About

This is the archive page for Antarctica Starts Here.

Powered by Pivot - 1.40.6: 'Dreadwind'

So, you're probably wondering where I've been this week...

Sunday 30 March 2008 at 11:39 pm ...work, work, and more work have been taking up most of my time. By that, I mean that I'm logging anywhere from ten to sixteen hours every day, six days a week on this project. I haven't forgotten about anyone, and I haven't given up, I've just been running myself ragged.

To those of you waiting on the Steampunk Traveler's Journal over at Brass Goggles, it hit the post yesterday, so keep an eye open.

Many of you are probably asking "What's been happening lately that isn't related to work?"... the answer to that question is "Not a great deal," I'm afraid.

Lyssa and I locked down a wedding date: 25 October 2008. We'll be getting married in Pennsylvania, but that's all the information that we can release right now because it's all in the planning stages.

Yesterday morning I called up Speakeasy to crank up my bandwidth to the next level (3.0 Mbps down, 768 kbps up) but unfortunately there is 14,200 feet of cable between the Verizon central office and my apartment (I can see the former from my balcony, incidentally). This means that the signal attenuation is such that I can't get such bandwidth without dropping completely off the Net a couple of times every day, which is pretty much a show stopper. I could possibly run a cable modem link through my firewall and route connections down the appropriate links but I'll have to investigate the costs of doing so more thoroughly first.

What I have had time to do lately was go out with Lowmagnet, who happens to be in town this weekend to visit everyone. We met up at Teaism in Dupont Circle for dinner and tea last night, and spent the evening eating surprisingly tasty food for a DC teahouse (call it one and one-half flareguns, I'll write a real review later). We hung out until Silicon Dragon and Loan arrived, spent more time hanging out and talking, and then parted ways to hit up Spellbound. I have to admit, I wasn't terribly crazy about the guest DJ - none of us were, in fact. It seems that the first thing he did after taking position behind the sound system was turn the volume all the way up and keep it there for most of the night, in direct contravention of one of the reasons I actually go to Spellbound (namely, the fact that one can still hold a conversation over the music). We wound up leaving around 0100 this morning to head for home and get some sleep, as a result. A number of photographs were taken last night, which I'll probably link to as soon as Lowmagnet puts them up.

Okay, I'm now incoherent and need to get to bed. More when my brain comes back online.

Their reaction time's pretty good, I have to admit.

Monday 24 March 2008 at 11:36 pm The borders of the United States are monitored carefully by US ICE, Immigration and Customs Enforcement. Their stated primary task is to protect the country from crime and terrorism (in no particular order) by policing the borders, preventing anything shady from getting in, and generally trying to make everyone feel safe that they keep Them safely away from US citizens. Last week deputy chief of the local border patrol Joe Giuliano spoke to a group of 200 or so residents of San Juan Island, which is technically part of the state of Washington. It turns out that periodic citizenship checks are performed on passengers riding the ferryboats to and from the island, just in case anyone is trying to sneak into the country that way, and it has the locals a little concerned. Giuliano also told a story about ongoing realtime monitoring of radiation sources happening on US highways, in particular along Interstate-5. The story he told had to do with a car tripping a radiation detector positioned near the Bow-Edison exit of I-5; the agent watching the radiation detector gave chase, pulled the car over inside of a minute, and searched the vehicle.

What the agent discovered was not a dirty bomb or a nuclear device headed for the off-ramp but a housecat undergoing radiation treatment for cancer; the residual radiation tripped the detector. This isn't as out there as it sounds - it's happened rarely to human patients as well, but think about this: They were traveling at 70 miles per hour on a busy highway. That's one sensitive detector.

Then again, this might not surprise some of you. This is the same country that recently turned a British author away on grounds of 'moral turpitude'. Sebastian Horsley was flying into the United States to attend the release party of his book Dandy In the Underworld on this side of the pond. Horsley is notorious in England for living the life of a modern-day dandy - in particular, sex, drugs, and tailored clothing are his thing (in comparison to life in the US, one might suppose that it was the tailored clothing that was offensive). It is known that having any drug offenses on your record is grounds for denial of entry to this country; Horsley has a quarter-century-old arrest for possession of amphetamine sulfate in England (for which he was given a conditional release) and has been clean for three years.

I find it ironic that one can learn how to chop cocaine, cook a hit of smack, watch someone shot execution-style, and see a man's bare ass on prime time television in this country, but living it up (not necessarily in a healthy manner, let me add - while the possible consequences of Horsley's lifestyle are on his head and his alone I cannot in good conscience condone many of his actions) can get one turned away from a business trip. So far as I know, even Hunter S. Thompson didn't run into anything like this, and the excesses of his lifestyle are legendary. I guess it's because Thompson was into guns as well as drugs and raising hell - that's more socially acceptable, one supposes.

Of time travelers, web forums, and n00bs.

Wednesday 19 March 2008 at 10:05 am Presenting the short story Wikihistory, by Desmond Warzel.

Is a cold net.war going on between the US and China?

Wednesday 19 March 2008 at 09:21 am Every once in a while a news article about attempts to crack US military and government systems coming out of China or the Middle East hits the 'wires; rumors of groups of systems crackers belonging to the Air Force/United Nations/Department of Homeland Security/Microsoft/the Illuminati regularly make their rounds at hacker conventions. Military data nets are increasingly becoming targets of crackers from abroad, safe from prosecution and extradition because it's so difficult to start legal proceedings against someone you don't even know, let alone grab by the scruff of the neck (police dramas and MLATs to the contrary). It's not just the military that's coming under packet fire either; government think tanks and defense contractors are also feeling the burn of intruders clawing at their firewalls and sticking their fingers into their e-mail servers. There's just one thing: This has been going on for the better part of twenty or more years. I don't think that it's slowed down any, and it's not about to stop.

Cracking machines that belong to high profile organizations like NASA has been a rite of passage for crackers since the early 1990s, if not earlier. The data nets of the Federal Bureau of Investigation have been cracked from time to time, verifiably dating as far back as the mid 1980s. Hell, Gary McKinnon proved what the government's known since Cliff Stoll bopped them over the head with it - their security sucks.

As if this wasn't enough, there's a non-zero probability that, even though the attacks are coming from Chinese nets, it might not be China that's behind them. A major component of warfare in the modern day is posturing and propaganda - power believed is power claimed. Just because a group of crackers posted to a website someplace that the Chinese government funded their infiltration of someone's data network does not mean that they were telling the truth. Just because the Chinese government has declared that they're training and deploying cadres of net.warriors does not mean that a) they are actually ready to do so, and b) that they were telling the truth, either. Just because a network was taken down by a flood of network traffic does not necessarily mean that a DDoS attack was behind it, it could just as well have been a cracked file server loaded up with movies and warez and posted to a busy IRC channel.

Moreover, an infiltration attempt coming from behind the Great Firewall of China doesn't mean that China was to blame - bouncing through someone else's machine to cover your tracks is a tactic so old that it's had children, grandchildren, and an affair with Captain Jack Harkness.

My point is this: By crying that the sky is falling, useful OSINT gets buried under an avalanche of press releases and rehashes of the same news article. Yes, bad stuff is going on that involves government and military networks. Yes, there are cadres of systems crackers out there - this is nothing new. Yes, there are real attacks going on - what happened in Estonia is proof of that (as well as verified reports of SCADA exploits in the wild). However, throwing blame around is not necessarily the best thing to do - it can create false leads and waste the time of the people trying to stop attacks and figure out what's really going on. It also makes buying snake oil products to cover one's ass an attractive option, which not only does the buyer a great disservice but makes the infosec community as a whole look bad. Arguably, the one thing worse than having no security at all is thinking that you're secure when in fact your threat model is completely wrong and your countermeasures do nothing against attacks currently extant on the Net.

Also, remember this: Never underestimate the power of one person with too much free time on their hands.

In the future, someone else might own your prosthetics.

Wednesday 19 March 2008 at 08:31 am ...and I don't mean the finance company.

I know this is late in coming, but real life has a better framerate sometimes. Anyway, a security research outfit called Secure Medicine, following in the footsteps of security researcher Gadi Evron, raised some interesting questions about the current generation of biomedical cardiac implants, such as pacemakers and LVADs (left ventricular assist devices). Due to the fact that these devices are remotely controllable to a certain extent via wireless data link they are vulnerable to compromise by attackers and may be manipulated. This sounds asinine, but LVADs are implanted deep within the thorax and as such require major surgery to make even minor adjustments to. The main modules of pacemakers are closer to the surface of the body but still require minor surgery if they're going to be worked on. Wireless control methods make it possible to tweak the functional parameters of these devices without having to open the skin and reach inside, which I think we can all agree is a good thing. However, as with many products, security was the last thing the engineers had in mind when the designs hit the manufacturing plants. Under laboratory conditions, the security researchers were able to reprogram an implantable defibrillator to deliver what would be a lethal jolt to an adult human.

Not good.

Of course, they're quick to point out that this required $30kus worth of equipment in a fully equipped laboratory, but if you've spent any time in the infosec community at all, how much money you can throw at a project doesn't necessarily define what can happen, but sheer brainpower does. Case in point: Hacking RFID chips, which you don't need a lot of equipment for, only basic tools and some freely available software like RFIDiot. It's not too difficult to find RFID developer's kits on the open market for pennies on the dollar, and it's only a matter of time before develkits for medical implants start showing up.

Two manufacturers of cardiac implants, St. Jude Medical and Boston Scientific, went on the record stating that their products incorporate certain security technologies that would preclude anyone from compromising a device, but declined to state what they were. Of course, not knowing what kind of security is in place means that the countermeasures are immediately suspect - if no one's examined them, how can you trust them? It seems reasonable to hypothesize that the infosec community will probably start performing security audits on medical devices within the next couple of years as a result, especially given the fact that some are designed with long range communications capability so that they can be remotely monitored.

Arthur C. Clarke, requiescat in pace.

Tuesday 18 March 2008 at 8:43 pm Sir Arthur C. Clarke, famous for writing novels such as 2001: A Space Odyssey and Rendezvous With Rama, died today at his home in Sri Lanka. Clarke was 90. A prolific author during his lifetime, he penned over one hundred texts, science fiction and otherwise. Clarke had been confined to a wheelchair since the year 1995 due to the onset of post-polio syndrome, an affliction that plagued another famous author some time ago, one Robert Anton Wilson. Clarke is also widely credited for the invention of something we take for granted today, telecommunication satellites in geostationary orbit around the planet, in an essay published in the magazine Wireless World in the year 1945 - so detailed an essay, in fact, that it was accepted as prior art when Bell Labs attempted to patent their designs years later.

Others will remember Clarke for what are now referred to as his three laws, quoted here:

  1. When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.

  2. The only way of discovering the limits of the possible is to venture a little way past them into the impossible.

  3. Any sufficiently advanced technology is indistinguishable from magic.


We'll miss you, Arthur. See you beyond the edge of Time. If you run into Robert and Isaac, give them our best. And beep L. Ron's nose for Anonymous, Anonymous'll get a kick out of it.

Biological mechanism that controls regeneration in zebrafish isolated.

Monday 17 March 2008 at 12:15 pm At the Duke University Medical Center, biologists have been working with zebrafish, a common aquarium fish with unusual properties, namely, they can regenerate damaged limbs and organs, including fully functional eyes and hearts. They can re-grow an entire fin in approximately two weeks' time assuming that the fish is otherwise healthy. As it turns out, very small pieces of RNA (ribonucleic acid, which is involved in the synthesis of proteins, as well as controlling the state of certain genes) control whether or not the regeneration mechanism is active. If a particular micro-RNA strand, designated miR-133, has a low concentration in a particular zebrafish, the fish's metabolism fires up and cells begin to replicate to re-form the injured organ or limb (if a fish's fins can properly be called limbs).

This is important because it is believed by many in the fields of cellular biology and medicine that human bodies have the same innate capacity for regeneration that less advanced forms of life have. The problem is that, if such a capacity exists, it is deactivated in the human genome. If it doesn't exist, then the technical challenge of implementing it is on the table. Due to the fact that micro-RNA is found in a great many forms of life (I'm not conversant enough in the topic to state definitively if it's in all forms of life on this planet, so I'll not paint too wide a swath with this particular brush) and cellular replication is pretty much the same across all species, the same (or a similar) mechanism to that in zebrafish may be at work in humans, meaning that there very well could be a way to enable the ability to re-grow or regenerate badly damaged organs or limbs. Only time will tell.

Can you guess what this is?

Friday 14 March 2008 at 1:28 pm

Howard Gobioff - 1971-2008 c.e. - Requiescat in pace.

Wednesday 12 March 2008 at 8:51 pm I just found out that an old buddy of mine from the Pittsburgh goth scene, Howard Gobioff, died of lymphoma today after a protracted battle.

I lost track of Howard after he graduated from CMU in 1999 and moved away from Pittsburgh not long before I left IUP. Hell, I was at his going-away party that night. It seems that he made good, and I'm really proud of him: Employee #40 at Google, a key engineer on the Google File System project, and generally all over the place.

They're having a memorial for him at Ceremony.

I hope that you accomplished everything you were here to do - you were still young, which is why I kind of think that you did. Now you're older than all of us. I'll light a candle for you.

See you beyond the edge of Time.

The Dresden curse seems to be making its rounds this week.

Wednesday 12 March 2008 at 09:17 am I had a really interesting post about last weekend about halfway done and ready to post when the worst of all possible things happened: My workstation at work flamed out in a serious way. It's still in pieces all over the office and not operating because the RAID array - the disk mirror set up to prevent data loss in the event of a failure - blew up along with everything else. Systemware all over the place is corrupt, and I can't do much else other than log in as the root user and try to track down everything that's been damaged and replace it. I'll get to that in a minute, though. First things first, and this time in that order.

Alphonse (Lyssa's workstation at home) blew up this weekend, also. Lyssa had been complaining that the mouse and USB storage devices (including the USB drive I bought for her to back stuff up) would work only sporadically, which were symptoms that Windbringer's old shell had been having late last year after a number of crashes due to overheating while in the field.

I kept telling myself that Alphonse hadn't been rebuilt in several years, running Windows XP and all that, and suggested that a reinstallation might fix the problem because a driver might have gone bad.

Off to Microcenter to pick up some RAM and a new hard drive. Later on, back to Microcenter to pick up a new motherboard because the brand-new install of XP kept having the same problems. The rebuild didn't work, and when a computer's USB ports start acting up, it can mean only one thing: The motherboard's going, and can only be replaced. Even later on, back to Microcenter to pick up a network card because the drivers Asus included for the on-board ethernet interface on the P5K don't work. Neither do the ones from their website. Windows XP SP2 doesn't have them on the install disk, either. At some point in the past year someone bought out the company that manufactured the ethernet chipset for that particular model, switched the guts of the chips themselves, and didn't bother telling anyone. Thus, Asus' drivers didn't work, they didn't bother releasing drivers that did work, and judging from what people are saying about this particular mainboard on Asus' forums and elsewhere, there are a lot of angry people calling for the LARTing of executives. Disabling the on-board ethernet interface from the BIOS and throwing in a Linksys 10/100baseT NIC did the trick last night - Alphonse is back online and Lyssa's transferring her data over to the new drive with the help of a (now operational) ATA-to-USB interface. The hell of it is, once we got Al on the lab network and ran Windows Update, the first hardware fix that came down was drivers for the on-board NIC. Surprise surprise.

Then, my box at work blew up yesterday when I was right in the middle of working on something reasonably important. I could boot it back up and get the drives to mount, but waiting for the drive mirror itself to finish synching takes hours, something that I didn't have many of. Also, and this is very important, if a mirror is resynching and the box crashes in the middle of the process (which happened twice yesterday), you can pretty much take it to the bank that the file system inside of the mirror will be corrupted.

I've spent most of this morning trying to repair my workstation, and the best I can manage is logging into the console. So much of the systemware's corrupted that I'm probably going to have to rebuild everything. As if that weren't enough, it's a fight to get anything accomplished because systemware randomly crashes, and the entire machine won't power down unless I pull the power cable (it's ignoring the power switch, too, did I mention that?) I've thrown in the towel. Time to put in a purchase request for a new box at work and hope that I can salvage something of the data on the drives.

Post-reboot memory dumping software released.

Friday 07 March 2008 at 09:52 am Last week, a group of information security researchers released a whitepaper detailing a practical data extraction attack on DRAM after the power's been cut. Unfortunately, Appelbaum et al didn't release the source code for the utilities they used in the lab. One Wesley McGrew read the paper and decided to apply the scientific method by reproducing their experiments. This required developing utilities to extract data from powered-down DRAM from scratch, which he's done and released the source code for. The source is mostly in C with some in-line assembly. It's dense and you really have to understand what's going on when a machine boots up - I don't understand all of it myself right now.

McGrew used a bootable USB key for his experiments and a copy of the open source bootloader syslinux to implement his attack. It requires zeroing out the entire USB key to ensure that data dumped is easily distinguishable from the deleted data that piles up on storage devices over time and partitioning it in a particular manner so that his RAM dumper can walk through the memory field and know where to put what it finds. Oddly, he used two different partition types (type 40, which was used for Venix 80286, and type 41, which is used in PPC PreP Boot disks; both are fairly unusual, but I guess they saw use at some point in the past) to denote partitions that had not been used and had been used to store data, respectively. Obviously, you need a USB key larger than the amount of RAM in the machine being attacked (but you can buy a 4GB USB key for as little as $15us these days, so this isn't really a hurdle). Going through the results can be as simple as running a copy of strings over the data, or as complex as breaking out a hex editor and walking through the memory field images page by page.

Even more interesting, he was able to do this using VMware OS images, so if you want to try this at home it should be pretty easy. I might play around with this tonight to see what happens.

If nothing else, his research explains the basics of using syslinux nicely, a package which is notoriously confusing.

Just in case, I've uploaded a mirror of msramdmp: Download?

XKCD wins again.

Friday 07 March 2008 at 08:22 am I hate posting one-liners but this is too funny to pass by.

The mysterious author of XKCD weighs in on the death of Gary Gygax.

This is why people quake in fear when I scribble on a notepad.

Thursday 06 March 2008 at 09:39 am Updated the .plan file from hell. As always, there are parts that are probably not safe for work.

Improvised explosive device goes off in Times Square. NYC residents nonplussed.

Thursday 06 March 2008 at 09:08 am Early today someone threw an improvised bomb at a US military recruiting station, whereupon it went off some time later and caused minimal damage to the structure. Witnesses watched an unknown man on a bicycle ride by and throw the device, housed in a green ammunition box probably purchased on the surplus market, at the building. The New York City bomb squad reports that the device was technically classed as a low explosive, which means that technically it didn't burn fast enough to really be considered an explosion. The device was made using black or blasting powder, they say, which strongly supports this assertion. New York City, to its credit, had everything under control before morning rush hour. Interestingly, and I haven't seen much word about this in the news, this isn't the first time that it's happened; this is the third time in as many years that someone's set off a small explosive device in the heart of New York City. Specifically, two such devices were thrown at the Mexican consulate, and two were thrown at the British consulate during those incidents.

Thankfully, no one was hurt and property damage was minimal.

Where are all the heroes going?

Wednesday 05 March 2008 at 09:55 am It seems as if we're losing heroes (or at least, people perceived as heroic) left, right, and center these days. People that are put up on pedestals by people (or more often by marketing execs and television networks) are slowly and steadily being knocked from their lofty perches in the public eye and cratering when they hit, sometimes never to dig themselves out. About six years ago (probably a bit more, because I remember reading his book when I was still at IUP) a guy named Mike Warnke published what was ostensibly his autobiography, in which he described being the leader of a satanic cult 1,500 strong, living his life drinking, using heroin, and generally daring death to claim him before turning his life around after what was described as an abusive stint in the US Army. The Christian and Catholic communities praised it to the skies and beyond. There's just one thing: His book was entirely fabricated, something that most of those communities will probably never forgive him for, not only because it impacted their credibility but because everyone that once admired him felt as if they'd been betrayed. A few years later, ex-football player Michael Vick was tried and convicted on charges of organizing and profiting from dogfighting contests and cruelty to animals. Yet another author, Margaret B. Jones, held up by Oprah Winfrey (who seems to be the authority on books that people need to read these days) as another sterling case of someone turning their life around, was outed as a fraud when the sister of the author (whose true name is Margaret Seltzer) rang up the publisher and said that Jones/Seltzer wasn't an ex-gang banger but really a fairly well to do soccer mom from the San Fernando Valley. Hell, even the Food Network isn't immune - they just fired Robert Irvine for falsifying most if not all of his professional history.

The reasons for fabricating one's history as a step toward becoming a name that everyone (well, at least a certain set of someones out of everyone, which seems to be enough for some people) recognizes are obvious: Fame, recognition, marketing deals, money, and a little face time on national television. If you're slick and nobody looks at your CV too closely it's possible to get away with it for years on end (Irvine did) but the key is to drop out of sight and run with what you've got before the hammer falls. In short, the profit from such a scam makes the risk worth it.

Some people, though, are just screw-ups, like Vick. Don't tell me that he didn't know that dogfighting was illegal. You don't need to be Perry Mason to see the complete lack of professional bouts of pit bull terriers tearing each other apart on national television, put two and two together, and realize that this is a) cruel, and b) very illegal.

However, I can't help but think about this more carefully. First of all, what, exactly, is a hero? Someone you'd look up to, right? Someone who has qualities or abilities that you admire, or that you see to some extent in yourself. Someone that can do things you can't, sometimes - ask Superman all about that. I have to wonder how much of the time "someone that can do things you can't" really means "someone that's gained a measure of public notoriety for what they've done" - in other words, someone that's in the news media often enough that people recognize them on sight for what they've done. Someone that's been seen by thousands to millions doing what it is that they do. The key to this seems to be that they've been seen by many, and as such will be remembered by about as many. Who would recognize the name of a bad Shakespearian actor in the 21st century if he hadn't gotten his break wearing a corny yellow shirt and black trousers and spoke with what is now a trademark stop-and-go intonation?

My point is this: People hold other people in high esteem because they do something public and noteworthy. They play football. They have a television show. They have a blog that gets thousands of hits every day. They've spoken at conferences and conventions and are known in their fields. This has the unfortunate side effect of coloring how people see them: Because they're in the public eye they can do no wrong because they're never out of the public eye, which is not true. Just because you see someone on TV for two hours a week does not mean that it is the limit of their existence; they go home, have a beer, read the paper, swear a blue streak if they cut themselves opening a can of catfood, and probably flag off the idiot that cuts them off on the highway (as Spider Robinson put it, idiots are in front of you on the road; maniacs are behind you). They're also not perfect - celebrities are human beings, with their own foibles, follies, and yes, let's call them what they are, flaws.

If we're going to have any heroes in this world, looking to the television isn't the right place. Heroes in the dictionary definition of the word are people who are distinguished by dint of their ability and are known for bravery or particularly noble deeds. These aren't really things that we're going to find on television these days because television makes most everything shown bigger, brighter, and more of what it is, kind of like cocaine. When your medium lends itself to developing fictions that are all of these things, the real heroes are overwritten or drowned out by the technicolor images.

Heroes are local. Sometimes they're ordinary people thrown into extraordinary situations who come out on top. Sometimes they're the people who do the right thing because it's the right thing, and not because they're likely to get anything out of it. People who, for lack of a better term, care 'just because'.

You don't have to be a star to touch people's lives. You just have to be there and interact with people (which is a twitchy thing these days when text and instant messages, e-mail, and websites are the most commonly used modes of communication). If someone needs help, offer to help. If someone's crying, offer them a shoulder. If someone's off by themselves, walk over and say "Hi." If something's broken, try to fix it. The people who do these things embody the ripple effect, the phenomenon in which affecting one thing also affects to some extent everything connected to the first. Connections are strange: You never know how far they're going to go or what's on the other end. A wise man once wrote, "but maybe you touch one life and the world becomes a better place to be", and he's absolutely correct. You don't need fame or fortune, you just need to act. Change, real change, doesn't come from CNN, it comes from four feet in front of your nose every time you get out of bed and go outside.

Fridge contents at work.

Wednesday 05 March 2008 at 07:46 am You know you work for a tech company when there are more bags of coffee beans in the freezer than there are forms of real food.

May you always roll crits and never step on your four-siders, Gary.

Tuesday 04 March 2008 at 1:12 pm Word is slowly seeping into the gaming community that Gary Gygax, the inventor of Dungeons and Dragons, went beyond the veil early today. Reports are sketchy - the usual newswires don't have anything yet, but it's been said that he died quietly and was surrounded by family.

EDIT: Official news release here.

Mr. Gygax, thank you for everything. You've given thousands, if not millions of people over the years hours without number of fun and taught many how to imagine. My heartfelt condolences go out to his family and friends.

See you beyond the edge of Time, perhaps.

MBR infecting rootkits: All the old things are new again.

Tuesday 04 March 2008 at 11:31 am It seems as if malware evolves just as fast as biological diseases anymore. Earlier this year, it was made public that batches of flu vaccine were probably ineffective against this year's upper respiratory plague that I've complained about more than enough lately (my apologies to house Laurelinde, though - Lyssa and I will bring over something tasty soon for you). Around the same time, a new strain of rootkit called Mebroot hit the Net that infects the Master Boot Record of boxen it's installed into. It compromises the machine below the level of the operating system because executable code referenced by the MBR is executed before the OS has a chance to spin up. The interesting thing about this new rootkit is that it's using a very old technique - it replaces the Master Boot Record of the system drive. MBR-infecting viruses have been around for better than fifteen years. It doesn't even have to edit the registry, any systemware, or the boot.ini file, so software that checks the integrity of the file system will in all probability miss these alterations. The ntoskrnl.exe hook that loads the kernel-mode portion of the rootkit exists for only a short period of time and is wiped out when the Windows kernel finishes loading itself into memory, so you can't look for changes to the nt!Phase1Initialization call. It doesn't store any files in the filesystem, either; instead it references absolute sectors of the disk to store other parts of itself, completely avoiding the NTFS drivers and consequently avoiding detection by scanning the system drives. In fact, it touches so little of the contents of kernel memory space that it's damnably difficult to suss out. The only thing that Mebroot has to hide is the altered Master Boot Record, and it does so by overriding only two routines of the Windows disk.sys driver.

As if that weren't enough, this little beastie goes well out of its way to avoid being noticed by host-based firewalls and IDSes - it implements its own network stack at layer 3 and above of the OSI model. By operating just below the level of the stack that personal firewalling software operates with an entirely different network subsystem, it can sneak past packet monitoring and filtering software running on the host (but not elsewhere on the local network, I hasten to add).

I have to admit, I admire the design of this badboy. Whoever designed it seems to know exactly what they're doing and has an unhealthy amount of knowledge about the architecture of Microsoft Windows.

Now, what does it mean to Joe and Jane User on the Net? The Mebroot rootkit isn't being used by professional crackers to compromise corporate hosts, it's being used by professional scammers with a dedicated web server loaded with remote exploits for various and sundry applications. Their MO seems to be: trick someone into visiting that server, pop them, install the rootkit, and then do whatever they want with those machines. Mebroot has its own networking functionality, so it can hypothetically go out and download whatever other nasties the designers feel like, such as botnet agents, spambots, or anything else. Current strains of Mebroot are detected by a number of AV packages, thankfully, so all hope isn't lost if you do get hit.

As always, be careful what links you click on from your e-mail, and run an up-to-date antivirus package all the time.
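Since the post says the altered MBR is the one thing Mebroot has to hide, and that the rootkit hides it by hooking disk.sys on the live system, the practical check is to read the disk from clean boot media and compare the first sector against a known-good baseline. The script below is an added example, not code from the post or from any Mebroot analysis: it parses a 512-byte MBR (bootstrap code, four partition entries, 0x55AA signature), hashes the bootstrap code against a baseline, and reports any non-zero sectors in the unpartitioned gap before the first partition, since the post notes the rootkit stashes parts of itself in raw sectors the NTFS driver never sees. The disk images, the bootstrap stubs and the baseline hash are all constructed inline for the example.

```python
"""Offline MBR integrity check (added example, not from the original post).

Assumes a raw disk image captured from clean boot media; reading the live
disk through a hooked disk.sys would return whatever the rootkit wants seen.
"""
import hashlib
import struct

SECTOR = 512
MBR_BOOT_CODE_LEN = 446
# status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Return the SHA-256 of the bootstrap code plus the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = MBR_BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(mbr[:MBR_BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def nonzero_gap_sectors(image: bytes, first_partition_lba: int) -> list:
    """LBAs between the MBR and the first partition that hold any non-zero data.

    On a classic MBR disk nothing legitimate lives in that gap, so data there
    deserves a look even if the filesystem itself scans clean.
    """
    hits = []
    for lba in range(1, first_partition_lba):
        chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(chunk):
            hits.append(lba)
    return hits


def check_disk(image: bytes, baseline_bootstrap_sha256: str) -> list:
    """Compare the image's MBR to a known-good baseline and inspect the gap sectors."""
    info = parse_mbr(image[:SECTOR])
    findings = []
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("MBR bootstrap code differs from baseline")
    if info["partitions"]:
        gap = nonzero_gap_sectors(image, info["partitions"][0]["lba_start"])
        if gap:
            findings.append(f"unexpected data in unpartitioned sectors: {gap}")
    return findings


# --- constructed sample data (not real disk contents) --------------------
def make_image(bootstrap: bytes, hidden_payload_lba=None) -> bytes:
    """Build a 64-sector image: an MBR with one NTFS partition starting at LBA 63."""
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 100_000)
    mbr = bootstrap.ljust(MBR_BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE
    sectors = [mbr] + [b"\x00" * SECTOR] * 63
    if hidden_payload_lba is not None:
        sectors[hidden_payload_lba] = b"\x90" * SECTOR  # stand-in for stashed code
    return b"".join(sectors)


CLEAN_BOOTSTRAP = b"CLEAN-BOOTSTRAP-STUB"  # constructed, not real boot code
BASELINE = hashlib.sha256(CLEAN_BOOTSTRAP.ljust(MBR_BOOT_CODE_LEN, b"\x00")).hexdigest()
CLEAN_IMAGE = make_image(CLEAN_BOOTSTRAP)
INFECTED_IMAGE = make_image(b"REPLACED-BOOTSTRAP", hidden_payload_lba=10)

if __name__ == "__main__":
    print("clean image:", check_disk(CLEAN_IMAGE, BASELINE))
    print("tampered image:", check_disk(INFECTED_IMAGE, BASELINE))
```

The baseline hash has to come from a trusted source (the same machine imaged before deployment, or the boot code your imaging tool writes), and the image must be taken without the suspect OS running; on a real disk, replace the constructed images with the first few thousand sectors read from the block device.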

Not quite a weekend, but not quite a vacation, either.

Monday 03 March 2008 at 2:13 pm After a long and unfortunately tiring week, I limped my way home after work to be greeted by Lyssa and Laurelinde, who had been kind enough to put dinner together. Lyssa's been on a jerk chicken kick lately, not that I'm complaining, it's one of her best dishes, and often just what I need after dealing with.. well.. work. Afterward we packed up the leftovers and set about gathering clothing and laundry, for we'd be vacationing (sort of) at Laurelinde's place for the weekend.

You see, there's something that you need to know about the apartment complex that Lyssa and I live in: They gouge you on laundry. $1.75 US for a single load of laundry in either the washer or dryer adds up when one's amount of laundry is frequently in excess of twelve loads.

I'm a clothes horse, in case you haven't figured that out. I donated a lawn trash bag full of stuff to Goodwill back in December and I still have enough clothing that I can go a month between washes without re-wearing anything.

At any rate, when Lyssa and I really do have to do laundry, it is inordinately expensive, doubly so when one of the washers decides to cut out about halfway through the wash cycle and not inform anyone, which means re-washing the clothes to get the soap out of them. Laurelinde was kind enough to offer us her basement and washer/dryer combo, so the three of us shoveled most of our wardrobes into the TARDIS after dinner, and we set out for Maryland.

One of the things that Lyssa and I have been trying to accomplish for a while was to walk out of our lives for a weekend, go off someplace, and do... stuff. Nothing in particular, no plans, no agendas. The three of us wanted to take a weekend to do artistic-type stuff, what with Lyssa painting, Laurelinde drawing, and my doing a lot of writing lately for a project or two on the side, in addition to studying for class, a not insignificant task because the weekly readings are often in the neighborhood of 200 pages, plus homework and practice sets. So this gave us a chance to hole up and do our respective things undisturbed for hours on end. It's a little like a vacation because no one can find you easily.

Unusual Gmail spam.

Saturday 01 March 2008 at 8:58 pm Has anyone received spam in their Google Mail accounts from 'William Griffin' that comes in the form of an invitation to an event (in the Google Calendar sense)? If so, have you found that it's inserted itself into your Google Calendar (if you have one) even though you haven't accepted or declined it, but deleted it instead?

I received such spam earlier today, read through it, and rather than click "yes/no/maybe" deleted the invitation. Just a few minutes ago, I discovered that it had inserted itself into my public Google Calendar because it sent a text message to my cellphone.

Most unusual.

I'm half-afraid that this is part of a Firefox exploitation attempt, or an attempt at manipulating Google's AJAX implementation. This is probably because I've been reading a lot of whitepapers lately about Gmail account hijacking; I have no evidence at all, so this is all purely speculation. Still, I'm curious about how widespread this is.

Anyone?