I want a tarpit option for FreeBSD's ipfw, the same way there is for Linux. It'd be nice to do something to slow this thing down...not that it's easy to tell this worm apart from everything else cluttering up my firewall logs.
Keep in mind that all you have is my word that nothing's been changed (nothing has, but that doesn't mean you should trust me). I'm open to suggestions about verification (md5s of original files, maybe?).
...funkiest of all, dynamic display of an image pulled off the web based on keywords extracted from each sentence -- hey, turn all your web pages into slide shows today!
Sweet Zombie Jesus, I did not spend my time turning off animated gifs, turning off Flash, stopping those stupid "download this plugin" buttons from popping up, using Google instead of Antarti.ca's let's-fly-over-the-web-in-a-low-flying-fighter-jet search engine, and running search-and-destroy missions on the remaining dancing baloney just to turn every web page into a goddamned sentence-by-sentence Powerpoint(tm) presentation!
In the name of Tim Berners-Lee, who the hell comes up with this crap?
I'm not so sure. It's an attractive thought, but I'm worried that a) no one has gone after such a small population before (as were infected by Witty, I mean), b) the results are pretty fucking spectacular, c) crackers will look for similarly small populations affected by the next remote hole in program X, and d) that could well be Linux or FreeBSD.
I guess -- and this is a pretty shameful thing to admit -- I had always counted on a certain security by obscurity (of platform, in this case). A case like this makes me realize that's pretty slim hope...which I should have realized, deep down, long before.
I take your point about falling sky; I was just reacting to the story, and your (and other) sober second thoughts are good tonics for that initial panic.
You're right about the hardware firewall, or at least a second firewall; really, I should be treating the cable modem as just the beginning of a DMZ, rather than the outside of my only firewall.
And although I didn't phrase it well, things like this do make me worry about the future of the Internet. I guess it's just life -- there are cute little bunnies and then there are foxes (gimme a break, I'm tired and that's the best metaphor I can come up with) -- but it sucks that the Internet is becoming this minefield.
This leads to the conclusion that firewall/AV software should be included as part of the baseline system, whether with the operating system or as an additional package at system build time.
Yep -- but how would that have helped here? The thing wasn't a virus spread by email -- the first thing to see the packets would have been the firewall, which is what keeled over.
Also it leads to the conclusion that user-assisted updates are useless and only automatic updates can effectively patch fast enough to block worms of this sort.
One other thing that might help is something like OpenBSD's systrace. Basically, it limits what syscalls you allow programs to have. What about something like a firewall that said, "Whoa, suddenly your firewall is calling bind() 80 times more than usual -- better check it out"? (I realize that's kind of a crappy, faux-geeky example, but you can see what I'm getting at, and anyway surely this could be made much more intelligible to regular users.)
This is one of the most depressing stories about the state of the Internet that I've read in a while.
Jesus Christ, if you read that and weren't frightened, you're dead inside.
The highest packet rate they saw was more than 23,000 per hour, sustained for at least one hour. The worm came out one day after eEye announced the vulnerability. It just went ahead and started erasing the hard drive, rather than just grep for passwords or credit card numbers. And this thing targeted and 0wned people who cared about the security of their computer!
If you've read nothing else, check out the conclusion:
It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert. Yet the current mechanism for dealing with security holes expects an end user to constantly monitor security alert websites to learn about security flaws and then to immediately download and install patches. The installation of patches is often difficult, involving a series of complex steps that must be applied in precise order.
The patch model for Internet security has failed spectacularly. To remedy this, there have been a number of suggestions for ways to try to shoehorn end users into becoming security experts, including making them financially liable for the consequences of their computers being hijacked by malware or miscreants. Notwithstanding the fundamental inequities involved in encouraging people to sign on to the Internet with a single click, and then requiring them to fix flaws in software marketed to them as secure with technical skills they do not possess, many users do choose to protect themselves at their own expense by purchasing antivirus and firewall software. Making this choice is the gold standard for end user behavior -- they recognize both that security is important and that they do not possess the skills necessary to effect it themselves. When users participating in the best security practice that can be reasonably expected get infected with a virulent and damaging worm, we need to reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem and turn our attention toward both preventing software vulnerabilities in the first place and developing large-scale, robust and reliable infrastructure that can mitigate current security problems without relying on end user intervention.
I was thinking the other day about all the precautions you need to go through with a Windows box just to get a new install up-to-date; I was smug, and thinking that a Windows box without a firewall was like a person without a skin: no protection from infection, no way of stopping the most basic of attacks.
And now reading this I feel that smugness just draining in a really hideous way. I use Linux and FreeBSD...what of it? I realize there is still a big difference between Unix and Microsoft, between a local and a remote exploit, between an ordinary user account and root. But I'm no longer convinced those differences are enough: there's a thousand programs available on my machines, and all that stands between me and 0wnership is a programming error and someone who decides that, you know what, seven thousand hosts is worth it.
Nothing more to say at this point...I'm still staring uneasily at the blinking cable modem lights, wondering when it'll be my turn.
I was thinking this a couple of days ago when I had to clean out some viruses at work. I Googled, and was able to find a few such systems.
The first was mentioned in a blog, and uses F-Prot, which is FAIB for home/personal use.
There's also Knoppix STD, a security/vulnerability live CD that includes ClamAV. Doesn't look like they're using the Captive NTFS driver, though, so not sure how well that'll work compared to one that does, like...
BitDefender, which seems to be All That And More. It uses Captive, has ClamAV, and I'm pretty sure it's GPL'd, too. (The company does make commercial/proprietary products too.)
These take care of viruses. I'm not aware of any spyware-removal programs that run under Linux, which is a shame. It really would make it easier to boot from the CD, sip coffee for 15 minutes, then go back to Windows with that fresh feeling...
Another vote for freezing here, if you've got nothing to lose. I had a hard drive die at work, and while we were pretty sure everything had been backed up I decided to try freezing anyway -- partly to be sure, partly out of curiosity.
I had the same behaviour as you: you get working data for a while, then you start getting errors and you need to put it in the freezer again. I was surprised at how well it worked, though.
No word from the guy whose drive it was; should've got him to check his code and see if it was suddenly filled with buffer overflows or something. :-)
Weird -- I remember reading an announcement on this subject on Usenet back when I was in university. What's more, I was able to google for the original article from January, 1991:
Hello. I just wanted to inform the netland that a direct nerve to transistor interface is finally operational. The invention was privately announced 1 month ago, but is now out in the public. It is possible now to grow a nerve over a silicon substrate in a way that the nerve has a capacitive connection to a FE-Transistor built into the substrate. The signal to noise is good enough to resolve the bandwidth of a usual neuron. For more information, watch out for an article of the university of Heidelberg in an upcoming issue of 'Nature'. Welcome to Cyberspace.
Henrik Klagges Scanning tunnel microscopy group at LMU Munich
I was extremely impressed at the time, but I never did see anything more about it. Ah, the days of being young and believing everything you read on alt.cypherpunk...
DM Contact Management, mentioned in the article as one of the targets of the lawsuit, was also mentioned in this article from November about a guy getting arrested for sending threatening letters to spammers.
Advanced Botanicals Inc's contact page can be found here. They're listed on this page as having different products refused entry to the US for false labelling.
------- Forwarded message follows -------
From: lsi <stuart cyberdelix net>
To: focus-virus securityfocus com
Subject: how to filter the Novarg virus
Send reply to: stuart cyberdelix net
Date sent: Wed, 28 Jan 2004 17:35:57 -0000
I have devised a near-bulletproof Novarg filter.
The following regular expressions trap this virus dead, no matter what subject line, message body, or filename it uses:
If expression body matches "UEsDBAoAAA*" Move [virus folder]
If expression body matches "TVqQAAMAAA*" Move [virus folder]
This is because the worm is in fact the same program with many disguises. However the program looks the same when encoded with MIME. Therefore, the above are basically 'MIME sigs' which work just like a virus signature in a regular virusscanner.
So to find it we merely filter on the MIME strings above, which are the first 10 bytes of the MIME content section.
For users without enterprise-class content filters (such as me), these two regexp's work like a silver bullet.
(That two different sigs are required suggests there are two versions of the virus in circulation.)
No silver bullet for auto-notification messages, unfortunately :(
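As an added example (not part of the forwarded message or of this blog), the Python below shows what those two prefixes actually are and applies the same first-ten-characters rule to a constructed MIME message: "UEsDBA" is base64 for "PK\x03\x04", the ZIP local file header, and "TVqQ" is base64 for "MZ\x90", the DOS stub at the start of a Windows executable, so the rules catch any base64 attachment that begins with those bytes, not only this worm. The message and attachments are constructed sample data, not worm samples.

```python
import base64
import email

# The two 10-character base64 prefixes from the forwarded filter rules.
# Ten base64 characters carry 60 bits: the first seven bytes of the attachment
# plus half of the eighth, which is why the rules end in a trailing "*".
SIGNATURES = {
    "UEsDBAoAAA": "ZIP local file header (PK\\x03\\x04, version 1.0, flags 0)",
    "TVqQAAMAAA": "DOS/PE executable stub (MZ\\x90, classic MS linker header)",
}


def decode_base64_prefix(prefix: str) -> bytes:
    """Decode a partial base64 string (whole bytes only) to show what it encodes."""
    if len(prefix) % 4 == 1:           # a single dangling char carries no whole byte
        prefix = prefix[:-1]
    return base64.b64decode(prefix + "=" * (-len(prefix) % 4))


def match_signature(b64_body: str):
    """Apply the mail-filter rule: compare the still-encoded body's first ten
    characters against the signatures. Returns the description or None."""
    return SIGNATURES.get(b64_body.lstrip()[:10])


def scan_message(raw: bytes) -> list:
    """Walk every base64 part of a message and report (filename, description)
    for each part whose transfer-encoded body starts with a signature."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        sig = match_signature(part.get_payload())   # decode=False: raw base64 text
        if sig is not None:
            hits.append((part.get_filename(), sig))
    return hits


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Construct a minimal multipart/mixed message carrying one base64 attachment."""
    b64 = base64.b64encode(attachment).decode("ascii")
    return (
        "From: sender@example.com\r\nTo: user@example.com\r\nSubject: hi\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        f"--b1\r\nContent-Type: application/octet-stream; name=\"{filename}\"\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\r\n\r\n"
        f"{b64}\r\n--b1--\r\n"
    ).encode("ascii")


# Constructed sample attachments (not worm samples): a stored-method ZIP header
# and a DOS "MZ" stub, each padded with filler, plus a harmless text file.
SAMPLE_ZIP = b"PK\x03\x04\x0a\x00\x00\x00\x00\x00" + b"\x00" * 22 + b"constructed"
SAMPLE_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\xff" * 20
SAMPLE_TXT = b"hello there, this is plain text"

if __name__ == "__main__":
    for name, sig in SIGNATURES.items():
        print(f"{name} -> {decode_base64_prefix(name)!r}  # {sig}")
    for data, fname in ((SAMPLE_ZIP, "doc.zip"), (SAMPLE_EXE, "doc.exe"), (SAMPLE_TXT, "note.txt")):
        print(fname, scan_message(build_sample(data, fname)))
```

Because the prefixes are generic ZIP and EXE magic, a legitimate stored-method ZIP or a plain Windows binary sent as an attachment lands in the virus folder too, so the rule trades false positives for catching every disguise of the same program.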
Wow...that offer could be right out of Heinlein. Shame he's not around...I think he'd like the little interludes like this as much as the exploration itself.
...at least, I'm pretty sure it is. I was having the same problems as he was: interface would not pick up DHCP or IPv6 route unless it was in promiscuous mode. I managed to get in contact with Jung-uk Kim, who was working on the sk0 driver, to test some patches, and they worked perfectly.
Looking at FreeBSD's CVS site, it looks like the patch has just been committed. My thanks again to Jung-uk and the rest of the FreeBSD team!
This isn't my worst mistake, but it's probably my worst series of mistakes.
My wife had bought an iMac from her last job, and it had always given her problems -- random crashes and the like. It finally occurred to me last year that maybe we should replace it.
I assembled a new computer for her based around a K7S5A mobo and Athlon 2600. Worked fine, but the Athlon would only run at 1600MHz instead of 2100. Stupid me, I hadn't checked the mobo specs to see what it supported. I Googled and eventually became convinced that a BIOS upgrade would do the trick.
The first upgrade went well enough (i.e., didn't destroy anything), but the processor was still only running at 1600MHz. Oh, and the USB stopped working...pretty important, since her keyboard and mouse were USB and I didn't have any PS2 keyboards around. Fuck. So I decided to reflash with another version, and this time it really got fucked: the POST stopped right after detecting RAM -- simply wouldn't go any further no matter what. Tried everything I could but couldn't get it working. Googled again and found that maybe if I got another K7S5A, pried the flash chip off it, put it into the dead one, booted, pried out the working chip, put the dead chip back in and flashed it, it'd work.
Well, fuck that noise. I was pretty upset by this point; I do this for a living (!) and couldn't believe I'd screwed up so badly. (My wife was very understanding, thankfully.)
I decided to upgrade to an Asus. After checking specs carefully, I bought an A7N8X-VM and brought it home. I assembled everything carefully, then plugged it in to check the POST. Everything seemed fine when I started to wonder why I smelled melting plastic.
The case's front USB connectors were all individual plastic connectors, not one monolithic block of plastic. I'd hooked 'em up wrong, and I watched, horrified, as the insulation on the two USB connectors bubbled and fused.
Now, when I assemble a computer, I don't touch the front USB connectors unless it's got a monolithic connector. And whenever I turn on a newly-assembled computer, I leave the case open and hover over it, sniffing deeply until I've made sure nothing is on fire.
I just downloaded everything for -rc3 last night, compiled before going to bed, and was going to copy bzImage into place right now. And now this.
Me: How many fingers do you have on your right hand?
Linus: What?
Me: Oh, how I have prepared for this moment. The coding, the studying, the kernel crashes, never seeing the sun...
Linus: What the hell are you talking about?
Me: My name is Saint Aardvark the Carpeted. You killed my kernel. Prepare to die.
Linus: How the hell did you find me? Did Darl send you?
Me: My name is Saint Aardvark the Carpeted. You killed my kernel. Prepare to die.
Linus: ...All right, I can see you're upset. How much would it take to clear this up? Patches? A sysctl named after you? The head of Alan Cox?
Me: My name is Saint Aar--
Linus: Stop saying that! Guards!
Me: --killed my kernel.
Linus: What do you want?
Me: I want my -rc3 kernel back, you son of a bitch.
I used to work on helpdesk at an ISP, and one day I got kicked an email sent to my boss from one of our customers. Seems the guy had come across a company (sorry, can't remember their name) that was advertising traceable email: use their technology and you'd get to see who read it, from where, using what email client, and so on, and it would work no matter what client they used: Outlook, Eudora, webmail, whatever. He was a bit upset that his ISP would allow this kind of privacy-destroying technology to reach their customers...
The company offered a free demo, so I got one of their emails sent to me. Turns out they wrapped the email message in javascript: it would display the message just fine, with the usual HTML dancing baloney, but sure enough it would ping their server with your IP address, local time, email client, blah blah blah. Sure enough, something like this did work in Outlook Express, webmail, and Eudora. But strangely enough, it didn't work in Mutt.
I wrote my boss back with what I'd found and ways to get around it: use a browser where you can turn off javascript, or use a text-based email client, etc. Maybe I'm just being cynical, but despite the guy's (legitimate, I agree) concerns about privacy I'd be surprised if he took any of my suggestions.
Cool! How?
http://saintaardvarktehcarpeted.com/mirror/playfair.tgz
Amen.
Sorry, "horizontally scaled databases"? What's that? (Genuinely curious.)
I am now blessing your keyboard...
http://saintaardvarkthecarpeted.com/mirror/Doc-100-A.pdf
LOL...Oh man, I laughed until I began to weep.
Thanks for the tip -- I had originally turned off scoring for Habeas, but I felt like I was giving in. Didn't occur to me to look for a common URL...
I'm happy to report that The Floating Head of Ayn Rand made it too. Congratulations to everyone at NASA and A=A!