~ Archive for Systems ~

Dumaru


Here's professional information about the Dumaru virus, including a removal tool. Below are some questions:

Why does ‘Microsoft’ have my email address? Has ‘Microsoft’ ever sent out a patch by email? Would they do this by spamming? If they did spam to get people to patch, why would they send the patch as an attachment to an email, which EVERYONE knows is easy to forge? Maybe they would have some sophisticated technology which would allow them to point users to a website such as http://windowsupdate.microsoft.com? I’ve been hearing a lot of buzz lately about something called a ‘URL’; maybe that could be used for this purpose.

Why are they using exclamation points after the subject and every sentence? Why would they start the message “Dear Friend”? Isn’t that what spammers do? Wouldn’t Microsoft want a more corporate voice?

Why do they have the incompetent punctuation habit of putting a space between a word and the mark which follows it? Why would they write 500,000 with a dot instead of a comma? They’re an American company, right?

Why is the “patch” named “patch.exe”? Wouldn’t you expect that perhaps Microsoft has issued more than one patch for their many products over the years? Maybe they would want to give them names which might distinguish them from one another? And why haven’t they bothered saying which vulnerability the patch is for?

Why did this message enter Harvard’s mail system from someone’s infected home machine in Virginia? Isn’t Microsoft out west? And don’t they own their own computers?

Received: from localhost (h24-82-236-138.va.shawcable.net [24.82.236.138])
	by netopc.harvard.edu (8.11.6/8.11.6) with SMTP id h7NKBPU13613
	for ; Sat, 23 Aug 2003 16:11:25 -0400

Date: Sat, 23 Aug 2003 16:11:25 -0400
From: 'Microsoft' 
Subject: Use this patch immediately !

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Content-Disposition: attachment; filename=patch.exe

sobig.f on a rampage


A few people (e.g. red) at the Berkman Center have started getting lots and lots of messages infected with the W32.Sobig.F virus.

This is irritating for a couple of reasons.

1) It’s a drag to get lots of superfluous and possibly dangerous mail.

2) People will think you are infected with it, even when you aren’t. Sobig.F includes its own SMTP engine, which means that it talks directly with mail servers. This allows it to forge the address it alleges to be “from”. It also knows how to search through various files on an infected machine’s hard drive, and harvest email addresses. It uses these addresses both as a list of people to try to infect, and as a list of people from whom to pretend to have originated. So if your email address happens to be in a file which a Sobig virus looks at, people will get infected messages which claim to be from you. Some helpful souls will think that means you have a virus, and contact you. Some ill-guided institutions have doodads installed on their mail servers which automatically bounce virus-infected mail back to the “sender”, which is obviously dumb and confusing when the alleged sender is not the same as the infected person. It would be better to make these programs only bounce messages which contain viruses which actually use the real originating email address. In my opinion this behavior hovers somewhere along the border of unethical.

3) Sobig.F searches through cached webpages in addition to address books. If your address, like bloggercon at cyber.law.harvard.edu or cyber at law.harvard.edu, is in a lot of reasonably popular webpages, it will be cached on many machines and you will get a Lot of mail from a Lot of different people, and probably have your address forged on a Lot of infected emails.

4) The Sobig.F messages are, well, so big! The attachment is like 100k. If you have a quota on your mailbox and are getting lots of these, they might flood you.

So how do we deal with this? There is, unfortunately, no way to get the deluge of mail to stop, since it’s close to impossible to figure out whom an infected message is actually originating from. But here are a few things you can do:

1) Make sure you have up-to-date virus software, so at least you can avoid the indignity of getting infected. If you’re at Berkman and your machine is on the network you’re fine. Otherwise you should make sure your virus definitions are very recent. I don’t know about other vendors, but Symantec just released their sobig.f definition today.

2) Everyone knows not to open attachments with extensions like .exe and .bat. However, Sobig.F uses .pif and .scr as its filename extensions. Don’t open attachments with these names either. And for Pete’s sake, don’t open attachments from people you don’t know. This is not burdensome paranoia – it’s common sense.

3) Cultivate forbearance and cunning. If you’re only getting a few of these messages, you can grin and bear it. If they’re really bugging you, it might be worthwhile to invest some time in setting up filters in your email program to delete these messages automatically, or move them to some other folder. There are only a half-dozen or so subject-headings that Sobig.F uses, and there are some other characteristics all infected emails will share, such as the presence of an attachment and certain text in the body.

If you want to know more, find a removal tool, etc., you can consult this excellent information page from Symantec or this from Sophos. Lots more details there.
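The filtering advice in the Sobig.F post, and the "patch.exe" attachment in the Dumaru message above, both come down to one check: does the message carry an attachment with an executable extension? The following POSIX shell script is an added example, not code from either post. It pulls attachment filenames out of Content-Disposition headers and flags the four extensions the posts name (.exe, .bat, .pif, .scr). The sample messages are constructed for the example; the Dumaru one reuses the headers quoted above, and the filenames "details.pif" and "report.pdf" are made up.

```shell
#!/bin/sh
# Added example (not from the original posts): flag mail whose attachment has
# an executable extension. Only the extensions named in the posts are listed.
BLOCKED_EXTS=' exe bat pif scr '

# Constructed sample: the Dumaru message quoted in the post above.
DUMARU_MSG=$(cat <<'EOF'
From: 'Microsoft'
Subject: Use this patch immediately !

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

Content-Disposition: attachment; filename=patch.exe
EOF
)

# Constructed sample in the shape of a Sobig.F-style message (filename made up).
SOBIG_MSG=$(cat <<'EOF'
From: someone@example.invalid
Subject: Re: Details

See the attached file for details.

Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
EOF
)

# Constructed sample of a harmless message with a document attached.
CLEAN_MSG=$(cat <<'EOF'
From: colleague@example.invalid
Subject: Quarterly report

Content-Disposition: attachment; filename="report.pdf"
EOF
)

# Print one attachment filename per line, taken from Content-Disposition
# headers (case-insensitive), with quotes and trailing parameters removed.
attachment_names() {   # $1 = raw message text
    printf '%s\n' "$1" | awk '
        {
            lc = tolower($0)
            if (lc ~ /^content-disposition:/ && (i = index(lc, "filename=")) > 0) {
                s = substr($0, i + 9)   # text after "filename="
                sub(/;.*$/, "", s)      # drop any further parameters
                gsub(/"/, "", s)        # drop surrounding quotes
                print s
            }
        }'
}

# Lowercased extension of a filename, or nothing if it has no dot.
extension() {   # $1 = filename
    printf '%s\n' "$1" | awk -F. 'NF > 1 { print tolower($NF) }'
}

# True (exit 0) when any attachment's extension is in BLOCKED_EXTS.
has_blocked_attachment() {   # $1 = raw message text
    found=$(attachment_names "$1" | while IFS= read -r name; do
        case "$BLOCKED_EXTS" in
            *" $(extension "$name") "*) echo yes; break ;;
        esac
    done)
    [ "$found" = yes ]
}

# Stand-alone run: show the verdict for each constructed sample.
for label in DUMARU_MSG SOBIG_MSG CLEAN_MSG; do
    eval "msg=\$$label"
    if has_blocked_attachment "$msg"; then
        echo "$label: executable attachment, quarantine"
    else
        echo "$label: deliver"
    fi
done
```

The extension test is deliberately case-insensitive, so "Report.PIF" is treated the same as "report.pif"; a filter keyed on the exact extension string would miss the upper-case variant.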

Adding a webgui site


I’ve written the first version of a command line script to automate the creation of a webgui site. It’s at eon:/opt/sbin/add-webgui-site.sh. It handles setting up the directory structure, the configuration file, and the initial database structure. It also prints out the changes to make to the apache config files (I don’t want to do these automatically, since they require a web server reboot, which takes down most of our dynamic sites for a few seconds). This also just sets up a vanilla webgui installation, with the goofy webgui default style and getting started pages. I’ll update it soon to set up a couple of initial admin users, delete the getting started pages (perhaps replace them with a more helpful tutorial?), and tweak a couple of the other settings. It saves 15 minutes of fiddling as is, though.

Cloning a Computer With Free Software


I’m going to describe a method here which I’ve used successfully to move a Windows XP system to a new hard drive. This is one of the things that commercial programs like Norton Ghost do. But the method I’ll describe here has worked for me several times, requires no expensive proprietary software, and provides a fun excuse to learn interesting stuff.

The first thing you should know about shenanigans like this is that it’s extremely extremely easy to make colossal errors which will utterly and irrevocably destroy all the data on your hard drive. Make a backup! Also, there are huge gaps in my knowledge. I wouldn’t trust me if I were you. Don’t do anything without understanding why! I’m not writing this as an authority, but as a story-teller. I would’ve liked to find a narrative through this, because the references I found in Google to this kind of stuff were pretty fragmentary and allusive.

The first thing you’ll need is a free unix boot disk. You can use a CD-ROM installation disk for this – anything which will give you a shell and have the two crucial programs dd and fdisk. A boot floppy could work fine too, though it’s obviously hard to fit a great deal of Unix on one mere floppy. I like Tom’s Root Boot, which has a surprising amount of stuff.

You can use fdisk and dd to do nifty things like imaging a computer from somewhere on your network, but what I’m going to describe is what I’ve done most recently, which is moving a Windows system from a small, slow disk to a larger, faster one. I had two IDE drives, the original 6 GB and a blank 80 GB. I plugged both of them into the machine, and booted up. I wanted the hard drives on different IDE buses, since transferring a lot of data from master to slave drive on the same bus is slower than doing it between two different buses, so that’s how I set it up – the 6G drive was disk 0 on the first bus, and the 80G drive was disk 0 on the second.

Brief discursion for Windows folks – in Unix, physical devices are represented as files, found in the /dev/ directory. Tom’s Root Boot is linuxy, so the first IDE hard drive is the /dev/hda file. If there’s a slave on that bus it’ll be hdb, but my second drive was on the second bus so it was hdc. These files refer to the whole entire hard drive, including the partition table and everything, so you will very rarely want to write anything to them directly. The partitions of a disk are represented by similarly named device files, with numbers in their names. So the first partition on my first IDE drive was called /dev/hda1. This is the c: drive. There was another 2G partition on the original drive which I didn’t care about.

Now, I wanted to create a partition on the new drive, /dev/hdc. This is where I will copy /dev/hda1 to, so I want the new partition of hdc to be exactly the same size as hda1. To find out the size of hda1, I run “fdisk /dev/hda”, and hit p to print the partition table. I get some output like:

Disk /dev/hda: 255 heads, 63 sectors, 784 cylinders
Units = cylinders of 16065 * 512 bytes
   Device Boot     Start      End     Blocks    Id   System
/dev/hda1  *       1          522     4192933+   7   HPFS/NTFS
/dev/hda2  blah blah I don't care about this partition

So how big is that hda1 partition? Well, it’s made up of 522 cylinders. And each cylinder is 16065 * 512 = 8225280 bytes. So we’re looking at 4293596160 bytes, i.e. 4G.

Now I wanted to make a new partition, hdc1, on the new drive, hdc, so I ran “fdisk /dev/hdc”. When I printed the partition table I saw one crucial nice thing – the cylinder size on the new hard drive was the same as on the old one. I don’t even know if this method would work if the hard drives had different cylinder sizes – I’ve tried it and had it fail, but I have reason to believe that was due to one of my test-subject hard drives being broken.

With the cylinder size the same, it’s easy to create a partition of the same size – just use the same number of cylinders.

So I hit “n” in fdisk to create a new partition. I’m prompted to say whether I want a primary partition or an extended partition. I want this new partition to be partition 1, so I hit “p”. Now I’m prompted for the partition number, i.e. 1. Now I’m prompted for which cylinder should be the first cylinder in this partition, i.e. 1, and which I want to be the last, i.e. 522.

OK, I’ve created the partition and if I print the partition table I now see

Disk /dev/hdc: 16 heads, 63 sectors, 39560 cylinders
Units = cylinders of 1008 * 512 bytes
   Device Boot     Start      End     Blocks    Id   System
/dev/hdc             1        522   4192933+  83  Linux

There are still two changes I have to make to get hdc1 to match hda1. First I hit “a” to flag hdc1 as a bootable partition. And then I hit “t” and change the partition type to 7, which means NTFS. And now I’m happy with my new partition so I hit “w” to write the new partition table I’ve created to the hard drive.

Now we copy the old partition over to the new one, by running the command “dd if=/dev/hda1 of=/dev/hdc1”. This will take a long time – it could easily be an hour or significantly more, depending on partition size. Since dd gives no satisfying output whatsoever, no progress bar, no nothing, you might as well go write up a blog entry about how to do this process, or something…

OK, when it’s done I’ve cloned the c: drive successfully! But the new hard drive still isn’t bootable – it has no master boot record (MBR). The MBR is a groovy little program kept at the very beginning of the partition table — the BIOS loads it during the boot process, and it tells the computer which partition to boot from. It’s 512 bytes long. As it happens, simply copying the first 512 bytes from hda onto the beginning of hdc will make hdc bootable. It’s weird that that works. I suspect it would mess up if you did much differently, e.g. if you copied hda1 to any partition on hdc other than hdc1. But anyways, here’s how you copy those 512 bytes: “dd if=/dev/hda of=/dev/hdc bs=512 count=1”. Note that if you screw anything up at all with this command, you’re in hot water – for instance, if you switch the values of the “if” and “of” parameters you’ll end up with neither disk bootable. Be careful!
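Two steps of the procedure above are done by hand in the post: reading the partition size out of the fdisk table (cylinders times bytes per cylinder), and trusting that the 512-byte copy produced a usable MBR. The script below is an added example, not the post's own code, that does both as shell functions. The fdisk text is a constructed copy of the output quoted above, with a made-up hda2 line in place of "blah blah"; the device names are the post's placeholders, and nothing here writes to a real disk. The cylinder parser also handles the post's second table, where no "*" boot flag shifts the columns, and the MBR check runs against a throwaway image file rather than a device.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the fdisk/dd cloning
# procedure. All inputs are constructed sample data; no real disk is touched.

# Constructed copy of the fdisk "p" output quoted in the post (hda2 line made up).
FDISK_OUT='Disk /dev/hda: 255 heads, 63 sectors, 784 cylinders
Units = cylinders of 16065 * 512 bytes
   Device Boot     Start      End     Blocks    Id   System
/dev/hda1  *       1          522     4192933+   7   HPFS/NTFS
/dev/hda2          523        784     2104515    7   HPFS/NTFS'

# Bytes in one cylinder, taken from the "Units = cylinders of N * 512 bytes" line.
cylinder_bytes() {   # $1 = fdisk output
    printf '%s\n' "$1" | awk '/^Units = cylinders of/ { print $5 * $7; exit }'
}

# Cylinders a partition spans (End - Start + 1), looked up by device name.
partition_cylinders() {   # $1 = fdisk output, $2 = partition device, e.g. /dev/hda1
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == dev {
            # an optional "*" boot flag in column 2 shifts Start/End right by one
            if ($2 == "*") { start = $3; end = $4 } else { start = $2; end = $3 }
            print end - start + 1
            exit
        }'
}

# Partition size in bytes: cylinders * bytes per cylinder (the post's arithmetic).
partition_bytes() {   # $1 = fdisk output, $2 = partition device
    echo $(( $(partition_cylinders "$1" "$2") * $(cylinder_bytes "$1") ))
}

# True (exit 0) when bytes 510-511 of the disk or image hold the 0x55 0xAA
# boot-sector signature, the check worth running after the 512-byte MBR copy.
has_mbr_signature() {   # $1 = path to a disk device or image file
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Build a constructed two-sector image whose first sector ends in 55 AA,
# standing in for a disk that has received an MBR.
make_sample_image() {   # $1 = output path
    dd if=/dev/zero of="$1" bs=512 count=2 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Stand-alone run: reproduce the numbers the post derives by hand.
echo "hda1 spans $(partition_cylinders "$FDISK_OUT" /dev/hda1) cylinders" \
     "= $(partition_bytes "$FDISK_OUT" /dev/hda1) bytes"
```

Run has_mbr_signature against the destination disk after the final dd; a zeroed or half-written first sector fails the check, which is cheaper to learn from a two-byte read than from a machine that will not boot.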

Office Streaming


We had an interesting conversation with Diane today about the legality of setting up a streaming jukebox on the web for the office. We have one just for the geekroom (a web based mp3 jukebox that plays either queued up songs or random songs if nothing is queued), which has seemed okay since it is only playing in one physical room. However, we’d like to share the stream with everyone else in Baker and perhaps even other Berkman folks in other HLS buildings.

There seems to be an exception in the copyright code that deals specifically with playing background music in a business, but the exception specifically disallows an “interactive service,” which is basically anything that consists of a request. So it’s legal for us to stream the jukebox through the office, but only if we disable the queueing features. This would also mean that it would be illegal to buy a real jukebox that uses CDs and play it at the office, since a jukebox is an interactive service. For that matter, it would be illegal to play requested CDs at the office. If one person dictatorily decides which CDs to play, it’d be illegal, but if you let different folks choose the CDs throughout the day, that fits the definition of interactive and is therefore illegal.

Of course, we could just pay the webcasting royalty rates, but assuming our average employee listens to music 40 hours a week, we’d have to pay about $60 per week per employee listening. Whaddya say, John, can we afford $30,000 per year for an office jukebox?
