Archive for December, 2007

Apple’s Next Device

Sunday, December 30th, 2007

Apple Portable

While I’m not an Apple fanboy, I have recently started to like the company. Their latest release of Mac OS X, Leopard, is based off of the BSD kernel, which I am a fan of (see FreeBSD). Although I don’t own an iPhone (I’m a BlackBerry fan right now), I probably will own the next generation iPhone when 3G, GPS and improved battery life are implemented. I recently heard rumors of a new Apple device that is supposed to be very cool and will blow all other products out of the water. Of course, this interested me, so I had to find out more.

Not much is known about this new device, but it looks like it’s going to be an Ultra-Mobile PC (UMPC) with the Apple touch screen keyboard. This new Apple device has not been sighted out and about the Apple campus or even in the area normally designated for testing new Apple products, suggesting that it’s still in the software and hardware design period. Once it’s physically spotted outside Apple’s secretive labs, we may see an actual product release within 6-8 months, closely following other new Apple product introductions.

A Perfect Storm

Friday, December 28th, 2007

Storm Worm

Since I’m stranded in Aspen, Colorado due to heavy snow, I thought I’d take a first-hand look at the underpinnings of the Storm worm. Since I’m not on my home Internet connection, I’m not worried about any possible repercussions that may occur. I’m quite pissed off that my once (and possibly former) beloved Kaspersky failed to detect the latest packing of this virus, even with heuristics enabled. I went ahead and submitted the virus directly to Kaspersky so they can update their signatures (which they have).

I’ll go off on a separate tangent for a moment, but a big and reasonably well known antivirus firm shouldn’t have to rely on someone like me to find and submit new viruses. That’s just sad, really. Hell, it’s a widely distributed and known URL from which I obtained the file; can’t you whip up some code to auto-download those new files and add signatures? Do I have to do that for you also? Come on now.

Anyways, back to the issue at hand, Storm. I first want to make sure that everything on this laptop is backed up somewhere else and that there is no personal information saved, such as passwords, because this laptop will soon become my sandbox. After I’m done reverse engineering Storm, I’ll have to format this laptop and do a fresh OS install. (And I’m installing XP on this machine, not that dreaded Vista). Doing this on a virtual OS or in a full sandbox would be best, but I don’t have that kind of software available on hand.

First off, I’ll need something to inspect all the Internet traffic packets which are entering and leaving my system. Back in the day the tool we used was eEye’s Iris, but the free software Wireshark, which grew out of Ethereal, will work, since my Iris license has long expired.

Update: Now that I’m back home, I’m going to actually create a full sandbox via a virtual OS in VMWare. Also, Kaspersky’s web filter now blocks the compromised Storm pages, along with detecting the virus. You’re welcome.

*An interesting note is that the image above is actually used on compromised Storm machines.

To Our Soldiers: Thank You

Tuesday, December 25th, 2007

As I’ve been fortunate enough to be able to celebrate the holidays and Christmas with my family, I’d like to take a minute and say “thank you” to all the soldiers, alive and fallen, who are not able to be with their family this Christmas season. Thank you for all you’ve done and given up. Our thoughts and prayers are with you.

Antivirus Software: How far we’ve come

Monday, December 24th, 2007

There are a few interesting articles which talk about antivirus applications getting weaker over time, which I believe is true and will continue to be true. Modern day virus writers have many more techniques up their sleeves than they used to.

I find it quite interesting to see the techniques used to get around things such as firewalls, antivirus programs and the like. I’m not going to say I’ve seen it all, but I’ve seen a lot of it, and a lot of what is going on today was only in the beginning stages back in the late ’90s and early 2000s.

I refer to this period because during this time I had a contact who had access to the underground scene’s 0-day code and techniques, and he would pass this information on to me so that I could get a better understanding of it and eventually try to help thwart it. (While on that note, that same contact is now working for the US government in trying to protect your freedom. I wish him the best of luck in his future endeavors.) I think it’s important that I mention that the underground group my contact was involved with may have been indirectly a part of a similar group which was responsible for the attack on the root DNS servers and the demise of one of the largest IRC networks, DALnet, though I can’t confirm any of that.

Antivirus companies have gotten a lot smarter, though they’re still not smart enough, and the security of the OS and software has been getting better in general too. This is a game of cat and mouse, or a game of chess. The antivirus corporations make a move and the virus writers make a move to counter it. I believe that ultimately, this is a game that cannot be won. Resistance is futile. (If you get that joke, congrats.)

When I speak of the antivirus companies getting smarter, I’m talking about things such as scanning with heuristics along with putting code into a sandbox to be tested and identified, which they weren’t able to do before. There’s a good article over at SecureWorks about the Pushdo trojan, which has some techniques that I’ve never seen before, and I actually applaud them for using them: checking hard drive serial numbers, which can also reveal whether the host is running on a virtual drive or server. Having hosts run their own HTTP server is nothing new; in fact I’ve even seen code for viruses that run off of peer-to-peer networks such as Kazaa, along with IRC. The thing with running a virus off of port 80 is that it’s legitimate traffic. It’s the traffic you use for everyday website browsing, so you can’t just close the port off. You’re going to have to either detect the virus file on your machine, or detect and filter out the port 80 packets. I think the former is done more easily than the latter.

Another new thing that is being done is hijacking a person’s DNS. An article over at Dark Reading talks about this. While I personally use OpenDNS, the hijacking and filtering of a person’s DNS is something that I’ve never heard of before this. I find that this is an extremely innovative and effective attack, and I also applaud whoever first thought of this. This is really going to give antivirus companies something to mull over, because now they’re also going to have to add some sort of DNS detection into their software.
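One shape such DNS detection could take, as an added example that is not from the original post: compare the host’s configured resolvers against an allowlist of expected servers and flag hosts-file entries that redirect security-vendor domains. The allowlist uses the real OpenDNS resolver addresses plus a hypothetical corporate resolver (10.0.0.53); the resolv.conf and hosts contents are constructed samples, and the unexpected resolver uses a documentation address (203.0.113.53).

```python
"""Audit a host's DNS configuration for signs of resolver hijacking.

Added example, not code from the original post. Assumes a Unix-style
resolv.conf / hosts layout; file contents below are constructed samples.
"""

# Resolvers the owner expects: OpenDNS (real addresses) plus a
# hypothetical corporate resolver used only for this demo.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220", "10.0.0.53"}
# Domains whose redirection in the hosts file would be suspicious
# (malware commonly blocks AV vendors and update sites this way).
SENSITIVE_DOMAINS = {"kaspersky.com", "windowsupdate.com", "opendns.com"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_RESOLV = """# constructed sample resolv.conf
nameserver 208.67.222.222
nameserver 203.0.113.53   # constructed: not on the allowlist
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.kaspersky.com   # constructed: blocks the AV vendor site
"""


def _strip(line):
    """Drop comments and surrounding whitespace from one config line."""
    return line.split("#", 1)[0].strip()


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        parts = _strip(line).split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_hosts(text):
    """Return (hostname, address) pairs from hosts-file text."""
    entries = []
    for line in text.splitlines():
        parts = _strip(line).split()
        if len(parts) >= 2:
            entries.extend((name.lower(), parts[0]) for name in parts[1:])
    return entries


def audit_dns(resolv_text, hosts_text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for server in parse_resolv_conf(resolv_text):
        if server not in EXPECTED_RESOLVERS:
            findings.append(f"unexpected resolver {server}")
    for name, addr in parse_hosts(hosts_text):
        if name in LOCAL_NAMES:
            continue
        if any(name == d or name.endswith("." + d) for d in SENSITIVE_DOMAINS):
            findings.append(f"hosts override: {name} -> {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit_dns(SAMPLE_RESOLV, SAMPLE_HOSTS):
        print(finding)
```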

I could go on for hours about the things I’ve seen. At one point in the past I tried to help out and battle against such trojans, and I successfully uncovered and closed down several IRC botnets. However, there’s only so much that one person can do, and this is a game of chess that can never truly be won. Although I don’t have any contacts in the underground scene anymore, and I’m glad I don’t since the scene has changed from being done for personal achievement to working for financial gain, I attempt to keep track of what is going on through some of the websites I mentioned above.

In conclusion, I’d like to recommend an antivirus product which I’ve found to be very effective and likely to detect viruses and malware: Kaspersky Antivirus. While common sense is the most effective protection, Kaspersky works well alongside that. With a large deployment of virtualization software and OSes, along with the federal mandate that many things be compliant with IPv6, I think the next few years will prove just as interesting, if not more. I see down the road that things will get much tougher for antivirus companies, and I truly hope that they’re able to keep up with these ever-changing threats.

IE8 passes Acid 2 test

Wednesday, December 19th, 2007

The development team for Internet Explorer reached a new milestone yesterday and IE8 now fully complies with the Acid 2 test. If you’re not a web developer, then you probably don’t know what that is. Let’s just say that it’s a big milestone to have reached and I applaud Microsoft for their efforts, even if I do hate Vista.

Shareaza 2.3 Released

Sunday, December 2nd, 2007

Shareaza 2.3 has been released. Many changes have been made, as I’ve looked at the code repository at least every other day. If you haven’t used Shareaza, I recommend you give it a try. It’s a multi-network P2P (peer-to-peer) file sharing client, meaning it connects to multiple networks (e.g. LimeWire, BearShare, eDonkey, BitTorrent) so you are able to find a large number of download sources.

You may also want to use the X-Ray Security Filter rules along with Shareaza, as this will greatly decrease the number of fake files that you may find.

Although version 2.3 has not been officially announced on the Shareaza webpage, you can download it here, via SourceForge. Also be aware that the Shareaza team has lost the Shareaza.com domain and it has been taken over by a malware company. Please only use the official http://shareaza.sourceforge.net/ domain.