Slashdot Mirror


User: Nater

Nater's activity in the archive.

Stories: 0
Comments: 323

Comments · 323

  1. Re:MD5/PGP Signing could prevent this. on Hacker Tinkering With Yahoo Stories · · Score: 2

    Signatures which can be trusted would require strong encryption.

  2. Re:MD5/PGP Signing could prevent this. on Hacker Tinkering With Yahoo Stories · · Score: 2

    Because they want strong encryption banned. If they were actually using it themselves, then, well, that just doesn't work. Besides, it's illegal to exploit security flaws, which means we can safely assume it will never happen like good little ostriches.

  3. Re:More Info on New (More) Annoying Microsoft Worm Hits Net · · Score: 2

    Right, so...

    Here's my preliminary analysis of Admin.dll (using strings and nmap):

    It modifies registry keys related to TCP/IP (apparently it blocks incoming SYNs... evidenced by nmapping cracked boxen), Explorer (to unknown effect), and a few other things. Most notably, it turns on extension hiding.

    It contains an SMTP client, and possibly a server, and a hard-coded email which I have yet to really take a good look at, except to note the JavaScript line that opens a file called "readme.eml" (an attachment?).

    It creates an account called "guest" and adds it to the Administrators and Guests groups.

    It may also be making modifications to system.ini and other .ini stuffs in the WINDOWS directory.

    It contains the actual propagation code. I'm not sure if this includes the TFTP server or not.

    I have downloaded Admin.dll from three infected machines and they have different MD5 sums. I do not know if this code is mutagenic or not.

  4. Re:to the "layman" on EFF Action Alert -- Online Freedoms In The Balance · · Score: 2

    Well until someone can develop an easily crackable, but strongly tamper-evident form of encryption, existing cryptographic techniques must necessarily be construed as equivalent to the gamut of everything from envelopes to lead-lined welded steel crates, simply because the alternative of "no encryption" is equivalent to a postcard. Think of it this way: right now you can either send email in invincible crates (PGP or GPG encrypted), on a postcard (canonical form), or via a secure private postal service (encrypted VPN). Under those circumstances, does it make sense to ban encryption, which is at the heart of the only two viable forms of secure transmission? The idea of mandatory backdoors has also been suggested in Congress, which I find so short-sighted as to be beyond laughable and into the realm of sickening. Bugtraq has proven time and time again that if a backdoor exists, someone will find it, and most likely, it will be someone who wasn't supposed to find it. Key escrow is probably a compromise that would pass at this juncture and achieve the goal of allowing law enforcement access to encrypted materials without making said materials generally insecure. However, the ultimate goal is to stop crime, including the crimes we consider "terrorism". We must remind ourselves that police are not an end in themselves, but a means to an end (OT - I think if you asked a politician to define what is meant by "terrorist", I could demonstrate that certain police forces in the United States meet that politician's criteria).

    Obviously, the problem at hand is that hijacked planes were deliberately flown into buildings. The use of encryption is pretty far removed from the act of hijacking a plane. I think a better solution would be to redesign airplanes so that it is impossible to get from the passenger cabin to the flight deck without a) leaving the plane, b) depressurizing the passenger cabin, or c) something else at least as undesirable for the would-be hijackers. Those are solutions that will stop hijackers. Banning strong encryption or giving law enforcement more power to pry will only cause hijackers to find another way to talk to each other, and then laugh at us for giving up on privacy.

  5. Re:More Info on New (More) Annoying Microsoft Worm Hits Net · · Score: 2

    It would seem to me, then, that renaming or moving tftp.exe out of c:\winnt\system32 would keep this thing from majorly screwing you.

    Also, bear in mind that removing IIS and installing Apache would keep this thing from majorly screwing you, with the added bonus of shielding you from any other worm that exploits IIS.

    As far as this particular worm is concerned, though, your suggestion would work.

  6. Re:More Info on New (More) Annoying Microsoft Worm Hits Net · · Score: 2

    All I know is what's in my Apache logs. The worm tries to run a 'dir' command via cmd.exe. If it thinks that succeeded, it then runs a 'tftp' command via cmd.exe with parameters to cause it to fetch Admin.dll. After that, it requests Admin.dll directly. I'm not terribly familiar with how IIS is supposed to handle direct requests to DLLs, but I imagine it treats them as server-side logic, rather than static content. If that's the case, then the DLL gets executed and the worm does its business. I've got some work to do, but I'll be taking a look at that DLL later today, like after work. Findings will be posted.

  7. More Info on New (More) Annoying Microsoft Worm Hits Net · · Score: 5, Informative

    When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.

    I'll take a look at Admin.dll later today.

  8. Re:to the "layman" on EFF Action Alert -- Online Freedoms In The Balance · · Score: 2

    Pose a rhetorical question:

    Would it make sense to ban envelopes in the postal system?

  9. Re:Easy? on Mafiaboy Gets His Wrist Slapped · · Score: 2

    No, he said they become criminals as adults... after juvenile detention. Not the same.

  10. Re:Easy? on Mafiaboy Gets His Wrist Slapped · · Score: 2

    Most people who go to a youth detention center often times become criminals as adults.

    I find this assertion a little backward. I would be more inclined to believe that people who did things as kids that land them in juvie will continue to do those things as adults, and land in jail.

  11. Re:It's like sex on Mafiaboy Gets His Wrist Slapped · · Score: 2

    You know, I think this is the only comparison between hacking and sex that ever actually made sense. There is a good point in the parent comment. Why it was modded down is far beyond my comprehension.

    To restate: There are quite a few examples of things which are illegal for kids, and in some cases for anyone, to do. Kids do them anyway, in some cases, simply because they are illegal and doing them would be rebellious.

    Don't mod this comment up. Mod the parent up.

  12. Re:HACK THE PLANET on Mafiaboy Gets His Wrist Slapped · · Score: 0, Offtopic

    Dude! Dude! Dude! Dude! Dude! Dude! Guess what? Ok, so I was in this computer...

  13. Re:His name was Timothy McViegh! on More On Tragedy · · Score: 5, Funny

    I didn't know that McVeigh was a suicide bomber.

    He's dead, ain't he?

  14. Re:Ever read a Tom Clancy novel? on Further Updates On Terrorist Attack · · Score: 2

    For a strict definition of deterministic, this is true. However, by deterministic I mean some algorithm that will produce the same results for anyone who uses it. An example that comes to mind is one which uses a PRNG seeded with the previous day's trading volume on NASDAQ, combined with say, the New York Times. Use the sequence of pseudo-randoms as an index of some sort into the New York Times for the day you send the message and get your pad from the newspaper. That's an algorithm that will produce the same results for anyone who uses it. Strictly speaking, though, it wouldn't be a good OTP because the newspaper is English text and English text has a non-random distribution of letters in common usage.

  15. Re:Ever read a Tom Clancy novel? on Further Updates On Terrorist Attack · · Score: 2

    A one-time pad needs a good bit of randomness in it. CD data is not random.

  16. That New Tech Smell on Maxtor's ATA-133 Does 160GB · · Score: 3, Insightful

    It's gone. That glowing feeling I normally get when I realize that a hard drive twice as big as my current one will cost half as much because one four times as big is now on the market... just isn't there today. The handful of comments that are already on this story are saying that it's not time for regular mundane tech stories, and to a degree. But a part of me is glad that life is moving on, and that the horrifying news is no longer supplanting the mundane news. In time, we'll all have that glowing feeling produced by Moore's law. People have died and property has been destroyed, and I'm sad about that just like many other people. On the other hand, terrorism only fails by failing to induce terror, so I say bring on the 160GB hard drives and 2GHz processors and the 1 cubic centimeter webservers.

  17. Re:Ever read a Tom Clancy novel? on Further Updates On Terrorist Attack · · Score: 2

    The trouble with one-time pads is that in order to use them you have to either be generating the pad deterministically at both the sending and receiving end, or you have to somehow communicate the pad. While the pad itself and the data it hides may be undecipherable, the "infrastructure" required to use it is not.

  18. Re:Remember the past on U.S. Attack -- More Updates · · Score: 2

    My sig says it all.

  19. Re:BREAKING NEWS! on World Trade Towers and Pentagon Attacked · · Score: 2

    It is unconfirmed whether that plane crashed or was in fact shot down, but it is known to have been a hijacked plane. (NY Times)

  20. Re:Apparently it's a signalling issue. on Why Can't ADSL Be Reversed? · · Score: 1

    Sarcasm, man... sarcasm. Learn to see it and be a smarter man!

  21. Re:Good for blind people on Surfing the Web Haptically · · Score: 3, Interesting

    Perhaps the tech could be developed to feel braille with a mouse.

    This is actually a great idea. How about a mouse with a dot-matrix like Braille pad, say, right between the buttons, that produces the Braille character that matches the character under the pointer. Don't forget your patents!

  22. Re:Good for blind people on Surfing the Web Haptically · · Score: 2

    how come in libraries and schools etc. there's always Braille on the signs?

    Every time I see those restroom signs with "Men" and "Women" written on them in Braille, I can't help but chuckle at the thought of some blind guy in desperate need of a commode searching frantically for those signs so that he can find the appropriate bathroom. They just seem so useless... no better really than having Braille on a billboard on the roadside.

  23. Re:Face recognition on Your Face Is Not a Bar Code · · Score: 1

    Oh, and another thing... how slow is slow? I typically ride just under the speed limit (25 mph speed limit, my speed: 22-24 mph).

  24. Re:Face recognition on Your Face Is Not a Bar Code · · Score: 1

    It's been my experience that expressways, which are completely devoid of bikes, will back up for hours twice each day, enough so that it takes two hours to drive 15 miles from O'Hare to the Loop (this is Chicago I'm talking about). And it's not slow moving objects that cause the jam, it's the presence of so many cars. Meanwhile on the street grid, when there is no traffic jam, cars and bikes both ride smoothly down the road, each at their own speed.

    Drivers like to blame traffic jams on everyone but themselves, blame the smoggy air on "all those cars" while maintaining one of their own, complain about the price of gas, and sit back and watch their asses grow from lack of exercise. Be a part of the solution: ride a bike.

  25. Re:Face recognition on Your Face Is Not a Bar Code · · Score: 1

    Correction:

    Cars cause traffic jams. Bikes ride past them. It's a 30 minute ride for me to get to work during rush hour by bike. By taxi it's upwards of an hour.