Thursday, May 20, 2004

19 May, 2004


Google moves toward clash with Microsoft

Story last modified May 19, 2004, 8:00 AM PDT
Edging closer to a direct confrontation with Microsoft, Google is preparing to introduce a powerful file and text software search tool for locating information stored on personal computers.
Google's software, which is expected to be introduced soon, according to several people with knowledge of the company's plans, is the clearest indication to date that the company, based in Mountain View, Calif., hopes to extend its search business to compete directly with Microsoft's control of desktop computing.
Improved technology for searching information stored on a PC will also be a crucial feature of Microsoft's long-delayed version of its Windows operating system, code-named Longhorn. That version will have a redesigned file system, making it possible to track and retrieve information in ways not currently possible with Windows software. The new operating system, however, won't be available until 2006, at the earliest, and advanced search capabilities won't be in place until 2009.

Google Typo Leads To Speculation About 1 Terabyte Of Gmail Storage
Google Terabyte
Now that Google Groups is working, it will take me some time to try it out, however. Check it OUT. I did, however, notice that it bears a striking resemblance to its sister, Gmail.
Google set to announce desktop search utility
Microsoft is offering free Security Clinic training.
Security Clinics
Clinic 2801: Microsoft® Security Guidance Training I
Summary: This online clinic provides students with introductory knowledge and skills essential for the design and implementation of a secure computing environment. It also provides students with prescriptive guidance on security update management and best practices for implementing security on Microsoft Windows® server and client computers.
Audience: IT Pro
Clinic 2802: Microsoft® Security Guidance Training II
Summary: This online clinic builds on existing knowledge of server and client security and provides students with the knowledge and skills to apply best practices to implement perimeter and network defenses and enhance security for applications and Microsoft Windows Server System™ components. It also provides students with prescriptive guidance to enhance security for Microsoft Windows® server and client computers and practical strategies for implementing security best practices across an environment.
Audience: IT Pro
Clinic 2806: Microsoft® Security Guidance Training for Developers
Summary: This online clinic provides students with knowledge and skills essential for the creation of applications with enhanced security. Students will learn about the need for implementing security at every stage of the development process and best practices for applying security principles. Students will also learn how to use established threat modeling methodologies and tools with other best practices to minimize vulnerabilities and limit damage from attacks. Finally, students will learn how to implement security features to enhance security for Web applications and Web services that are built by using Microsoft ASP.NET.
Audience: Developer

Linux News:

Bull Joins the Open Source Development Labs
Linux Thinks Big
SysAdmin to SysAdmin: GUI administration with KSysguard
Linus and Linux: The big lie versus the small truth
JBoss Under Fire, Accused of Bogus Postings
Novell Continues to Buy Open Source
Minimo Project
An overview of the Minimo Project
"Study Casts Doubt on the Founding Fathers," a parody by Scott Lazar
Fedora Core 2 Brims With New Features
Linux Forensics Software
Why Mono is Currently An Unacceptable Risk
Florida health organization migrates 3,500 PCs to OpenOffice and Novell's Linux


Cyber Security News:

New analysis shows exploits closing in on networks
Consequences of Cisco source code theft unclear
Number of exploits circulating for critical Mac flaws
'Patriot' hacker pleads guilty
HTML e-mail not worth the risk
[ GLSA 200405-11 ] KDE URI Handler Vulnerabilities
[OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs)
[OpenPKG-SA-2004.023] OpenPKG Security Advisory (subversion)
[OpenPKG-SA-2004.024] OpenPKG Security Advisory (neon)


Viruses and Worms

W32.Bobax.B is a worm that exploits the LSASS vulnerability (described in Microsoft Security Bulletin MS04-011). Infected computers may be used as an email relay.
W32.Bobax.B differs from W32.Bobax.A as follows:

* Uses a different, and variable, mutex name.
* Has a different size and MD5.
* Performs connection speed testing.
* Has the ability to update itself.
* Has the ability to report system information back to the author

W32.Bobax.C is a worm that exploits both the LSASS vulnerability using port 445 (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (first described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Infected computers can become email relays.
W32.Bobax.C differs from W32.Bobax.A as follows:

* Uses a different, and variable, mutex name
* Has a different size and MD5
* Performs connection speed testing
* Has the ability to update itself
* Has the ability to report system information back to the author
* Takes advantage of the DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026

W32.Bobax.D is a worm that exploits the LSASS vulnerability. This vulnerability is discussed in Microsoft Security Bulletin MS04-011. Infected computers may become email relays.

* While this threat may execute on Windows 95/98/Me/2000/Server 2003-based computers, it targets only the Windows XP operating system.
* Virus definitions dated prior to May 19, 2004, may detect this threat as Bloodhound.Packed.

Bobax Trojan Analysis

Bobax is a semi-automated spreading trojan. Similar in concept to bots like Agobot, the trojan can spread unattended, but only when given the command to do so by its author. Its primary purpose appears to be to create a massive automated spamming network. Unlike proxy trojans which require the spammer to connect and send each individual piece of mail, Bobax sends the mail using a template and a list of email addresses. This has the benefit of offloading almost all the bandwidth requirements of spamming onto the trojaned machines, allowing the spammer to operate with minimal cost.

The dropper file is named svc.exe. When run, it extracts a DLL file from its executable and injects it into the Explorer process space.
When executed for the first time, the Bobax trojan follows these steps:

  • Tests for the presence of mutex 00:24:03:54A9D. Exits if it exists, creates it if it doesn't
  • Attempts to delete files from the Temp directory with a tilde prefix, cleaning up after the infection process
  • Copies itself to the Windows system directory and adds to the following registry keys:

    [keyname] => [path to executable file]

    The registry key name is an 8-digit hexadecimal pseudo-random number generated from the volume ID of the disk where the system directory resides.
    The exe name prefix is a sequence of 5-14 randomly generated lowercase letters.
  • Attempts to contact the following sites:
    The requested URL is:
    http://hostname/reg?u=[8-digit hex id]&v=114
    The User-agent provided by the trojan when connecting to the control server is:
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    If successful, the trojan will parse the returned content looking for commands from this server. These commands may or may not be present depending on the spammer's schedule:

    exe - Download and execute a program
    scn - Scan and infect hosts using the MS04-011 exploit
    scs - Stop scanning
    prj - Send spam from template email and list of addresses provided
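
The registration request above is the most reliable network indicator the analysis gives: a fixed path, an 8-digit hex bot id (the same value the dropper uses as its registry key name, so a proxy hit can be pivoted straight to the host's Run key), a fixed `v=114` and the stock IE6-on-XP User-Agent. The following is an added example, not code from the analysis quoted above, that scans proxy log lines for that request. The log layout, the client addresses and the ids are constructed for the example; `butter.dns4biz.org` is the one control host the analysis names, the other hostnames are made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Check-in path observed in the analysis: /reg?u=<8 hex digits>&v=114.
# The id is the same 8-digit hex value the dropper uses as its registry key name,
# so a hit here can be pivoted to the host's Run key on the endpoint.
CHECKIN_PATH = re.compile(r"^/reg\?u=(?P<bot_id>[0-9a-fA-F]{8})&v=114$")

# The User-Agent the trojan sends. It is the stock IE6-on-XP string, so it is
# corroboration only; the path is the selector.
BOBAX_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Hypothetical proxy log layout used for this example (not a real product's format):
# "<timestamp> <client-ip> <method> <url> <user-agent...>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ua>.*)$")

# Constructed sample lines. butter.dns4biz.org is the control host the analysis names;
# the other hosts, client addresses and ids are made up.
SAMPLE_LOG = """\
2004-05-18T09:12:01 10.1.4.22 GET http://butter.dns4biz.org/reg?u=3f9a1c07&v=114 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2004-05-18T09:12:03 10.1.4.22 GET http://www.example.com/index.html Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2004-05-18T09:13:10 10.1.7.5 GET http://butter2.dns4biz.org/reg?u=DEADBEEF&v=114 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2004-05-18T09:14:00 10.1.9.9 GET http://www.example.com/reg?u=zz&v=114 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2004-05-18T09:15:30 10.1.4.22 GET http://butter.dns4biz.org/reg?u=3f9a1c07&v=114 Mozilla/5.0 (X11; Linux)
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return 'checkin' (path and UA match), 'suspect' (path only) or None.

    On a match the record gains 'bot_id' (lower-cased) and 'c2_host'."""
    parts = urlsplit(rec["url"])
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    m = CHECKIN_PATH.match(path_q)
    if not m:
        return None
    rec["bot_id"] = m.group("bot_id").lower()
    rec["c2_host"] = parts.hostname
    return "checkin" if rec["ua"] == BOBAX_UA else "suspect"


def find_checkins(log_text):
    """Return the records that look like Bobax registration requests, each tagged with a verdict."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            rec["verdict"] = verdict
            hits.append(rec)
    return hits


def infected_hosts(hits):
    """Map each client address to the bot ids it checked in with and the C2 hosts it used."""
    summary = defaultdict(lambda: {"bot_ids": set(), "c2_hosts": set()})
    for h in hits:
        summary[h["client"]]["bot_ids"].add(h["bot_id"])
        summary[h["client"]]["c2_hosts"].add(h["c2_host"])
    return dict(summary)


if __name__ == "__main__":
    for h in find_checkins(SAMPLE_LOG):
        print(h["verdict"], h["client"], h["bot_id"], h["c2_host"])
```

The fourth sample line shows why the id is matched strictly: `u=zz` is not an 8-digit hex value and is dropped. The last line matches on path but carries a different User-Agent, so it is reported as `suspect` rather than `checkin`; on the real bot the UA is fixed, so a mismatch usually means someone is replaying or probing the C2 URL by hand.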

The scanning thread works as follows:

  • An HTTP listener is set up on a random numbered port between 2000 and 62000
  • 128 threads are started to scan for vulnerable hosts:

    • 32 threads will scan the same /16 subnet as the local host
    • 32 threads will scan the same /8 subnet as the local host
    • 64 threads will scan randomly chosen Internet addresses

  • The scan is actually performed on TCP port 5000; if the port is found open this is usually indicative of a Windows XP host (XP's UPnP framework listens there). The trojan will then connect to port 445 and execute the LSASS exploit against the vulnerable host. The trojan file will be served from the internal HTTP process and the target host will be infected and under the control of the spammer.
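
The two-step probe (TCP/5000 to fingerprint XP, then TCP/445 to exploit) and the split of targets between the local /16, the local /8 and random addresses give a flow-level signature. The following is an added example, not code from the analysis quoted above, that runs that logic over flow records: it flags any source that probed many hosts on port 5000 and then opened port 445 to some of them, and reports how the probes were spread. The flow records and all addresses are constructed for the example; `min_probes` is a threshold chosen for the toy data, not a value from the analysis.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dst_port). In practice these come from NetFlow,
# firewall or IDS logs; every address here is made up.
SCANNER = "192.0.2.10"
SAMPLE_FLOWS = (
    [(SCANNER, f"192.0.5.{i}", 5000) for i in range(1, 5)]        # 4 probes inside the scanner's /16
    + [(SCANNER, f"192.168.1.{i}", 5000) for i in range(1, 4)]    # 3 probes inside its /8
    + [(SCANNER, f"198.51.100.{i}", 5000) for i in range(1, 6)]   # 5 probes at unrelated addresses
    + [(SCANNER, "192.0.5.2", 445), (SCANNER, "198.51.100.3", 445)]  # follow-up SMB to two open-5000 hosts
    + [("192.0.2.20", "192.0.2.1", 445),                          # ordinary file-server traffic
       ("192.0.2.20", "192.0.2.1", 5000),
       ("192.0.2.20", "192.0.2.1", 80)]
)


def same_prefix(a, b, bits):
    """True when addresses a and b fall in the same /bits network."""
    net_a = ipaddress.ip_network(f"{a}/{bits}", strict=False)
    return ipaddress.ip_address(b) in net_a


def analyze(flows, min_probes=8):
    """Flag sources that probed many hosts on TCP/5000 and then opened TCP/445 to some of them.

    Returns {src: {"probed": n, "exploit_attempts": [dst...], "spread": {...}}}.
    Flow order is not used, so a host that talks SMB to a peer and separately
    probes it on 5000 is only flagged once the probe count passes min_probes."""
    probes = defaultdict(set)
    smb = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 5000:
            probes[src].add(dst)
        elif dport == 445:
            smb[src].add(dst)

    findings = {}
    for src, targets in probes.items():
        followed = targets & smb.get(src, set())
        if len(targets) < min_probes or not followed:
            continue
        # Bucket the probe targets the way the bot's scanning threads are split.
        spread = {"same_16": 0, "same_8": 0, "other": 0}
        for t in targets:
            if same_prefix(src, t, 16):
                spread["same_16"] += 1
            elif same_prefix(src, t, 8):
                spread["same_8"] += 1
            else:
                spread["other"] += 1
        findings[src] = {
            "probed": len(targets),
            "exploit_attempts": sorted(followed),
            "spread": spread,
        }
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_FLOWS).items():
        print(src, f)
```

A real infection runs 128 scanning threads, so the probe count per minute is in the hundreds and the threshold can be set far higher than the toy value; the `same_16` / `same_8` / `other` counts should then approach the 32/32/64 split the analysis describes. Requiring the 445 flow to follow the 5000 probe in time would tighten the rule further if the flow source carries timestamps.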

It is unclear why the trojan author chose to only infect Windows XP systems. It could be for simplicity: the exploit will crash a system if the target OS and patch level do not match certain offsets in the exploit code, so limiting the target platform means you only have to send one offset. It could also be that the spammer prefers to operate using home-user systems rather than corporate servers, which would be more likely to be running Windows 2000.
The internal workings of the code appear similar to spam trojans we have seen before - most recently in the "Minit" trojan. This could be an indication that they at least share some of the same code if they are not written by the same author.
Update: May 19, 2004
At this time, two more variants have been discovered. Bobax.B is a minor variant with additional websites to contact. In addition to seven primary control hosts contained in the binary, Bobax.B can generate a large number of hostname variations on those names in order to thwart attempts to have the names taken out of the free DNS services it uses. For instance, if butter.dns4biz.org no longer works, butter1.dns4biz.org, butter2.dns4biz.org, butter3.dns4biz.org and so on can be used. After the suffix '9', letters a-z are used. It also attempts to download files from other websites as a bandwidth-speed test. Bobax.C has introduced the ability to spread by also exploiting the RPC/DCOM vulnerability used by the Blaster worm (MS03-026/MS03-039) on TCP port 135.

Variant  Size (bytes)  MD5                               Compile Date
A        20,480        b0825423585db91f845cf77cbeb91774  Sat May 15 18:31:56 2004
B        21,504        a1ed86348c7c2540244dc87dea3db5e9  Sun May 16 22:13:38 2004
C        22,528        18a3787cbb84b4215c28a3d7ba20213f  Tue May 18 00:09:19 2004

Police probe Sasser informant
German police raid homes in Sasser computer worm probe
New Worm Spreads By Replying To All Mail
Symantec Agrees To Buy Anti-Spam Vendor Brightmail
Yahoo releases e-mail standard to fight spam
Bobax worm takes tip from Sasser
Open Source Users Unaffected by Sasser Worm - The Internet Keeps Going Despite Flawed Proprietary Software


Google News:

An explanation of our search results
If you recently used Google to search for the word "Jew," you may have seen results that were very disturbing. We assure you that the views expressed by the sites in your results are not in any way endorsed by Google. We'd like to explain why you're seeing these results when you conduct this search.
A site's ranking in Google's search results is automatically determined by computer algorithms using thousands of factors to calculate a page's relevance to a given query. Sometimes subtleties of language cause anomalies to appear that cannot be predicted. A search for "Jew" brings up one such unexpected result.
If you use Google to search for "Judaism," "Jewish" or "Jewish people," the results are informative and relevant. So why is a search for "Jew" different? One reason is that the word "Jew" is often used in an anti-Semitic context. Jewish organizations are more likely to use the word "Jewish" when talking about members of their faith. The word has become somewhat charged linguistically, as noted on websites devoted to Jewish topics such as these:
* http://shakti.trincoll.edu/~mendele/vol01/vol01.174
* http://www.jewishworldreview.com/cols/jonah081500.asp
Someone searching for information on Jewish people would be more likely to enter terms like "Judaism," "Jewish people," or "Jews" than the single word "Jew." In fact, prior to this incident, the word "Jew" only appeared about once in every 10 million search queries. Now it's likely that the great majority of searches on Google for "Jew" are by people who have heard about this issue and want to see the results for themselves.
Our search results are generated completely objectively and are independent of the beliefs and preferences of those who work at Google. Some people concerned about this issue have created online petitions to encourage us to remove particular links or otherwise adjust search results. Because of our objective and automated ranking system, Google cannot be influenced by these petitions. The only sites we omit are those we are legally compelled to remove or those maliciously attempting to manipulate our results.
We apologize for the upsetting nature of the experience you had using Google and appreciate your taking the time to inform us about it.
The Google Team
p.s. You may be interested in some additional information the Anti-Defamation League has posted about this issue at http://www.adl.org/rumors/google_search_rumors.asp. In addition, we call your attention to both the Jewish Internet Association, an organization that addresses online anti-semitism, at http://www.jewishinternetassociation.org/, and Google's search results on this topic.

Google Experiments With Local Filesystem Search
Teoti writes "No, Puffin is not the next name of your favorite email client, but, according to the New York Times (NSA reg. req.), the project codename for a new Google search application coming directly into your desktop, that will let you search your local filesystem efficiently. This is different from, but complementary of, the Google DeskBar that already lets you search the Web. The article also gives a few words on the end of the stand alone browser in Longhorn."

Google defines good manners for adware
What Google's Gmail Means for the Web
A new site has surfaced called Gmailswap; some people will do the most idiotic thing to get a GMail. I currently am out of invites, so do not ask me for a GMail account. Google might refill our invites soon.
My Left Arm for a Gmail Account
Google fleetingly offers some 1,000GB



E-Mail Scammer Gets Four Years
By David McGuire, Washington Post May 19 2004 8:51AM
An Internet scammer who used e-mail and a fraudulent Web site to steal hundreds of credit card numbers was sentenced to almost four years in jail Tuesday, one of the stiffest-ever penalties handed down for online fraud.
Houston, Texas federal court Judge Vanessa Gilmore sentenced Houston resident Zachary Hill to 46 months in jail for his role in duping consumers into turning over 473 credit card numbers.
The Justice Department said the sentence is "one of, if not the longest" ever handed down against an e-mail scammer, said spokesman Michael Kulstad.
Hill, 20, used a "phishing" scheme to make his e-mail look like it came from America Online, the nation's largest Internet service provider, or PayPal, the online payment subsidiary of auction giant eBay. The message told victims that their accounts had lapsed and that the companies required their credit card numbers and passwords to restart them.
Hill prompted recipients to enter their information into Web forms designed to look like pages run by the companies, the Justice Department said. Hill then used the credit card numbers to buy $47,000 in goods and services.

Utah sees first spyware case
overload functions in C?
Skype Creator Promises Official VOIP Program Release
PHP Tutorial
Do All in Cmd Shell



