Wednesday, January 20, 2010

Apology virus writers

For someone who retired a year remembered for the financial crisis for someone - the epidemic of influenza. For me the year was unusually rich in various kinds malvar as a template completely, and really worthwhile that wrenched me out of the usual cycle of events. In any case, it's time to take stock of "work" virus in 2009 and make projections for the future.

To begin, as usual, with the unpleasant: the myth of the invincibility of computers from Apple, and, respectively, and their operating system (for individuals who spent the past ten years in a bomb shelter, do remark - an OS for Macintosh computers called MacOS) shattered. In 2009 was created the first "apple" botnet, discovered multiple vulnerabilities in the operating system itself, and in the third-party applications.

Sami attack, I'll say straight, does not represent anything interesting - Unix architecture is conservative, and, if desired, players can browse the Internet, you can easily rewrite the exploit of five years ago under the "modern" MacOS. If to look to the past, we must natknemsya the vulnerability in FreeBSD, discovered as much in 2005. And now, four years later, this error is found in MacOS 10.5.6. Multiple integer overflow allows an attacker with the help of special system calls, i386_set_ltd and i386_get_ltd, increase the privileges of a local user computer. Vulnerable to this scourge were only the owners of Macintosh processor companies Intel: in fact, as we know, the forerunner of Pentium chips in their virtual memory according to two descriptors table, or rather - LDT and GDT.

Generally in the world there are three types of tables of descriptors, namely: the interrupt descriptor table, the local descriptor table and global descriptor table. Local Table (LDT - Local Descriptor Table) is in itself a gateway problem, challenges and segment descriptor. Each segment is unavailable problem, if its description in no GDT, or in the LDT, since the local descriptor table is described in the global descriptor table (GDT - Global Descriptor Table). Accordingly, employing the above-described function i386_get_ltd and reporting in the description (see listing), the call option is the maximum possible size, we are able to copy the memory dump of the kernel to user environment.

#include
#include
int i386_get_ltd (int start_sel,
union descriptor *descs, int num_sels);

It's funny, because in the past year the company Intel failures toppled a clod: the scandal of unfair competition from AMD, a relatively weak start Core i7 (but it seems to me that peak sales of the new processor will occur in late spring of next year - Windows 7 at this time will have time to win significant part of the consumer market, and the requirements of the OS, though democratic, consistent with the relatively small number of personal computers). And all would be nothing, if in 2008, Russia's famous hacker Chris Kasperski has not provided the public vulnerability in absolutely all the processors the company. (And Chris, among other things, lad - in addition to the above-described opening, he found a really obscene number of errors down to a fundamental error in the DNS (!)) On its report on HITB not write except that lazy - really, how about if even processors contain errors? And, according to Chris, half of them are not going to fix the company.

Linux, surrounded by the aura of inaccessibility, as was the length and breadth investigated. Brad Spangler (Brad Spengler) found a vulnerability in the kernel module grsecurity, available in kernels 2.6.30 and below. I wonder these things event for two reasons: first and most obvious - is not often we are pleased with vulnerabilities in the most proletarian OS (this is due to the fact that Linux-based distributions are not as common as a family of operating systems Windows, and attention, of course, they paid much smaller, with only a narrow circle of specialists), and second - it is virtually unnoticeable mistake, because Brad, on his own admission, found it quite by accident, when studied the code, digging in a completely different direction.

Bug found in dereferencing pointer to function tun_chr_pool () file / drivers / net / tun.c, and is to initialize some variable sk (see listing), which can be set equal to zero. Then it is checked by the compiler so that if it really is zero, then the assembly error is returned to us. In the process of optimizing GCC calmly carve a block if (! Tun), considering that the value of this variable has long been given that would allow an attacker to read and write data at 0h000000000.

struc sock *sk = tun->sk;
...
if(!tun)
return POLLER //here the compiler displays an error message

But at the time, deviate from the correct operating systems and look sensational in the early years of the worm Conflicker (alias downadup, kido, etc), which for four days, according to statistics, has infected 10 million (!) Computers. In terms of virus writers, the code is, quite frankly, does not shine, but the creators of non-standard approach to the problem of propagation of the worm, his original method of protection and interaction with the "masters" certainly deserve respect.

Microsoft Corporation in October 2008 released a patch covering the buffer overflow MS08-067 in the service "Server". Naturally, people who regularly update the operating system became the first victims of the attack. Also, do not surprise me, and that pockets of the epidemic occurred in the post-Soviet countries - in fact, as you know, we absolutely can legally buy any version of Windows for ten thousand rubles, thereby depriving themselves of the opportunity to receive critical updates in a timely manner. The worm took advantage of this well - he sent to the computer user a specially crafted RPC-request, causing a buffer overflow in the function call wcspy_s library netapi32.dll. Next - matter of technology: the computer running the code-loader, successfully merging malvar. Next, the worm through the interception of API-calls, responsible for contacting DNS, blocking almost all known antiviral URL (containing the title of sophos, kaspersky, nod, avira, etc.) And spread itself to other computers connected private intranet (if the victim had a ) by brute force the password to the standard system ball $ ADMIN, then calmly sends itself on unsuspecting users.

Longtime reception viruses to external flash-drives has also changed - downadup obfusifitsiroval file autorun.inf, filling his "garbage" that allowed the successful pass defense most antiviruses. Excess "code" slightly increases file size, allowing the invisible stuff there a single line that launches the malicious code on the user's machine.

Most virus writers to admit a serious mistake, rigidly fixing the IP address of the domain, where the worm has to send all harvested information. Creator conflicker entered originally, namely - to teach a worm to use 250 different domain names, of course, not written in the body of the virus. Advance can not say exactly where the worm sends the information: a specific algorithm, depending on the current date, generates the name of the new management of domains, where and sent later. There he is, as follows: first, the worm goes straight to google.com (or any other search service), which receives the current day and month. At the same time generated a list of domains where the worm will download additional files required for him to continue "life". As seen, the worm uses a completely standard methods, and one can only wonder, how did not think about before.

Also year was successful and the beautiful break-ins. Known resources Runet vkontakte.ru been as much to two burglaries, which resulted in the loss of confidential information. The attacker took advantage of an error in the currently fashionable flash-applications, and then successfully "merged" the order of 150 thousand logins and passwords from users register an account. And earlier this year a resource to all who wish to quietly spread the Trojans again stealing e-mail-address of the victim. What to do with such a huge database of email addresses, to explain, I think not.

In my opinion, in the near future, the main target for hackers, "hatskerov" and other representatives of "progressive youth" (on how to write virus serious uncle, was written above) will be mobile phones. The development of wireless access systems (Well, tell me, who now surprise wi-fi or 3G? And in the near future we will be pleased with wimax and more ...), and weak protection of communicators carelessness of users who think that "mobile phone" can not hack, will be a good to rise. Moreover, about 46% of references to the notorious "VKontakte" is generated from mobile platforms. A recently established botnet of Apple iPhone proof of this. Time to buy Kaspersky Antivirus Mobile or other anti-virus solution for handheld devices, to redouble the vigilance (read: be paranoid), and carefully monitor their phone, checking it for suspicious content.

As an epilogue to tell you a most amusing story: Russia (the first time in the world!) Found a Trojan in the ATM (yes, you are not mistaken, it was at the ATM), which would collect sensitive information about users. How it all came to an attacker, and has remained a mystery, but, taking into account the fact that the ATM - is a kind of safe, that is accessible only by representatives of the bank employees and the manufacturer's tech support, it can be concluded that there was insider, intimately familiar with original architecture computer (the code was perfectly sharpened under the platform, suggesting the presence of certain specifications), and transmit all the collected information to the attacker. So be vigilant, paranoia in our time no one hurt.

"Get Money for Clicks" NameDrive.com - Fastest Growing Domain Parking Company in the World.

The fight against piracy - a utopia?

While the world celebrated Christmas and New Year, fighting against piracy are not sitting idly by. As, however, and the pirates, who continued to download and distribute copyrighted content, despite the holidays. Let the new year once again to look at which has already become a familiar standoff holders and thrifty consumers - in the light of recent news from the "front".

Which began the year was marked by news from France, just relevant to the fight against the illegal distribution of content protected by law. There, however, has not been anything out of the way - only a government of France had postponed putting into effect an anti-piracy law "three strikes", allowing the disconnection from the Internet those French citizens who were last seen in the downloading of content prohibited. Let me remind you, the law provides for the delivery persons noticed in violation of copyright warnings. If after two acts of illegal copying protected content the user will be decided at the third attempt, then it will disconnect from the Internet. The reason for cancellation, according to an authoritative edition of the Ars Techica, lies in the fact that the French National Commission for Informatics and Freedoms (CNIL) has concluded that the law might violate a number of inalienable rights of French citizens. And as long as there is no confidence in solving this problem, because the new law does not enter.

What exactly did not like the commission in the bill? The fact is that in its present form the law requires to obtain information about the actions of subscribers from providers that offer pirates to access the World Wide Web. CNIL therefore interested in technical details of getting information from service providers - namely, how to be chosen from all users of potential violators, what data are collected, they are archived and stored, etc. Depending on the information provided on these issues, the commission may either approve, or "wrap" a new anti-piracy laws. But in any case, a thorough study of all aspects of work with the user data from the commission will take at least several months.

In general, in civilized Europe, putting the question as the rights of the offender, no one is not surprising. It is sad to observe this, but we have a bill of this kind are unlikely to have caused any additional questions from anyone else. However, it is not about that. Protection of personal data of potential offenders - certainly not the only one of those problems to be faced by proponents of copyright in the early stage of implementation of such laws. It is obvious that the technical difficulties encountered in the way of the first versions of anti-piracy legislation will be overcome. What's next? Will the similar laws really stop piracy?

There is no definite answer. However, the fight - it is always a process, against the desire to download anything "on a freebie" to win the final victory, apparently, quite impossible. Therefore the laws - just one way to make the pirates even more inventive and resourceful. However, it is true not only about anti-piracy laws, but virtually everything the law.

"Get Money for Clicks" NameDrive.com - Fastest Growing Domain Parking Company in the World.

Intrigue Mail.Ru

Site Mail.ru is one of three largest portals Runet, so that attention is paid to him, entirely justified. At the end of last year around Mail.ru launched a massive plot. Its essence was as follows: Mail.ru search engine has long been one of the most popular in RuNet, but few people know that their own search engine at Mail.ru was not. Portal use search technology "Yandex", with the trademark "Yandex" it was not mentioned. Instead, the largest search engine Runet received only a few deductions from advertising.

By the end of 2009-the first such situation no longer organize ambitious Yandex, which demanded the "divorce" from Mail.ru. In response, the administration Mail.ru began negotiations with Google, which has long sought a foothold in Russia's market. It was assumed that the search service Mail.ru had to go to the engine Google, as well as displaying search results ads from contextual advertising system AdSense. Moreover, the draft contract with Google meant that Mail.ru able to use as search Google (without mentioning his brand), and its own technology. Perhaps it was their joint application.

I recall that at the time, Mail.ru has already had its own search engine development - GoGo (gogo.ru). GoGo as a standalone project company Mail.ru was launched in June 2007. Search engine proved to be quite successful. Sam domain gogo.ru Mail.ru was acquired in 2000. Development of the project was conducted in 2006 under the leadership of Mikhail Kostin, who is also known as the creator of the search engine "Sic!". Investment in the project amounted to approximately $700 thousand

December 31, 2009 the first "Yandex", as promised, took off their search from Mail.ru. However, the agreement with Google for various reasons does not work at full strength. As a result, today Mail.ru uses its own search for GoGo, however, contextual advertising for it gives Google. However, it is possible that the engine Google still be used soon. "Yandex" has completely withdrew from Mail.ru - no searching, no content.

This story has another background. In 2008, Google was trying to conclude a strategic cooperation agreement with the company Rambler. Google search was to be placed on the main page Rambler. This contract was part of a deal to sell the American Internet company of contextual advertising "Runner", owned by Rambler. However, summing up "turnkey" deal was blocked by Russia's Antimonopoly Service. Antimonopolschiki referred to the "opaque ownership structure of the buyer" (ie Google).

However Runet and Russia's media business immediately rumored that the real reason for the ban was the negative attitude of Prime Minister Vladimir Putin for Russia's deployment on the popular site of a foreign search. This is indirectly confirmed by the shareholders Rambler, but the officials, of course, denied.

Now officials Mail.ru vying claim that the decision to use the company's own search has no political background and is dictated solely by commercial considerations. A senior manager Mail.ru and previously denied the Russian authorities' desire to intervene in the negotiations Mail.ru and Google.

"Get Money for Clicks" NameDrive.com - Fastest Growing Domain Parking Company in the World.