Friday, 23 May 2008

Playing with Storm

This video shows an anti-virus researcher playing with a website infected with the Storm worm. Security firm F-Secure published it on YouTube around a year ago, so it's certainly not new. However, it's still an interesting look at how server-side malware can change itself every time someone downloads it. In this case it is changing the padding to avoid detection by anti-virus software.

The researcher uses different web browsers (or at least pretends to) to demonstrate how the site reacts. For example, when the visitor uses Internet Explorer 6.0 (IE6) it serves a page containing exploit code designed to attack this browser. It serves different code when the visitor uses Firefox.
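The behaviour the video demonstrates (the same URL returning a differently padded file on every download, and different content per browser) can be checked from a handful of captured responses. The script below is an added example, not part of the original post or of F-Secure's research; the captures are constructed stand-ins, and it assumes the per-download variation is trailing whitespace padding, so that stripping it makes the hashes converge while the per-browser difference remains.

```python
import hashlib
from collections import defaultdict

# Constructed captures of (User-Agent sent, body received). These are stand-in
# strings, not real Storm samples; only the shape of the variation matters.
CAPTURES = [
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     b"<script>ie_payload()</script>\n\n\n"),
    ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
     b"<script>ie_payload()</script>\n \t\n"),
    ("Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko Firefox/2.0",
     b"<script>ff_payload()</script>   \n"),
    ("Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko Firefox/2.0",
     b"<script>ff_payload()</script>\n"),
]


def browser_family(user_agent: str) -> str:
    """Coarse classification of the User-Agent string the server keys on."""
    if "MSIE" in user_agent:
        return "ie"
    if "Firefox" in user_agent:
        return "firefox"
    return "other"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalise(body: bytes) -> bytes:
    """Assumption: the only per-download change is trailing whitespace padding."""
    return body.rstrip(b" \t\r\n")


def analyse(captures):
    """Per browser family: how many downloads, how many distinct raw hashes,
    and how many distinct hashes remain after the padding is stripped."""
    by_family = defaultdict(list)
    for user_agent, body in captures:
        by_family[browser_family(user_agent)].append(body)
    report = {}
    for family, bodies in by_family.items():
        report[family] = {
            "downloads": len(bodies),
            "raw_hashes": len({sha256(b) for b in bodies}),
            "normalised_hashes": len({sha256(normalise(b)) for b in bodies}),
        }
    return report


def served_differently(captures) -> bool:
    """True when different browser families received different content
    once the padding noise is removed, i.e. the server targets by User-Agent."""
    per_family = {}
    for user_agent, body in captures:
        per_family.setdefault(browser_family(user_agent), set()).add(sha256(normalise(body)))
    return len(set().union(*per_family.values())) > len(per_family) - 1 and len(per_family) > 1


if __name__ == "__main__":
    for family, stats in analyse(CAPTURES).items():
        print(family, stats)
    print("User-Agent targeting:", served_differently(CAPTURES))
```

A raw hash count equal to the download count with a normalised count of one is the signature of padding-only polymorphism: a signature on the full file will never match twice, while one on the normalised body (or on the code itself) holds across downloads.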

Tuesday, 20 May 2008

For (Very) Public Release: The FBI Exposed

A US Department of Justice report was published recently on the internet, with some of its sensitive information hidden from public view. According to Matt Blaze's blog, the Implementation Of The Communications Assistance For Law Enforcement Act By The Federal Bureau Of Investigation report exhibited a classic redaction mistake. Essentially, you can uncover the hidden text by pressing Ctrl-A, Ctrl-C and then (after opening a text file) Ctrl-V. In other words, it's the old select/copy/paste gambit.


Redacting information by obliterating sensitive text with big black lines works sometimes. However, it's easy to get wrong and there have been many cases where those who should know better have attempted to hide data but have failed to do so effectively. Sometimes the results are embarrassing. Other times they have been deadly.
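The mistake is that painting a black rectangle over text changes what the page looks like, not what the file contains: the text-drawing operators are still in the content stream, which is why select/copy/paste recovers them. The script below is an added example (not from Matt Blaze's post or the DOJ report) working on a constructed, simplified PDF-style content stream: it lists the text that sits under a filled rectangle, and shows the difference between overlay "redaction" and actually removing the text.

```python
import re
from typing import List, Tuple

# Constructed sample content stream (not the DOJ report): a line of text is drawn
# with Tj, then a filled black rectangle is painted over it, then a public line.
OVERLAY_REDACTED = (
    b"BT /F1 12 Tf 72 700 Td (Informant name: J. Doe) Tj ET\n"
    b"0 0 0 rg 72 695 200 14 re f\n"
    b"BT /F1 12 Tf 72 680 Td (Public paragraph text.) Tj ET\n"
)

_TEXT_OBJ = re.compile(rb"BT(.*?)ET", re.S)
# Inside a text object we only track Td (move text position) and Tj (show string).
_TOKEN = re.compile(
    rb"(?P<td>(?P<dx>-?[\d.]+)\s+(?P<dy>-?[\d.]+)\s+Td)"
    rb"|(?P<tj>\((?P<lit>(?:\\.|[^\\)])*)\)\s*Tj)"
)
_RECT = re.compile(rb"(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s+re\s+f\b")


def _unescape(raw: bytes) -> str:
    # Handles the common \( \) \\ escapes of PDF literal strings.
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def text_runs(stream: bytes) -> List[Tuple[float, float, str]]:
    """(x, y, text) for every Tj; Td offsets accumulate within one BT..ET."""
    runs = []
    for obj in _TEXT_OBJ.finditer(stream):
        x = y = 0.0
        for tok in _TOKEN.finditer(obj.group(1)):
            if tok.group("td") is not None:
                x += float(tok.group("dx"))
                y += float(tok.group("dy"))
            else:
                runs.append((x, y, _unescape(tok.group("lit"))))
    return runs


def filled_rects(stream: bytes) -> List[Tuple[float, float, float, float]]:
    return [tuple(float(v) for v in m.groups()) for m in _RECT.finditer(stream)]


def _under(x: float, y: float, rects) -> bool:
    return any(rx <= x <= rx + w and ry <= y <= ry + h for rx, ry, w, h in rects)


def covered_text(stream: bytes) -> List[str]:
    """Text whose origin lies inside a filled rectangle: hidden visually, still in the file."""
    rects = filled_rects(stream)
    return [t for x, y, t in text_runs(stream) if _under(x, y, rects)]


def true_redact(stream: bytes) -> bytes:
    """Remove every Tj under a rectangle instead of merely covering it."""
    rects = filled_rects(stream)

    def scrub(obj):
        body, out, last, x, y = obj.group(1), [], 0, 0.0, 0.0
        for tok in _TOKEN.finditer(body):
            if tok.group("td") is not None:
                x += float(tok.group("dx"))
                y += float(tok.group("dy"))
            elif _under(x, y, rects):
                out.append(body[last:tok.start()])
                last = tok.end()
        out.append(body[last:])
        return b"BT" + b"".join(out) + b"ET"

    return _TEXT_OBJ.sub(scrub, stream)


if __name__ == "__main__":
    print("still recoverable:", covered_text(OVERLAY_REDACTED))
    print("after real redaction:", covered_text(true_redact(OVERLAY_REDACTED)))
```

Real PDFs add fonts, transforms and compressed streams on top of this, so a production check uses a PDF library; the point the toy makes stands regardless: a redaction is only as good as what is left in the file after the black box is ignored.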

Wednesday, 14 May 2008

Turn Their World Upside-Down

Someone stealing bandwidth wirelessly from your internet connection? Don't get mad (or encrypted) - get even. This article has been available for some time, but it still amuses me and almost makes me wish someone would crack into my wireless network. Almost.


Pete Stevens documented how he handled his thieving neighbours, proxying their web traffic and making changes to it. Favourite countermeasures include turning images upside down or blurring them automatically. It shouldn't be too hard to run pages through The Dialectizer to produce Cockney, Jive or Swedish Chef versions.

Saturday, 10 May 2008

What does a botnet look like?

The idea that criminals have harnessed the power of hundreds of thousands of innocent computers, forming massive networks designed to perform evil deeds, is hard for the general public to swallow. It's also quite a tricky concept to visualise.


That has not stopped David Voreland and Scott Berinato from trying. They have created a map of interconnected botnet systems. It's interesting - is your system on it?

Saturday, 3 May 2008

Can you copyright malicious software?

Software developers don't like people ripping off their work. This is just as true of legitimate companies producing commercial software as it is for shadier developers who create malicious software for sale, such as Trojans.

Despite this, lots of people copy software illegally. Developers use protection systems such as registration codes; activation of installed software with servers controlled by the developers; and (less commonly these days) copy-protected installation media. The anti-piracy challenge for Trojan writers and other malware authors is tougher because they don't have the same technical resources as large companies and, perhaps more importantly, they can't use the law to enforce their licenses. They don't want to be tracked so an activation server is probably out of the question until they can figure out how to use something like a dynamic botnet to handle this job.

The answer, according to an article by security company Symantec, is to threaten your customers that you'll shop them to anti-virus companies.

More specifically, if you buy a custom version of the Zeus Trojan and resell it, or attempt to reverse-engineer it, you will be in violation of the licensing agreement. In such cases, the dodgy software developers will send your copy of the Trojan to security companies, effectively rendering it useless.

It turns out that this approach has not worked very well. According to Symantec, copies of this software were being traded on online forums shortly after its release.