds. Within ten minutes it had covered the entire 'net.

    I'm still waiting for the paper describing why systems like Bank of America's ATMs were shut down. Whatever the case, we are sure to see more worms like this in the future, with the possibility of serious damage.

    thad

    --
    I love Mondays. On a Monday, anything is possible.
  3. Re:Ah, yes by The Bungi · · Score: 2, Interesting
    Try it out

    I do. I think it's a great browser, and it's better at rendering CSS than IE is in some cases (scrolling overflow anyone?)

    But it's waaaaaay too slow to load. IE6 loads in about 1/4th of a second, where Mozilla 1.2 takes about 6-7 seconds. That's really my only beef with it - other than that I like it a lot.

  4. Re:It may be. by CrocOS · · Score: 2, Interesting

    The reason that this works in Mozilla is the filename and location: that's the proprietary part. There is no reason that you cannot include similar code to this on your page for, e.g., hiding that pesky Geocities banner. True, not all browsers support this, but it should work for all Moz-based browsers and (I think) IE 5.5+ - though I haven't tried it with IE =) -Trav

    --

    I should really get around to creating a sig.... Nah - too lazy =)
  5. Re:What is /. using? by The Notorious ASP · · Score: 5, Interesting

    Actually, I'd be really interested in seeing some stats on browsers that hit Slashdot. Granted, a large percentage of regular posters are running Mozilla, Opera, Netscape, whatever, but I bet there is a very high percentage of MSIE users hitting Slashdot.

    Anybody got any numbers?

  6. Re:Ah, yes by Anonvmous Coward · · Score: 2, Interesting

    "Seems like it would be a lot easier just to use a popup stopper instead. This is what I did with IE until I installed mozilla."

    One neat thing you can do with IE is call it as an ActiveX control in Visual Basic. I'm by no means a programmer, but I was able to download the HTML into a text buffer, edit the buffer, and then display it in the IE/ActiveX Window. The idea was (eventually) to write a parser that had a few rules about omitting certain lines of HTML. Something along the lines of "remove any line that refers to opening windows on page load or on exit."

    So why didn't I complete it? I didn't know how! Heh. Seriously, I'm not much of a programmer, and I didn't have the drive to write the parser necessary to do that. The main problem is that I would have had to have re-written a lot of IE's interface. I probably had a month or so (at my amateurish pace) to go before I could get that in workable shape. And then what?

    I do hope somebody comes along and implements a feature similar to what I described in a browser. (Preferably Opera.) I'd rather filter out HTML than wait for new features to pop up every time somebody discovers a new way to be annoying.

  7. More on the Shuttle by Zeinfeld · · Score: 2, Interesting
    Turns out that NASA fired people on the safety committee who made noise about safety.

    It will be interesting to see how 'independent' the investigation ends up being. If it's like the 9/11 investigation, we will know there is something they need to hide.

    My top pick to head the committee would be Ted Postol of MIT. I doubt he is the administration's pick. Although the Democrats in Congress might possibly get a clue and select him as one of their picks.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  8. Opera by freeweed · · Score: 3, Interesting

    Opera, Opera, Opera, and the chant goes on.

    If you hate popups, AND enjoy a fast browsing experience (esp load times!), it can't be said enough times: give Opera a whirl.

    I know the concept of paying for decent software seems foreign to some here, and your favourite new Flash site of the week may not display 100%, but for everything you say you don't like about IE and Moz, Opera has them beat pants down.

    It's gotten so bad at work that I'm regularly screaming at my machines every time I'm forced to surf the web (stupid default IE installs).

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  9. Re:That Slammer analysis paper is quite interestin by freeweed · · Score: 2, Interesting

    Sapphire/Slammer got around that by being small enough to fit into a single packet(!) so that it didn't have to wait for a return message, but that small size sharply limited its possible payload.

    Slammer was under 400 bytes as it was. Now, won't most IP networks pass 1500 or so byte packets without fragmenting? That's a lot of extra room to toss in a nasty payload. Maybe all we need to do is convince MS to force their buffer overflows to require at least 1500 bytes :)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  10. Re:It may be. by Iffy Bonzoolie · · Score: 2, Interesting

    My question is, why not use XPath instead of coming up with a chintzy alternate-but-similar notation for selecting nodes in HTML? XPath is a W3 property... why not be consistent? They are trying to retrofit HTML to XML anyway, and IE lets you select nodes in scripts using XPath. (I thought it was part of the DOM standard, but I can't find it - I guess it's an MS extension.)

    I guess it would cause some of the CSS syntax to be incompatible with new versions. But that should be solvable by having a well defined way of specifying which version of CSS a CSS file or section is, like you can with javascript. You can specify language="JavaScript1.0" or "Javascript1.2" or whatever to load a JS engine that conforms to that version's specifications (which, unfortunately, conflict in some cases).

    I often think that these web standards have all evolved in the wrong order. HTML came before XML and DOM. CSS came before XSL. Bleah.

    -If

    --
    Run a pencil-and-paper RPG campaign with your far-off friends: Gametable!
  11. Scarily Warhol-speed propagation by billstewart · · Score: 4, Interesting
    At its peak, it was scanning about 100 times as many machines as it eventually infected (though the exact number of victims is very hard to determine.) Now, this is partly because the average victim could spray over 100 targets per second, since the infection method required just one amazingly fast packet, so you'd expect this kind of thing to happen ;-) But it felt a lot like A Fire Upon The Deep, where the computer virus found in the old library is becoming self-aware and jumping onto the escaping rocket ship - it was clearly Warhol speed. We don't know how many machines were really infected, because the random number generator was slightly buggy, so any given virus-detection point would only see hits from the numerically-nearby infected machines.

    It would probably have taken very little extra work to add an arbitrarily large payload to it, built as a second module. Leave the original scanner blasting away with the small packets, since most of them won't succeed in infecting a machine, but have a newly-infected machine contact the machine that infected it to fetch the second payload (and then forget where that one came from, to make later back-tracing harder).

    I doubt you'll see a detailed white paper about Bank of America's system; most big companies would consider that kind of thing proprietary, though almost any large financial company would have put together a large team to spend several days of argument, wrangling, and recrimination to find out what happened and make sure it doesn't happen again, but you'll only see a technical explanation if they decide that's the best public-relations move. Most of the guesses I've seen on the net (or at least the ones that sounded plausible to me :-) are that they were probably just using internet-based VPNs to support those ATMs, and got flooded out by the worm's volume, but didn't actually get infected. Hard to say whether the parts that got flooded were the little ends near each ATM, the big end near the bank, or somewhere in the middle like some ATM network service provider. Remember that 10-15000 IP addresses makes a much bigger target than a single IP address, so if there's anywhere that their connections are all visible, the traffic flood could be pretty heavy.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  12. To block the IGN flash ads... by blake213 · · Score: 2, Interesting
    I added my own little customization to block IGN's ultra-annoying flash ads:

    /* Flash ads */
    EMBED[SRC*="ads."] { display: none ! important }
    EMBED[SRC*="ad."] { display: none ! important }

    Works pretty well.

    --
    mund freud.
  13. Paranoid followup to my own article by billstewart · · Score: 2, Interesting
    It's even worse than it appears :-) If the percentage of systems vulnerable to Slammer / Sapphire had been much higher, they could still have been infected in the same amount of time or faster, because the infection only depends on the vulnerable machine being hit by the packet, so those 55 million attacks/second at peak could infect 55 million machines just as easily as one machine. (And of course, more infected machines means more attacks getting out, subject to ISP bandwidth bottlenecks, so the peak speed would probably have been even higher.)

    The main Warhol Worm / Flash Worm papers were concerned about worms that had some level of efficiency and coordination of their targets - first scan for targets over a long period of time, then take 10,000 zombies and give each one a partial list of targets to attack, and hauling around the list of targets turns out to slow the process significantly, in return for increased efficiency. This one just used random search and let it rip, so it didn't need the overhead of using a list, though it's possible that the perpetrator had some set of targets pre-planned, as opposed to just taking an 0wnzr'd Korean proxy server and spraypainting Korea with it to start off the process.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
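    Comments 11 and 13 above describe why a random-scanning, single-packet worm grows exponentially until ISP bandwidth bottlenecks cap it, and why a larger vulnerable population would have been infected just as fast. The Python model below is an added example, not code from the CAIDA/Silicon Defense/UC Berkeley analysis or from any commenter; the 4,000 probes per second per host, the single seed host and the use of the summary's 55 million/s peak figure as a network-wide cap are assumptions chosen to illustrate the dynamics, not measured values.

```python
"""Random-constant-spread (RCS) model of a single-packet scanning worm (added example).

Every infected host fires one-packet probes at uniformly random IPv4 addresses,
so the expected number of new infections per second is
    dI/dt = r * I * (N - I) / A
with I infected hosts, N vulnerable hosts, A = 2**32 addresses and r probes/s
per host.  The per-host rate, seed count and aggregate cap are constructed
assumptions, not figures from the published analysis.
"""
import math

ADDR_SPACE = 2 ** 32


def contact_rate(per_host_rate, n_vuln, addr_space=ADDR_SPACE):
    """Growth constant K = r * N / A: infections one infected host causes per second early on."""
    return per_host_rate * n_vuln / addr_space


def doubling_time(per_host_rate, n_vuln, addr_space=ADDR_SPACE):
    """Early-phase doubling time ln(2) / K; it shrinks as the vulnerable population grows."""
    return math.log(2) / contact_rate(per_host_rate, n_vuln, addr_space)


def simulate(n_vuln, per_host_rate, seed_hosts=1, aggregate_cap=None,
             dt=0.1, addr_space=ADDR_SPACE, max_t=3600.0):
    """Forward-Euler fluid simulation; returns a list of (seconds, infected hosts).

    aggregate_cap, if given, bounds the network-wide probes/s (the ISP bandwidth
    bottleneck): once infected * per_host_rate exceeds it, growth is no longer
    exponential but proportional to the hosts still uninfected.
    """
    t, infected = 0.0, float(seed_hosts)
    history = [(t, infected)]
    while infected < 0.999 * n_vuln and t < max_t:
        probes = infected * per_host_rate
        if aggregate_cap is not None:
            probes = min(probes, aggregate_cap)
        # a probe lands on a still-uninfected vulnerable host with probability (N - I) / A
        infected = min(float(n_vuln), infected + probes * (n_vuln - infected) / addr_space * dt)
        t += dt
        history.append((t, infected))
    return history


def time_to_fraction(history, n_vuln, frac):
    """First simulated second at which at least frac of the vulnerable hosts are infected."""
    return next((t for t, i in history if i >= frac * n_vuln), None)


if __name__ == "__main__":
    N, R = 75_000, 4_000  # ~75,000 victims per the summary; 4,000 probes/s/host is assumed
    print(f"doubling time at start: {doubling_time(R, N):.1f} s")
    for cap in (None, 55e6):  # 55M probes/s: the peak aggregate scan rate the summary reports
        h = simulate(N, R, aggregate_cap=cap)
        print(f"cap={cap}: 50% infected at {time_to_fraction(h, N, 0.5):.0f} s, "
              f"90% at {time_to_fraction(h, N, 0.9):.0f} s")
```

Raising n_vuln tenfold at the same per-host rate cuts the doubling time tenfold, which is the point of comment 13; adding the cap stretches the tail of the curve but not its early exponential phase.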
  14. Re:Ah, yes by The Bungi · · Score: 3, Interesting
    Well, explorer shell = IE. It's handled a bit differently, but the engine is still loaded.

    I don't think so. The shell and IE use some shared components that are loaded with the shell itself (the Windows common controls). Unless you have Active Desktop enabled (and I don't), the HTML parsing engine is not yet loaded when the shell itself initializes. And I know that because I've profiled it.

    IE is basically three things: the common controls, the HTML parsing engine and a few shell extensions (which you can turn off). The EXE is just a stub.

    Now, some people consider the whole common controls thing to be one of the Evil Monopolistic Practices, when it really is an excellent alternative to having 18 different "widget" sets to choose from and having two thirds of them double over and die because glibc happens to be an older (or newer) version.

    In fact, if you've ever run an alternative shell you'll see why this "loads with the OS" is just FUD, because IE runs at the same speed. And no other process in the entire system uses the HTML parser.

    I understand "loads with the OS" to be something like a WDM driver, a kernel-space service or something like that. But that's just me.

  15. User style sheets by jesser · · Score: 3, Interesting
    Floppymoose's ad blocking CSS is an example of a user style sheet. User style sheets can do much more than hide parts of pages.

    The user style sheet I use does the following:
    • Link styles:
      • Links to Slashdot are bold and Slashdot-green.
      • Links to mozilla.org have a 16x16 red-dino logo next to them.
      • Links to goatse.cx are brown and crossed out.
      • javascript: links are green.
      • mailto: links have an envelope icon next to them.
    • Borders for image links. Solid blue for unvisited links, dashed purple for visited links.
    • Hide all reset buttons.
    • Before each named anchor, display the name in the format [#foo], but make it 80% transparent so it doesn't get in the way of the actual text of the page.
    • Ignore the effects of blink and marquee tags.
    The CSS code for most of these is on http://www.squarefree.com/userstyles/.

    I also use the "test styles" bookmarklet to create temporary, site-specific user style sheets. My most common temporary user style sheets hide visited links (useful on sites that serve random image links every time you load them), make all text lowercase (useful for reading all-caps text), and change the color of visited links (useful for sites that use the same color for unvisited links).
    --
    The shareholder is always right.
  16. Slapper was a variation on an older worm, I think by sirshannon · · Score: 2, Interesting

    The original actually tried to do something. It logged into SQL Server using the SA account and a blank password (if someone was dumb enough to leave that...) and then emailed the schema (and data, maybe, I didn't actually test it, just read it) to its author, set up a new account with its own password, changed the sa account's password to that password, and then looked for any other SQL Server on the net.

    Unfortunately (or fortunately, depending on how you look at it), this scanning for other servers slowed the server down so much that it was noticeable if you were in the room with the machine. It sounds to me like someone saw what a load it was putting on the net and the machines infected and decided to cut out the section that gathered the database information and just let it spread freely, assuming it would lock up the net the way it did.

    I'm not completely certain that this is the same worm, but it sounds like it.