Slashdot Mirror


User: sepulcrum

sepulcrum's activity in the archive.

Stories
0
Comments
16

Comments · 16

  1. Re:Why were the modutils changed? on Linux Kernel 2.6.0-test8 Released · · Score: 1

    Apparently this all started when a kernel developer (Rusty Russell) attempted to resolve some race condition in the module unloader and ended up porting all the user space module loading stuff (insmod etc.) into the kernel. Now insmod can be written in 20 lines of C (while it was over 2000 lines of code).

    You can read all about this in an interview with Rusty Russell at Kerneltrap.org.

  2. Some details about the worm itself on New Windows Worm Inching Around Internet · · Score: 2, Informative

    Apart from everyone complaining and joking about the strength of the average user's password, I read nothing about the actual worm this is about.

    The worm comes in using port 445 (this is the Samba over TCP port) and tries some simple passwords (the most effective being the empty password). After the infection the worm drops the file dvldr32.exe in the startup folder so that next time the machine is restarted the worm/virus will be installed onto the machine.

    What the worm does is:
    - Start scanning and infecting other random IPs; it does this at a very high speed (i.e. hundreds of IPs per minute)
    - Installs WinVNC (a VNC server for Windows) that allows remote control, see the VNC webpage.
    - Connects to some private IRC servers and joins a channel with some high ASCII chars in the name (Chinese?) and a password. The IRC server is modified so that it does not give back any information to the client, but anyone on IRC can request the IPs of all the infected machines. When I tested this there were about 8000 infected machines on IRC (8000 was the IRC client limit so there are probably a lot more infected machines out there).

    Note that this is quite a big threat as even passive attackers can get IPs of infected machines by watching their logs for connections to port 445. Most of the machines making such connections to you are either machines in your local network or infected machines (unless you do a lot of Samba over TCP/IP over the internet).

    One can easily access the hard disks of these machines using the Admin$ share (which you know has no or only a simple password) either to get files from the user or computer or to get a copy of the worm itself (it's located in the \winnt\system32 folder and named dvldr32.exe). Once you have a copy of the worm you can obtain the VNC password using some good old reverse engineering tricks (which I will not give out here because that would help out scriptkiddies just a little bit too much). I tried out the password I obtained using this analysis on one of the hosts that scanned me and guess what the guy was doing on his PC, yep, he was downloading porn using KaZAA.

    From the looks of it this worm has already infected a lot of machines. I get about one connection attempt to port 445 every 2 hours.

    For some more info about the worm check out the Antiy website.

    Let's see how long it takes before all ISPs block their VNC (5900) and their microsoft-ds (445) ports to stop the worm, or Microsoft issues a security update that forces strong passwords upon users or asks for permission every time something new is put into the startup folder.
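    The detection idea in this comment, watching your own logs for outside hosts hitting port 445, as an added example that is not code from the original post. The simplified iptables-style log lines are constructed, and the local network ranges and the threshold are assumptions.

```python
"""Flag outside hosts that repeatedly hit TCP/445, per the comment above.
Added example; log format, LOCAL_NETS and the threshold are assumptions."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified iptables LOG format (not real traffic).
SAMPLE_LOG = """\
Mar 10 01:02:03 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=445 SYN
Mar 10 01:02:09 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=1035 DPT=445 SYN
Mar 10 01:02:15 gw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=1036 DPT=445 SYN
Mar 10 01:03:00 gw kernel: IN=eth1 SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=2000 DPT=445 SYN
Mar 10 01:03:30 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=3000 DPT=80 SYN
Mar 10 01:04:00 gw kernel: IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=3001 DPT=445 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)")

# Networks whose hosts may legitimately reach our SMB service (assumed).
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
              ipaddress.ip_network("10.0.0.0/8")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def count_external_445(log_text: str) -> Counter:
    """Per-source count of TCP/445 connection attempts from non-local IPs."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "445":
            continue
        src = m.group("src")
        if is_local(src):
            continue  # local SMB traffic is expected; ignore it
        hits[src] += 1
    return hits


def suspected_infected(log_text: str, threshold: int = 2) -> list:
    """Sources with at least `threshold` external 445 attempts, most active first."""
    hits = count_external_445(log_text)
    return [src for src, n in hits.most_common() if n >= threshold]
```

    Hosts that come back repeatedly from outside the local ranges are the ones worth treating as probable infections, as the comment describes; a single hit is left below the threshold by default.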

  3. Re:Sweetness and light... on Google Does the News · · Score: 1

    There is a Dutch site that provides a similar service; the owner of some of the sites it linked to (PCM) filed a court order to try and stop them, but the judge ruled it was legal to do this.
    Hope the US judges will rule the same way.
    You can find some info on this in English at: Under the Going dutch subtitle

  4. Solved it on Reversing a Checksum Algorithm? · · Score: 5, Interesting

    I put sign.exe through IDA and identified the checksum algorithm. I found out that the only thing that goes through the checksum is 35 35 00, then 0E DA is skipped and then the rest is put through. The algorithm is a simple CRC-like algorithm that adds the chars, XORs with the length and rotates some bits. You can find a Perl program I wrote to calculate the checksum for a given range at: this location.

    Good luck with your project,
    Gijs

  5. The not sue-ing clause was copied from warez sites on Borland Kylix/JBuilder License Reviewed · · Score: 3, Funny

    That "by agreeing to this disclaimer you lose the right to sue us" crap was copied straight from the disclaimers I used to see at sites distributing copyrighted material.
    Of course the courts will just laugh at Borland, like they will laugh at owners of sites with similar disclaimers.

  6. Fear of student unix systems is not unrealistic on Correcting Common Linux Misconceptions? · · Score: 1

    At the university where I study all students got access to a number of Unix systems (SunOS, not Linux) and what happened was a huge number of hack attacks from those machines. Simply because students downloaded DoS and other 'hacker' tools.

    Also they installed things like eggdrop that drew attention from people on IRC. Because of all this misuse these servers are now limited to internal university traffic.

    In practice the network admin will be better off with some Windows boxes that get their states restored after each reboot from an image. Give students anything more powerful and they can do a lot more damage.

  7. Blackbox on Lightweight Window Managers? · · Score: 1

    Oh shoot. Since everyone is shouting his/her favorite lightweight WM: how 'bout blackbox?

    It's the one WM we got running really fast on the uni's student server; beats KDE hands down.

    Then again, ... whatever.

    I liked it anyway. If you want a real fast one, I suggest you try various different WM's (see the responses - including BlackBox, of course ;-) and see which one suits you best.

    --Bel.
    PS: Yes, I have a habit of stating the obvious :)

  8. Done this without using the Net at all on Web-based Collaborative Artwork · · Score: 1

    At our university we could all send in our pictures, which were then turned into a huge mosaic hanging in the main hall. No need for the Net at all!

  9. Re:Typical Slashdot FUD on MS Wants To Know Whose PC Is Windows-Free · · Score: 4

    Guess they'll be going after Google pretty soon, with them buying 4,000 non-Windows PCs.

  10. This isn't going to solve programming problems etc on 'Server, Heal Thyself,' Says IBM · · Score: 2

    There will always be someone that has to program these machines to do something useful. It's nice of it not to break up, but what good is that if all it does is serve some static IBM default content.
    I mean, how do they want to implement the "you can't fuck it up" thing? Do only the IBM techs get the root password, or do you get a restore CD like with computers you buy from Dell or HP?

  11. Old trick on How I Completed The $5000 Compression Challenge · · Score: 1

    The second I read the mail about multiple files I understood what Patrick was going to do. Putting information in filenames is a very old trick that was used to get around file system quotas for a pretty long time. But it is pretty stupid of Mike not to include a clause that filenames themselves are also data.

  12. Re:It's all about trust on Kurt Seifried On The Danger Of Binary RPMs · · Score: 2

    Kinda funny that you mention Wietse here, as his sources were once trojanned (by someone who hacked the main distribution ftp site). So besides trusting the author, trusting the system the file came from is a requirement as well.

  13. Re:Is nice but still on an exploitable computer on Disposable Credit Card Numbers · · Score: 1

    In my post I mention such an 'operating system': the calculator that's not part of your computer but a very simple piece of electronics made in Taiwan. And after they capture your keystrokes of the one-time number it generated it'll be useless anyway.

  14. Is nice but still on an exploitable computer on Disposable Credit Card Numbers · · Score: 2

    This technology is nice, but too bad it runs on your Windows computer; now it'll be even more interesting for people running things like sub7 and other trojans to 0wn your Windows box, so they can generate their own one-time credit card numbers from your program (they can find your password with the keylogger).

    A better solution would be a system similar to what my local bank gave me: a device that looks like a calculator, protected by a PIN code, that allows you to digitally sign things. A few modifications and a device like this could generate your one-time credit card numbers. Now that would be a secure solution!

    With some thought this device could do away with passwords etc. as well. Now we only have to hope they'll open source the technology...

  15. Owning is not a crime using it is on Descrambling CSS w/ 7 Lines Of Perl A DMCA Violation? · · Score: 2

    I mean, why should owning or publishing this source code be a crime? Owning a CD burner is legal and you can use that to break copyrights too. You can even use a pen to break copyrights. What should be illegal is using this program to decrypt DVDs and copy them. But then again I'm not a lawyer.

  16. Why not sex, drugs and Linux? on IBM's Upcoming Linux Ad Campaign · · Score: 3

    Or is that too commercial for an open source OS?