Slashdot Mirror


Day in the Life of the Internet Storm Center

An anonymous reader writes "Network World Fusion has an article about the Internet Storm Center's inner workings. The writer follows the ISC during the day of the MyDoom-O outbreak (the one that hit Google et al.). The article talks about running W2K in vmware on top of SuSe Linux. A practice very common in malware analysis to isolate yourself from various ill effects of the malware. Other open source software receiving a mention in the article is everybodies favorite packet analyzer Ethereal."

17 of 123 comments

  1. virus by spotplace · · Score: 5, Interesting

    Windows 98 has largely been ignored by the virus writers for the past two years... The worms this year that took down my school district's entire network of W2K machines didn't harm the Windows 98 machines at all!

    1. Re:virus by ciroknight · · Score: 4, Interesting

      Funny, we had the opposite take effect at our school district. We migrated all of the machines we could to Win2k (some were just not powerful enough, sadly), and then got hit by a virus that thrashed the remaining Win98 systems, but left the Win2k machines completely alone. Needless to say, it was an older virus that someone brought in on floppy, but the effect nonetheless was devastating for quite a while. It also seems that the Win9x virus protection programs weren't as effective at scanning the floppies on mount, versus the Win2k scanners that worked flawlessly for us (Norton for both, 2k3 on the Win2k machines, 2k1? on the Win98 machines).

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    2. Re: virus by Alwin Henseler · · Score: 4, Interesting

      Yes, still running Win98 here, and I have the same experience. Visited Windows Update after install, then stripped out IE (98lite), full backup, use Mozilla, regularly updated virus scanner, and rarely run binaries fresh off the 'net. Result: last worm infection was long ago (on a LAN party), lockups are rare, no weird problems of any kind.

      I guess a major factor is that many exploits are created by reverse engineering patches. As Microsoft has ended active support for Win9x systems, that also means no new patches for hackers to reverse engineer. Then there was this source code leak, wasn't it Win2k source code? So different code from what's in Win9x. And as Win9x systems are replaced with Win2k/XP, their smaller market share makes Win9x a less interesting target.

  2. Re:My Favourite Pony by stratjakt · · Score: 5, Interesting

    Nothing on that link tells you how the product works.

    The closest I read was "Deep Freeze instantly protects and preserves original computer configurations" which reads to me that it's kind of like Ghost, except it keeps an image local on the HDD?

    If so, I'd shy away from phrases like "Completely invulnerable to hacking".

    XP's system restore feature gives you the same functionalities, if it's used properly (of course, it never is). I'm in the habit of making a save point before I do anything that could potentially bork my machine (testing some new driver tweak, etc), and have rolled back successfully on more than one occasion.

    --
    I don't need no instructions to know how to rock!!!!
  3. Re:More "fun" than running viruses in vmware... by DarkOx · · Score: 4, Interesting

    only if you are crazy enough to run wine with elevated privileges.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  4. Small code ... ? by thrill12 · · Score: 5, Interesting

    From the article:
    "It's amazing how these virus writers get such small code," Ullrich says. "They should be working for some of the commercial code vendors."

    Why not: s/should/could
    And for the conspiracy-minded: s/working for/commanded by
    Really twisted addon to the latter: s/code vendors/anti-virus vendors

    Another episode in "preaching to the converted".

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  5. Re:Malware by The Jonas · · Score: 4, Interesting

    True.

    However, if anyone out there is running a honeypot as a hobby or is new to setting them up, some good advice on a more secure Windows configuration can be found here. Specifically, it details how to cripple DCOM using a hex editor and reconfiguring other networking services. Good advice, even if you don't use their product. Be careful, you may lose some desktop functionality.

  6. Re:My Favourite Pony by stratjakt · · Score: 5, Interesting

    See, I have this co-worker who constantly fucks up his machines. He's supposed to be a programmer/analyst/tech support guy just like me (small company, you wear a lot of hats), but every time something comes up, I have to handle it because his computer is broken.

    "I can't build a working EXE, my Visual Studio is screwed up!" "I can't dial into that customer, because my modem isn't working" "I can't VPN in because my computer crashes when I fire up the Cisco client".

    He's incompetent, but I'm dubious he's this incompetent. I traded him the machine in my office when I got a new one, everything worked perfectly. A week later, his VPN and Visual Studio are broken. I really don't have the time to keep rebuilding his machine for him. Of course, he claims he doesn't know how to reinstall Office or VStudio, etc..

    I think he does it so he won't have to do actual work. I end up doing everything because he always has an excuse. When he's on site, his laptop is broken, so he has to phone in all the code changes he wants, I have to do it, cut an EXE and email it out. Of course, it's double bonus for him. Anything he fucks up on site, he can just blame me for, since I'm actually doing the work remotely.

    It's pissing me off, and it makes our company look like a bunch of morons. My archetypal PHB thinks he's just the cat's ass because he comes in "early" every morning (he shows up at 8:45 to drink coffee and read the paper, we open at 9. Sheesh).

    Anyhow, this sounds like a decent product. I'm downloading the evaluation version now. I'll reinstall his machine one last time, ghost it, install this. Next time I hear "I can't dial in because my modem is screwed up", I'll reboot his box and it'll be fixed.

    --
    I don't need no instructions to know how to rock!!!!
  7. Re:My Favourite Pony by ciroknight · · Score: 2, Interesting

    And it'll work fine for that, as long as the asshat isn't insane enough to actually hack deepfreeze. But this is exactly what this product was made for, and it works wonders for keeping machines alive after a virus storm or freak driver accident.

    Hope it works out!

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
  8. Redefining protocols? by little_fluffy_clouds · · Score: 4, Interesting

    From the article...

    Like previous versions of MyDoom, this one too seems to be listening on certain ports for commands. Ullrich pings each port, but the virus does not react.

    That's a neat trick.

    I guess they mean "ping" as in "connected to a TCP or UDP port in some manner", and not the usual "send ICMP ECHO_REQUEST", which I don't believe has anything to do with "ports".

    Ah, journalism.

    --
    What were the skies like when you were young?
  9. Re:My Favourite Pony by jrockway · · Score: 4, Interesting

    It's pretty good. I couldn't get around it in Windows after they blocked real mode programs. Before that I had to crack the BIOS password and then boot Knoppix, then delete key files. And sometimes the fucker still came back.

    So from my independent analysis, I'd say DeepFreeze is good. I haven't done any code-tracing, though, so I don't know if some buffer overflow would ruin the whole thing. It wouldn't surprise me, though.

    Closed source is what it is.

    --
    My other car is first.
  10. Re:My Favourite Pony by RichardX · · Score: 2, Interesting

    This is just a guess, but from the (very limited) description on the site - particularly the bit about only needing 2 MB of drive space - I suspect that rather than keeping a rollback log, instead it redirects all writes elsewhere and somehow fools the system into combining them.

    I don't really know if that makes sense, but basically what I'm saying is I think instead of allowing changes to the stuff that's already on the drive, instead it makes the system write the changes to a "scratch space", as it were, and when it comes to read back files, it takes that into account... when you reboot, it wipes the scratch space (which just contains the differenced versions of the files).

    The difference between the two methods is the differencing system doesn't take any "extra" space, as anything you're saving/installing you'll be taking into account in your HD space, whereas a changes log could grow huge, fast, and take up a lot of unaccounted-for-by-the-user space.

    Wow.. reading this back, it's a really mangled and incomprehensible way of explaining a simple concept. I should write manuals for a living!

    --
    Curiosity was framed. Ignorance killed the cat.
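The two designs RichardX contrasts above, as a toy in-memory model added here (not DeepFreeze's code, whose internals the thread only guesses at): a rollback log that records each overwritten block so it can be undone, versus redirect-on-write, where writes land in a scratch area that shadows the frozen image on read and is simply discarded at reboot. The file names and the write workload are constructed.

```python
# Toy model added here; not DeepFreeze's implementation.
class RollbackLog:
    """Writes hit the disk in place; the old contents go to a log that grows
    with every write, even repeated writes to the same block."""
    def __init__(self, image):
        self.disk, self.log = dict(image), []
    def write(self, block, data):
        self.log.append((block, self.disk.get(block)))
        self.disk[block] = data
    def read(self, block):
        return self.disk.get(block)
    def reboot(self):
        while self.log:  # undo in reverse order back to the frozen image
            block, old = self.log.pop()
            if old is None:
                self.disk.pop(block, None)
            else:
                self.disk[block] = old
    def extra_space(self):
        return len(self.log)

class RedirectOnWrite:
    """The base image is never written; a scratch map shadows it on read and
    holds at most one entry per block, so it is bounded by blocks touched,
    not by the number of writes. Reboot just drops the scratch map."""
    def __init__(self, image):
        self.base, self.scratch = dict(image), {}
    def write(self, block, data):
        self.scratch[block] = data
    def read(self, block):
        return self.scratch.get(block, self.base.get(block))
    def reboot(self):
        self.scratch.clear()
    def extra_space(self):
        return len(self.scratch)

def simulate(cls, writes):
    """Run a write workload against a frozen image and return (app.exe,
    virus.exe, extra space used) before and after the reboot."""
    fs = cls({"boot.ini": "v1", "app.exe": "v1"})
    for block, data in writes:
        fs.write(block, data)
    before = (fs.read("app.exe"), fs.read("virus.exe"), fs.extra_space())
    fs.reboot()
    after = (fs.read("app.exe"), fs.read("virus.exe"), fs.extra_space())
    return before, after

# Constructed workload: app.exe rewritten ten times plus one dropped file.
WORKLOAD = [("app.exe", "v%d" % i) for i in range(2, 12)] + [("virus.exe", "x")]
```

Both strategies restore the frozen image at reboot, but the log holds eleven entries for the same workload where the scratch map holds two, which is the growth difference the comment is describing.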
  11. Re:Similar Article by Mant · · Score: 2, Interesting

    This is something like the third article where someone has posted that link, then it has been modded up as informative.

    Maybe a lot of Slashdotters don't pay attention when they Mod, but it smells to me of some organised trolling.

  12. Re:Similar Article by Anonymous Coward · · Score: 1, Interesting

    I'd guess organised trolling - responses pointing out the NSFW link have been modded down too.

  13. Hahahhaha by brennz · · Score: 2, Interesting

    The first word that caught my attention was the word "handler".

    To paraphrase Dave Aitel, "handler = someone without a CS degree".

    $ans is all about cash. That is why their classes are packed to the brim, so people can watch powerpoint presentations...

    (yes I have attended one)

    Half of the SANS hardening guides were ripped straight from the US government (NSA/DISA STIGs). No credit given either btw.

  14. Re:My Favourite Pony by Anonymous Coward · · Score: 3, Interesting

    Just to add to what the others have said, my father also runs a school computer lab, and I fix things for him when I come home to visit every couple months. He is a drafting teacher close to retirement and knows CAD software inside and out but less so when it comes to administrating the network etc, although he is still picking things up. Oh and the school district's computer people are incompetent.

    We use DeepFreeze in the lab and it works very well. I have yet to find or hear about any way for the student to mess up the machine as long as it boots off of the drive that DeepFreeze is installed on. Hanging out in script kiddy channels I heard a lot of people asking how to hack DF, but no one had any answers, other than boot disk. So if you disable booting from CDROM and floppy in the BIOS and use a BIOS password, then short of opening the case or figuring out your password, there is really no way that the user can mess things up.

    -jackson

  15. Re:My Favourite Pony by JThundley · · Score: 2, Interesting

    That's what I always thought.
    Just last week at my college I thought I'd throw in a Knoppix disc and not use their 2 year old installation of Windows 98. Knoppix was slow as fuck with the little amount of RAM it had, so I thought I'd install it to the hard drive so it would run faster, DeepFreeze is on this machine, when I reboot Win98 will be right back where it was, right? Wrong. I hope nobody finds out that I did that or I'll get banned from using the college network... again. DeepFreeze wasn't deep enough...

    By the way, to see if DeepFreeze is on the computer: Ctrl-Alt-Shift-F6