CryptoLocker and Bitcoin

November 18th, 2013

The thoroughly expected “CryptoLocker” malware has attained prominence over the last two months, properly encrypting files and requiring a difficult-to-track ransom in order to receive back the decryption key.

At the same time, there has been a large run-up in the price of Bitcoin.

Most commentators have focused on the Chinese market to explain the Bitcoin run-up.  However, some attention is finally being paid to how the Bitcoin ransoms may be helping to inflate this tiny market:

2) A sinister cryptlocker virus has been spreading aggressively for more than a month. It hijacks computer systems and threatens to delete data unless a bitcoin ransom is handed over. Also, reports abound of a rush of purchases by unsophisticated and distressed buyers who are presumably ready to pay any price, and thus can be squeezed by more sophisticated players in the market.

Kaminska makes this reason #2, ahead of the Chinese market and below the Silk Road seizure – but the Silk Road incidents should have lowered the price, not raised it.

Combine that with how it might be difficult to buy a MoneyPak, and you’ve got the recipe for a squeeze.

Backdoor found in OpenX open source version 2.8.10 – some thoughts

August 8th, 2013

Two days ago, Heise (the German news and IT firm) reported that a backdoor was found in the prominent advertising platform OpenX.  (German link here, and I leave translation to the reader.)  The backdoor itself was injected into a somewhat obscure flowplayer javascript file, with obfuscated php hiding the fact that it was a remote code execution bit of php.  With this code there, it would be trivial for a solid hacker to build a shell for the server and completely compromise it.

The question which immediately came up for me was, Huh?  Since when is a webserver interpreting a javascript file as a php file?  I doubted that it is typical for web servers to be configured to have .js files interpreted by the .php interpreter first, then sent to the browser.  However, none of the technology reporting said anything about how the OpenX backdoor was getting the .js file to be executed as .php.

A couple of examples of the simple explanation, that .js files just obviously might house some PHP and invoke it:

But web servers don’t do that.  So there must be something else in the OpenX code which allows javascript to be interpreted as php.  One clue was that the original Heise article said:

“The file is activated by a call to require_once()” (in the original German: Die Datei wird durch einen Aufruf von require_once() aktiviert)

which means, basically, that the rogue PHP function in the flowplayer js would be called and activated by a require_once() call.  But where is that call?

The second clue is that there were actually three files involved in the intrusion, not one, and all three are critical to the intrusion.  The somewhat unhelpful post from OpenX says to md5sum the following files:

558c80e601fb996e5f6bbc99a9ee0051  plugins/deliveryLog/vastServeVideoPlayer/flowplayer/3.1.1/flowplayer-3.1.1.min.js
fa4991d5fd3bf4a947b6ab0b15ce10b2  plugins/deliveryLog/vastServeVideoPlayer/
5014c31b479094c0b32221ae1f1473ac  lib/max/Delivery/common.php

The question then is: what is special about the other two files, and why would changing them be related to closing the backdoor?  Version 2.8.10 has this line:

MAX_commonReadFile($pwd . '/' . $file_to_serve);

whereas versions 2.8.9 and 2.8.11 have:

echo file_get_contents($pwd . '/' . $file_to_serve);

The latter would simply send the javascript without interpreting it.  But… what does MAX_commonReadFile do?

Cue lib/max/Delivery/common.php:

Versions 2.8.9 and 2.8.11 don’t have this function, so it was also injected.  Here is the function in 2.8.10, nestled between MAX_commonConvertEncoding and MAX_commonSendContentTypeHeader:

/**
 * A function to read a contents of SWF file
 * @param string $file The path to SWF file to read
 */
function MAX_commonReadFile($arg) {
    require_once($arg); // the backdoor trigger; its ['debug']['read'] gating condition did not survive on this page
    echo file_get_contents($arg);
}


Bingo.  There is the invoker of the backdoor: require_once($arg), which in this case resolves to the path of the flowplayer .js file.  All this stuff about “SWF file” is obfuscation – the attacker was actually doing a javascript read, and frankly, there never would be a reason to require_once a file if it is a non-php asset like a SWF.

I’m currently puzzled about the ['debug']['read'] item – it seems to be a way of throwing off admins who are trying to trace problems with the site and thus are in debug mode.  Anyone else have an idea?
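Two checks a defender can run over a PHP code base to catch exactly this pattern, as an added example that is not code from OpenX or from the original post: a non-PHP asset (the flowplayer .js file) that carries a PHP open tag, and a require/include whose target is not a literal .php file (such as require_once($arg) fed from $pwd . '/' . $file_to_serve).  The sample sources used to exercise it are constructed.

```python
"""Added example, not code from OpenX or the original post.
Two defender-side checks against the pattern described above:
  1. a .js/.swf asset that contains a PHP open tag (PHP hidden in
     flowplayer-3.1.1.min.js), and
  2. a require/include whose target is not a literal .php file,
     e.g. require_once($arg) fed from $pwd . '/' . $file_to_serve.
"""
import re
from pathlib import Path

PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
INCLUDE_CALL = re.compile(
    r"\b(require_once|require|include_once|include)\b\s*\(?\s*([^;]+?)\s*\)?\s*;")
ASSET_EXTS = {".js", ".swf"}


def asset_has_php_tag(text):
    """A JavaScript or SWF asset should never contain a PHP open tag."""
    return PHP_OPEN_TAG.search(text) is not None


def suspicious_includes(php_source):
    """Return require/include statements whose target is not a literal .php file.
    MAX_PATH . '/lib/x.php' is normal; $pwd . '/' . $file_to_serve or a
    .js literal is flagged, because only PHP code should ever be required."""
    flagged = []
    for keyword, arg in INCLUDE_CALL.findall(php_source):
        arg = arg.strip()
        if not re.search(r"""\.php['"]$""", arg):
            flagged.append(f"{keyword}({arg})")
    return flagged


def scan_tree(root):
    """Walk a checkout and apply the two checks by file extension."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        text = path.read_text(errors="replace")
        rel = str(path.relative_to(root))
        if ext in ASSET_EXTS and asset_has_php_tag(text):
            findings[rel] = ["PHP open tag inside a non-PHP asset"]
        elif ext == ".php":
            hits = suspicious_includes(text)
            if hits:
                findings[rel] = hits
    return findings
```

Run scan_tree() against an unpacked release; an include whose target is built at runtime is the kind of finding that deserves a diff against the previous version.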

So, a few final thoughts:

Adventures in Live Linux CDs

July 9th, 2013

Recently I’ve needed to use Live CDs for a client, when nothing could be saved on disk.  I’ve used:

* Knoppix (best)

* Xubuntu (has problems with the wireless card in this laptop)

* Tails (security overkill)

It is time to take a look at Puppy again, just to see if it is compatible with the wireless card in this server.

Incidentally, the idea of routinely using a hard-drive-free Linux live CD is becoming more appealing.  The idea is to have a computer with no connection between current and past sessions.  If you are dealing with information covered by privacy regulations, like student info, health information, or financial information, this can help you meet regulations in short interactions with websites.

“When Patents Attack!” on This American Life

June 4th, 2013

Intellectual property concerns are paramount in the technology world.  Once the Supreme Court opened the door for patenting computer programs and technical processes, the economic incentive to patent technologies of all kinds became large.

Pair that with a potentially less-than-precise Patent Office, which frequently allows patents which are either obvious or have significant overlap with other patents (and frequently both!), then you get a recipe for litigation over the most simple of computer techniques (say, one-click ordering, pop-up windows on mobile, or cloud storage of files).

This American Life put together a fantastic exploration of this topic.  Check it out.

New trend in credit card fraud

April 25th, 2013

The ISC StormCast for today mentions a new way the use of stolen credit cards is being automated.  Rather than start at minimal amounts (as in 0.05) to test the cards, the attackers are starting at high amounts and ratcheting downwards until the transaction is accepted.  Clever.
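A detection the issuer or merchant side can run over an authorization log to spot the ratcheting pattern described above, as an added example that is not from the StormCast or the original post: a run of declines on one card whose amounts only go down, ending in an approval.  The card tokens and amounts are constructed for the demo.

```python
"""Added example, not from the ISC StormCast or the original post.
Flags the card-testing pattern described above: several consecutive
declines on one card with strictly decreasing amounts, then an approval.
The authorization records are constructed sample data."""
from collections import defaultdict

# constructed sample: (card_token, amount, result), in time order
SAMPLE_AUTHS = [
    ("tok_A", 950.00, "declined"),
    ("tok_A", 600.00, "declined"),
    ("tok_A", 300.00, "declined"),
    ("tok_A", 120.00, "approved"),   # ratchet-down test: amounts fell until accepted
    ("tok_B", 0.05, "approved"),     # classic micro-charge test, a different pattern
    ("tok_C", 40.00, "declined"),
    ("tok_C", 80.00, "approved"),    # amount went up: an ordinary retry
]


def ratchet_down_cards(auths, min_declines=2):
    """Return card tokens with >= min_declines consecutive declines at
    strictly decreasing amounts, followed by an approval at a lower amount."""
    by_card = defaultdict(list)
    for token, amount, result in auths:
        by_card[token].append((amount, result))
    hits = []
    for token, events in by_card.items():
        run = 0       # length of the current strictly-decreasing decline run
        prev = None   # amount of the previous decline in that run
        for amount, result in events:
            if result == "declined":
                run = run + 1 if prev is None or amount < prev else 1
                prev = amount
            else:
                if run >= min_declines and prev is not None and amount < prev:
                    hits.append(token)
                run, prev = 0, None
    return hits
```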

Mobile usage March 2012 according to Nielsen

May 8th, 2012

Nielsen reports today that more than 50% of Americans use smartphones, and that Android-based phones are in the lead.  Android is above 48%, and iPhone is at 32%.

Android software is heavily fragmented, however, and I would suspect that a demographic study of users would reveal that iPhone users are more valuable in general.

“Free” antivirus software packages

November 6th, 2008

The word “free” is always dicey when you talk about computer software. Usually, free software is a loss-leader for the software company, and such software often comes bundled with stuff which tries to separate you from your money later on. And, in the worst cases, this “stuff” is spyware, which spies on you, trying to figure out how to sell you more stuff.

Nevertheless, there are some computer security companies which make available some good antivirus software, and they give it away to home users. Those companies hope to make money later, either from upgrades, or indirectly as a marketing cost leading to higher trust levels (for instance, tech people buy their software for non-home situations). I often recommend these packages to my clients, and they work well in a pinch.

The biggest problem with these programs is that they can turn into “nagware” – that is to say, they start nagging you to buy an upgrade. AVG, for instance, used to be pretty quiet, but now (in 2008) its newest version is total nagware.

There are a few other currently free antivirus software packages – for instance, Avira AntiVir and Eeye Blink – but I can’t say anything one way or another on those two.

LogMeIn: good stuff

December 3rd, 2007

Thought I’d give a shout-out to the makers of LogMeIn, who have come up with a useful free version of a product which turns out to be more handy than my previous option (a combination of DynDNS, VNC, and fiddling with routers). In the span of 3 months, I went from not using it at all to having more than a dozen systems on it.  (It even has a Mac version, in beta, which I can use to remote-control my media-laden Mac Mini.)

About two years ago, I tried to get Hamachi working — that was the original project by this company, so far as I know. Frankly I was left a little baffled, and ended up using the old standby, OpenVPN.  However, compared to Hamachi-of-two-years-ago, LogMeIn is wonderfully slick.

I foresee a time when I’ll be using its Rescue, Pro, and Backup versions — there are situations appropriate for those kinds.  (Pro allows you to locally print off a remote program; Rescue lets you help people remotely without an install; Backup does what backup implies — competitor to Mozy?)  But for now, LogMeIn is good enough to keep me from exploring further VNC, PCAnywhere, Connect, Remote Desktop, SharedView, WebEx, or Glance.  In the future, those will surely become part of the mix.

Malicious website advertisements: new trends

November 19th, 2007

A client of mine ran into an odd event last week: the computer seemed to be infected either with a virus or with an anti-virus program which wouldn’t shut up.

After looking at it a bit, I had to shut down the web browser, and though I couldn’t find any malware, I made sure her workspace was over at a non-admin account.

Now today, I find that reputable websites (that is, if and are reputable) are serving advertisements from doubleclick — and those ads are the culprit. This youtube video shows what happens.

What can you do? Well, we are now in the age of cross-site web programming, wherein almost all websites are assembled together on the web browser to create one’s internet experience. You have to assume that even responsible websites will be using scripts, videos, or widgets from other sites. And you also have to assume that they won’t catch everything. So: you have to practice safe browsing, now more than ever. This means one thing, above all:

Don’t browse the web when you’re using your computer in a profile or account which can make widespread changes on your machine. (These are usually called “administrative” accounts.)

If you do, well, you’ll be paying someone to clean up your machine sometime soon.

Small-to-medium business uptake of linux?

April 17th, 2006

The linked article brings up an interesting issue. Part of the topic really is a lack of management at such places. The types of tasks which need to be done in the enterprise haven’t been analyzed, and thus employees are allowed to do basically anything they want with their machines. They are consequently encouraged to rely on any old application which comes their way, and get hooked on it.

SMEs really need to have a sense of what computers will do for their enterprise. Why do they have computers, and how do they add to the bottom line of the company? That reasoning then should have impacts with employee job roles and with information technology spends, no matter how small.

If an employee truly only needs to work with a web browser and with a spreadsheet, it is ridiculous to use a Windows machine. Technology choices should then go from there.

Employees will simply learn to copy, whatever the tasks. If Mozilla and OpenOffice are given for tasks, then the employees will cope. Once that is all they use, then if they show up one day and all their data is on a server of some sort (IMAP, shared backed up server, etc.), and they can still run Mozilla and OpenOffice, then there you go.

The “gravy” (media players, chat software, etc.) really can be duplicated for free on linux without incident. It may be better, in fact.

This form of thinking can apply to lowering one’s Windows spend as well. There are open source alternatives on Windows, and they should be used as much as possible. Start with OpenOffice, Thunderbird, and Firefox. Gaim if you need chat. MS Access is still handy on Windows — a MySQL/OpenOffice emulation is on its way.
