Damballa researchers share some techniques for getting a better picture of botnets — and targeted attacks
By Kelly Jackson Higgins
Senior Editor, Dark Reading
Is that malware found on your client machine the sign of a targeted attack or a routine bot-herding run? How do you know for sure?
Botnet hunters from Damballa are using some traditional network monitoring techniques to determine the size and scope of botnets, information that can even help distinguish a targeted attack from random bot recruitment.
“We are working on ways to better [calculate] the numbers of these botnets with some accuracy,” says Christopher Davis, director of threat analysis for Damballa. Davis and Damballa chief scientist and co-founder David Dagon will discuss their company’s botnet research techniques at Black Hat D.C. next week.
Damballa researchers basically reverse-engineer the malware code that arrives at one of their customer’s client machines, and then study how it communicates with its command and control (C&C) server. Then, using a DNS cache-inspection technique (querying recursive resolvers non-recursively to see whether the C&C hostname is already in their cache), combined with tracking the IP identification (IP ID) field of packets sent by the C&C server, they can take more accurate counts of the number of bots and C&C servers, and the potential scope of a particular botnet.
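The two measurement primitives the article describes, as an added example (this is not Damballa's code, and the hostname and addresses are RFC 2606 / RFC 5737 placeholders). A DNS query with the RD (recursion desired) bit cleared asks a resolver only for what it already holds in cache, so an answer for the C&C hostname means some client behind that resolver looked it up recently, and the remaining TTL compared with the zone's authoritative TTL says roughly how long ago. For the IP ID side, many stacks of the era incremented the 16-bit identification field once per packet sent, so differencing samples of a C&C server's IP ID (mod 2**16) estimates how many packets it sent in between. Everything runs on constructed packets so it works offline.

```python
import struct

TYPE_A = 1
CLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """'cnc.example.com' -> b'\\x03cnc\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_snoop_query(name, txid=0x1234):
    """Non-recursive A query: the flags word is all zero, so RD is clear."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def recursion_desired(packet):
    return bool(struct.unpack("!H", packet[2:4])[0] & FLAG_RD)


def build_response(query, address=None, ttl=0, rcode=0):
    """Constructed resolver reply to `query` (offline demo only).

    address=None gives an empty answer section, which is what a resolver
    with nothing cached sends back to a non-recursive query.
    """
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    ancount = 0 if address is None else 1
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RA | rcode, 1, ancount, 0, 0)
    answer = b""
    if address is not None:
        rdata = bytes(int(o) for o in address.split("."))
        # 0xC00C: pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


def parse_response(data):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from a DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(data, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers


def snoop_verdict(reply, zone_ttl):
    """Seconds since the resolver cached the name, or None if not cached.

    zone_ttl is the authoritative TTL (ask the zone's own nameserver);
    the cached copy's TTL has been counting down since it was fetched.
    """
    rcode, answers = parse_response(reply)
    if rcode != 0 or not answers:
        return None
    return zone_ttl - min(a[2] for a in answers)


def ipid_packets_between(earlier, later):
    """Packets sent between two IP ID samples, allowing for 16-bit wrap."""
    return (later - earlier) % 0x10000


def ipid_rate(samples):
    """samples: [(seconds, ipid), ...] -> estimated packets per second.

    Assumes a per-host sequential counter sampled often enough that it
    never wraps more than once between two samples.
    """
    total = sum(ipid_packets_between(a[1], b[1]) for a, b in zip(samples, samples[1:]))
    return total / (samples[-1][0] - samples[0][0])
```

Two caveats a practitioner should keep in mind: resolvers that refuse non-recursive queries or serve answers from a shared backend defeat the cache check, and hosts that randomise or zero the IP ID (common on newer stacks) give no usable counter, so the rate estimate only holds after you have confirmed the target's IP ID really is sequential.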
Better get rid of those HD-DVDs soon.
HD DVD Format on Death Watch
Author: THOMAS K. ARNOLD and ERIK GRUENWEDEL
Posted: February 14, 2008
The format war has turned into a format death watch.
Toshiba is widely expected to pull the plug on its HD DVD format sometime in the coming weeks, reliable industry sources say, after a rash of retail defections that followed Warner Home Video’s stunning announcement in early January that it would only support the rival Blu-ray Disc format after May…
…Toshiba had been pitching its discounted HD DVD players toward the standard DVD crowd as well as high-def enthusiasts, noting in its ad message that the new players would make DVDs look a lot better as well. And as a last-ditch effort the company ran an ad during the Super Bowl — a 30-second spot that reportedly cost $2.7 million.
But in the end, sources say, the substantial loss Toshiba is incurring with each HD DVD player sold — a figure sources say could be as high as several hundred dollars — coupled with a series of high-profile retail defections, have driven the company to at last concede defeat.
“An announcement is coming soon,” said one source close to the HD DVD camp. “It would be a matter of weeks.”
Feel free to use this to give to your Valentine. I did.
If you send an email to firstname.lastname@example.org with your .WAV attached, it will convert that .WAV to .MP3. Here’s some more.
send email to:
email@example.com – WAV to MP3
firstname.lastname@example.org – MP3 to WAV
email@example.com – Word, Excel, PowerPoint to PDF
firstname.lastname@example.org – PDF to Word, Rich Text Format
iPhone@pdfonline.com – Visio, Word (including the 2007/.docx kind) to PDF & supports multiple file attachments.
(Ignore the “iphone” in the address, as it works from any device or computer, but only supports files up to 1 MB in size.)
At first I was like “Oh shit, a bunch of crap is about to fall out”, then I got close enough to realize that it was just a badass painting…
that’s a dog in the bottom left.
Just how rampant is piracy in PC casual gaming? In a startling installment of his regular Gamasutra column, Reflexive’s director of marketing Russell Carroll (Wik, Ricochet) reveals the 92% piracy rate for one of his company’s games, and what worked (and didn’t work) when they tried to fix it.
“It looks like around 92% of the people playing the full version of [the pictured] Ricochet Infinity pirated it.” It’s moments like those that make people in the industry stop dead in their tracks. 92% is a huge number and though we were only measuring people who had gotten the game from Reflexive and gone online with it, it seemed improbable that those who acquired the game elsewhere or didn’t go online were any more likely to have purchased it. As we sat and pondered the financial implications of such piracy, it was hard to get past the magnitude of the number itself: 92%.
In the casual games space, where the majority of the industry is tied to an internet-distributed product, piracy is a common problem. Search for any casual game through Google, add the word ‘crack’, and the search engine will help you find and illegally acquire every casual game you can imagine.
One way to fight the search-engine facilitated piracy is to work to remove the ever-expanding number of links to illegal copies, but in many cases improving the Digital Rights Management (DRM) system to be more secure can be more effective as it renders a large number of those links obsolete. This is tricky to be sure, because improving the security must be done without making the DRM so onerous that it keeps honest customers from purchasing games.
Reflexive, where I work, is in a peculiar position in this regard. Whereas most of the casual games industry licenses their DRM from a vendor, Reflexive has its own in-house DRM. Over the years it has undergone many improvements, including several changes made specifically to combat piracy.
With that background, my penchant for actual numbers, and a lot of help from Brian Fisher, Reflexive’s king of number crunching logic, let’s tackle the question of the 92% piracy rate on Ricochet Infinity. Could we realistically assume that stopping piracy would have caused 12 times more sales?
I know a lot of you guys use ImgBurn. The new version was just released yesterday (the previous version was released 4/12/07). The change log is gigantic. Among it are the ability to create and burn audio CDs, HD DVD discs, Blu-ray discs, the usual insane list of bug fixes, language files for localization, and a ton more. The user interface has been improved, too. Go get it!
There is a new local root exploit found in Linux kernels 2.6.17 to 2.6.24.1. Here’s a proof-of-concept, which basically works as a “passwordless su”.
I have tested the exploit on a few systems I manage, and it just plain works on a number of them. The distros I have around that are vulnerable are:
- Fedora 8
- CentOS 5/5.1 (and therefore presumably RHEL as well)
- Debian Etch
- Ubuntu 7.10
On one oddball Debian Etch system the exploit segfaulted, but to me that doesn’t rule out that the hole is still there. On older boxes (tested on a couple Debian Sarge systems), the kernel is too old to have the vulnerable vmsplice feature.
The hole is patched in 2.6.24.2, but compiling and installing that on a production system really isn’t a viable alternative.
I’d hate for this to turn into a flamewar on Linux security, or how dangerous a local root exploit really is. It’s there, it’s not the end of the world in any way, but it very much needs fixing. I am really interested in hearing if anyone has seen patched kernels for the main distros, or when they show up. Most of the vulnerable systems I have don’t have any users on them (other than people who have root access “the normal way”), but I currently have a couple of machines locked down (sshd stopped or normal users disabled). Both of those are Debian Etch, and those guys generally are quite snappy in providing security updates.
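A triage helper for the vmsplice hole discussed in the post above, added here as an example; it is not the proof-of-concept and not code from the poster. The post gives the affected upstream range as 2.6.17 through 2.6.24.1 with the fix in 2.6.24.2, so this parses the upstream part of `uname -r` and compares it against that range. The caveat the post itself raises applies: Debian, Red Hat and Ubuntu backport fixes without bumping the upstream version, so a hit here means "check the vendor advisory and package changelog", never "definitely exploitable", and a patched vendor kernel will still report the old upstream number. The sample release strings in the test are constructed, not taken from real systems.

```python
import re
import subprocess

VULN_FIRST = (2, 6, 17, 0)   # vmsplice() first appeared in 2.6.17
VULN_LAST = (2, 6, 24, 1)    # last unfixed upstream release per the post
FIXED_IN = "2.6.24.2"

# Upstream version prefix of a `uname -r` string; the distro suffix
# (-14-generic, .fc8, -53.el5, ...) is deliberately ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release):
    """'2.6.22-14-generic' -> (2, 6, 22, 0); '2.6.24.2' -> (2, 6, 24, 2)."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, sub = m.groups()
    return (int(major), int(minor), int(patch), int(sub or 0))


def upstream_in_vulnerable_range(release):
    """True if the upstream version sits inside the affected range."""
    return VULN_FIRST <= parse_kernel_release(release) <= VULN_LAST


def triage(release):
    """Classify a release string; 'vulnerable' here means 'go and check'."""
    v = parse_kernel_release(release)
    if v < VULN_FIRST:
        return "too old to have vmsplice"
    if v > VULN_LAST:
        return f"upstream fixed (>= {FIXED_IN})"
    return "upstream vulnerable: confirm vendor backport status"


def triage_running_kernel():
    """Same check against the kernel this script is running on."""
    release = subprocess.check_output(["uname", "-r"], text=True).strip()
    return triage(release)


if __name__ == "__main__":
    print(triage_running_kernel())
```

Because the vendor suffix is discarded, two CentOS 5 kernels that differ only in the `-53.el5` part (one before and one after the vendor fix) classify identically; on those systems the package version, not `uname -r`, is the thing to compare against the advisory.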
Even with strike over, Heroes seems grounded until next season.
February 11, 2008 – While the strike looks just about over, Heroes fans shouldn’t expect new episodes in the immediate future. The news filtering out seems to confirm that the NBC superhero hit won’t be back until this fall, despite writers almost certainly going back to work this week.
The reason for the delay seems centered around issues unique to Heroes from both a production and structural standpoint. Heroes creator Tim Kring told ew.com last week that he felt that they could probably only finish three more episodes of the series if they attempted to film more to air by the end of this TV season in May.
Heroes is formatted in large story arcs, the next of which is called “Villains.” Doing just three more episodes this season would mean either making that story much shorter than intended, or making the audience wait several months for the story to conclude in the fall. Says Kring to ew.com, “With a show like Heroes that’s so strongly serialized, and given what we wanted to accomplish with the new storyline, to come back with just three episodes could be creatively dangerous.”
In what can only be classified as yet another crushing blow to the embattled HD DVD camp, rent-by-mail giant Netflix has just announced its intention to only stock Blu-ray titles in the future. Netflix justified its decision by pointing out the fact that most Hollywood studios seem to be converging solely around the Sony-backed format — a fact that’s all too familiar to Toshiba and friends. With both Blockbuster and now the ‘Flix having eschewed HD DVD for BD, it’s gonna get harder and harder to even find a place to rent those former discs in the first place, let alone one that has a decent selection.
Update: It looks like all hope is not lost for HD DVD renters. Not only does Blockbuster Online still carry titles in the endangered format, but Netflix should continue offering a limited selection of discs until current stock is phased out around the end of the year.
Leopard finally gets its second patch, and boy does it fix a lot of stuff. The first patch hit back in November, with test builds of the second making it out a month later. Here’s a list of the major things the 10.5.2 patch fixes (including menubar transparency and Stacks).
• AirPort connection reliability and stability
• Back to My Mac for third-party routers
• Dashboard widget performance improvement
• Stacks fix! List view, Folder view, and updated background for Grid view
• Menubar transparency disabling
• Less translucent menus
• Several fixes for iCal recurring meetings, plus general bug fixes
• iChat bug fixes
• iSync support added for Samsung D600E and D900i phones
• Finder bug fixes
• Mail bug fixes
• AFP network volume hanging fixed
• RAW support improved
• Preview bug fixes
• Time Machine bug fixes (some external drives not being recognized)
Plus lots of various other fixes (we tried to cover only the hot ones here). Isn’t it funny that Vista has been out for a year and they are still working on a service pack? Apple has had Leopard out since October, and they have already shipped two service revisions. Go Apple.
Asus used to make a laptop called the S200, also known as the JVC MiniNote or Victor Interlink, which came with an 8.9 inch screen at 1024×600 resolution. Placing a JVC MiniNote XP5230 side by side with an Asus Eee PC, they’re practically the same size, and it was very surprising that Asus didn’t go with the 8.9″ screen originally, but I guess it all comes down to cost.
The main things I prefer on the JVC:
- of course the 8.9inch screen at 1024×600 resolution,
- the keyboard is a tiny bit bigger, which makes a hell of a difference when trying to touch type.
- I much prefer a trackpoint to a touchpad.
Things I don’t like about the JVC:
- it gets stupidly hot, to the point you can’t have it on your lap.
- this model lacks built-in WiFi, though some of the higher models do have it.
- the VGA out needs a breakout cable.
- this model takes stupidly small 144-pin MicroDIMMs, which only allow memory expansion to 384MB.
but overall they’re very similar machines.
more photos after the jump…
A range of hoodies which covers the face is sparking fears they could be used for criminal activity.
With designs like skeletons, or Hannibal, referring to the cannibal villain in the movie “Silence of the Lambs”, the masks are meant to stir up a reaction. The masked hoodies range in price from 30 to 600 British pounds (60 to 1200 USD).
Cindy Martin reports.
I’m still kinda messed up in the head about it so bear with me.
I was delivering some computers to a small shop in the ghetto of Colorado Springs. I happen to be carrying a box of hard drives.
All of a sudden I hear “BLAP BLAP BLAP BLAP BLAP”.
I hear some whizzing and suddenly, it feels like I got pushed hard!
I hit the ground, took me about 3 seconds to realize I was hit, but I couldn’t see any bleeding.
That’s when I saw the hole in the box. I went inside the shop and looked at the drives.
BURLINGTON, Vt. (AP) — When Sebastien Boucher stopped at the U.S.-Canadian border, agents who inspected his laptop said they found files containing child pornography. But when they tried to examine the images after his arrest, authorities were stymied by a password-protected encryption program.
Now Boucher is caught in a cyber-age quandary: The government wants him to give up the password, but doing so could violate his Fifth Amendment right against self-incrimination by revealing the contents of the files.
Experts say the case could have broad computer privacy implications for people who cross borders with computers, PDAs and other devices that are subject to inspection.
“It’s a very, very interesting and novel question, and the courts have never really dealt with it,” said Lee Tien, an attorney with the Electronic Frontier Foundation, a San Francisco-based group focused on civil liberties in the digital world.
For now, the law’s on Boucher’s side: A federal magistrate here has ruled that forcing Boucher to surrender the password would be unconstitutional.
This week Canonical, the company behind Ubuntu Linux, announced a partnership with Parallels, maker of the virtualization products Parallels Workstation and Parallels Desktop for Mac. Consequently, the Parallels Workstation virtualization software is now available to download and install in Ubuntu Linux, completely supported by Canonical, and done entirely through the Add/Remove Programs interface. This makes four different virtualization programs, three of which are installable via the package repositories, that run on Ubuntu Linux.
Virtualization is the technique of running a “guest” operating system inside an already-running OS; for example, Windows inside Linux, or vice versa. This article compares four virtualization products available for Ubuntu Linux: the free, open source x86 emulator QEMU; the closed-but-free versions of VirtualBox and VMware Server; and the commercial Parallels Workstation.
Jesus these goons don’t know when to quit. If they could make you install a brain filter that prevented you from hearing pirated music I’m sure they would.
At a Washington, DC, tech conference last week, RIAA boss Cary Sherman suggested that Internet filtering was a super idea but that he saw no reason to mandate it. Turns out that was only part of the story, though; Sherman’s a sharp guy, and he’s fully aware that filtering will prompt an encryption arms race that is going to be impossible to win… unless users somehow install the filtering software on their home PCs or equipment.
Last night, Public Knowledge posted a video clip from the conference that drew attention to Sherman’s other remarks on the topic of filtering, and what he has to say is downright amazing: due to the encryption problem, filters may need to be put on end users’ PCs.
The issue of encryption “would have to be faced,” Sherman admitted after talking about the wonders of filtering. “One could have a filter on the end user’s computer that would actually eliminate any benefit from encryption because if you want to hear [the music], you would need to decrypt it, and at that point the filter would work.”
Wouldn’t this “encryption arms race” that is “impossible to win” be done in “software” by “users,” making filtering connection hardware useless as the data is already encrypted?
Unless they want to block all encrypted data, because after all, you have nothing to hide if you aren’t doing anything wrong. Ugh.
Have you ever heard of a “sealed” PDF? I don’t mean password-protected or branded with your name (as some eBook sellers do). This is a different beast. Let me introduce a company called SealedMedia. Their business is protecting electronic documents (PDFs), a form of Digital Rights Management (DRM) which has always been a topic of ongoing debate. One of their most notable clients: Harvard Business School Press.
I had to write a paper on case #698-004, entitled “We’ve Got Rhythm! Medtronic Corp.’s Cardiac Pacemaker Business,” which is a great case by the way. Unfortunately, my experience purchasing and reading the case was not.
The HBSP Online Store allows visitors to purchase cases individually, in PDF format, or rather in SPDF format. The .spdf extension indicates the document has been “sealed” by SealedMedia, and consequently Adobe Reader cannot properly render it without the SealedMedia plug-in and a valid license.
When you purchase the case, you receive a license with a login name and password. When launching Adobe Reader, you must authenticate to the license server to view the document:
Today is a great day for all the people waiting for the first bits and pieces of Amarok 2 on Windows. Amarok developer shakes worked hard to get it ready for you. Enjoy! Please be aware that it is only a tech preview with a lot of known problems. From the amarok.kde.org posting:
I’ve had the killer combination of being both sick and busy lately, so I haven’t got much done on Amarok recently.
However I do have one announcement that might make a few people happy: the windows installer of KDE now has packages of the Amarok 2 tech preview available.
You can download it by grabbing the installer and following the instructions over at the KDE TechBase. It should be pretty self-explanatory: just run the installer, select a mirror, and download the amarok package; all the dependencies should be automatically downloaded and installed for you.
Since so many Mac users are also child porn enthusiasts, I thought you might like to know that the newest version of TrueCrypt came out last night and they support OS X now.
Now my trendy Mac friends can stop having to mess around with their USB keychain, mirroring their passwords and bill pay confirmations from a Mac sparseimage to a TrueCrypt vault and back again.
If you’ve never heard of TrueCrypt, it’s basically a paranoid’s wet dream, open-source encryption app where you can do needlessly complicated things like hide an undetectable real vault inside a dummy vault so the NSA can’t get your Flickr password. It provides two levels of plausible deniability, in case an adversary forces the password out of you… and now it’s cross platform. Yay!