PGTS PGTS Pty. Ltd.   ACN: 007 008 568

point Site Navigation

point Other Blog Threads

  Valid HTML 4.01 Transitional

   Stop Spam! Stop Viruses!
   Secure And Reliable Ubuntu Desktop!


   If you own a netbook/laptop~
   Download Ubuntu Netbook!

PGTS Humble Blog

Thread: Internet Security/Malware/Spam

One world --- Or none!

The Problem Of The Living Dead

Chronogical Blog Entries:

Date: Mon, 31 Jan 2011 17:39:57 +1100

At the start of this year, the Canberra-based Think-Tank, The Kokoda Foundation, which has many connections to Australian defence forces, and have, in the past, released several papers on strategic and defence related issues, announced that they would address the issue of "cyber security".

Even though the report had not been released, at the time, Cameron Stewart, who writes for The Australian announced that the report would show that there is a looming "cyber security crisis" in Australia.

Now I must confess that I am not a renowned expert in the field of cyber-security, although in all modesty I can claim to have had some (relevant) first hand experience, which I will now relate, using the well worn metaphor of Hollywood horror movies in the zombie genre.

January 2005: Night Of The Living Dead

We don't normally see this much activity in a dead person!

--- "My Boyfriend's Back", 1993.

Occasionally friends and family ring me and ask for advice regarding computers and the Internet. Even though I have just confessed to not being an acknowledged expert ... Some of them still think I might have picked up the odd bit of knowledge about the topics, since I have worked as an analyst programmer for about three decades ... And as the new century unfolded, one observation I made was that regarding the steady increase in the number of Zombie computers during the first decade.

Of course, even though I am using the Hollywood metaphor, I am referring to a particular type of Microsoft computer commonly known as a zombie. No matter what else you read about Internet security, you can be sure of one thing. All zombies are Microsoft. This is because of the large number of security vulnerabilities in Microsoftware ... And because of the widespread adoption of their product. Which makes Microsoft the obvious vector of choice for malware authors.

In fact the trend was so serious, that about mid way through the first decade of this century, I decided that I would not help any friends or family re-install Microsoftware. Since the work I did for friends and family was "gratis", I considered it a waste of my time helping them reinstall the very software that was the root cause of their initial problem, which in most cases was that their computer had been turned into a "zombie" ... Only to have them call me again in a couple of months ... Because their computer had once again become a "zombie".

Not too long after I'd made this decision, a friend, who does not live in in Melbourne (the Australian city where I live), rang me to say that his emails to me were not being delivered. I asked for the time and date that he sent them and did a quick check of my log files. I discovered that his ISP's mailhub had been blacklisted. Since he was an old (and trusted) friend, I added his email address to the access "white-list" in /etc/postfix/access, which meant that future email from his (specific) email address would not be blocked.

He asked me "what could cause this". I did a little more investigation. It turned out that several portable addresses from his ISP's netblock had been reported for SPAM ... This is not uncommon ... I sent a notification to the postmaster address for his ISP (with a recommendation that they should "de-list" themselves). But, at the time, I thought it was "suspicious". There was a possibility that my friend's IP address was one of the "offenders" (i.e. a "zombie").

And there is some relevant background information. This friend had taken delivery of a new Microsoft computer about a year prior to this event ... At first like all consumers taking delivery of a "new" gadget he was excited and impressed with all the "new" features. But after a while, problems arose ... His drive was running slowly and sometimes not saving files.

Due to the tyranny of distance, I couldn't carry out a physical inspection of the computer, so I had to base my conclusions on our phone conversations ... Based on this "evidence", I told him that there was a 75 percent chance that his computer was infected with "malware".

And so he asked how could he fix that? "Well that's easy", I replied, "I can send you a CD in the mail with Ubuntu on it ... You put it in the drive and choose the option to 'format the hard drive' and use the entire disk for 'Ubuntu'". He protested that it would be too inconvenient! He had all these files in Microsoft format, etc, etc.

He said he used "Zone Alarm" and "AVG" for security etc, etc ...

Eventually his computer was performing so badly, he took it to a computer shop. They replaced the hard drive, and "cleaned" some viruses from it ... So his computer might have been a zombie ... But it was now fixed! And for a little while it worked. But then the problems re-appeared. And then became much worse! Feeling a little forlorn now, and possibly a little desperate, because he wasn't getting much help from the computer shop, he sent me some emails to say that his computer was running very slowly. Based on some questions I asked him, I searched my log files, looking for times that he visited my site, to try and find out what was happening ...

From the agent string in the files I concluded he was probably using MSIE (at the time notorious for security vulnerabilities), and that his version of MSIE might have been "hijacked" by FunWebProducts, a firm which was known to install adware and spyware on unwary "microsofties". And it looked as though his IP address (which I obtained from logs) at the same time had been listed by the CBL spamtrap.

I told him there was a 95 percent chance that his computer was infected with malware ... And he should immediately disconnect it from the Internet ... And give serious consideration to installing Ubuntu.

He said that he would do as I advised ... But later he admitted that he had not completely disconnected ... Just connected it for a little while ... To send emails etc ... He was "considering" my recommendation (to install Ubuntu) ... But just didn't have time to do it now! He was still getting a lot of spam and sent me a sample. I don't still have that sample ... But after studying it for a little while, I was able to conclude that he had spammed himself!. Or more correctly his computer was a zombie and it was the source of the spam, which at the time, caused me considerable amusement.

Although I have a feeling that my friend didn't exactly share my merriment. However he did admit that sometimes he had seen a message about "svchost.exe" on his screen ... (eek!)

Note: A science education has left me thoroughly imbued with scepticism, so I never say that I am one hundred percent certain about anything ... Except perhaps, The Second Law Of Thermodynamics ... So I did not give an estimate of the probability that his computer was infected with malware. But if I was bookmaker, I would have given the odds as a 99.999999999 percent chance that his computer was infected with malware ... Not odds, you'd bet against ... Unless you had some inside knowledge!

Eventually he took my advice and installed Ubuntu. And since then has been operating trouble-free.

September 2009: (DOS) Dawn Of The Dead

You can't talk to a man with a shotgun in his hand!

-- Carole King, "Smackwater Jack", 1971

In 2009, the PGTS website experienced dramatic network problems. The problems were caused by excessive network traffic, especially DNS queries. And this rogue traffic seemed to be part of a deliberate attempt to cripple the site.

The only assets at my disposal for defending my domain from a DOS attack was my own scant knowledge of Linux, C programming, perl and shell scripting skills and the Internet ... All of which I deployed to hastily construct a "sinbin" ... A concept borrowed from sporting contests, which impose a penalty on players who don't obey the rules, by removing them from the field of play for a "cooling off period" ... My variant of the "sinbin" was an algorithm which was directed at web clients who obviously didn't want to play by the rules.

Well perhaps that is not an informative analogy, so I will resort to another one. Even though I run the risk of mixing my metaphors.

At the time of these attacks, my website had an ancient (in computer terms) firewall which was being overwhelmed by the malicious DNS traffic. Now if perchance you are not a tech-head, dear reader, I will explain what a firewall is in non-technical terms ... I will use the more colourful metaphors of horror movie themes ... So just let your imagination loose and picture this:

The firewall that I used to have was like a grey haired old guy who manned a door entering into my domain (from the Internet). Anyone already inside PGTS could go out the door and go almost anywhere (inside PGTS) that they wished to go. And if they wish to bring someone back (from outside) ... They could do that too!

But if someone from the outside knocked on the door, the old security guard would say "Excuse me sir ... Do you have an invitation? ... May I see it?" ... If the visitor had an invite, the old guy would say "Please come in ... Have a nice day!" ... etc.

Otherwise, if a visitor arrived without an "invitation", the old security guy would look them over and see if they conformed to the "dress code". If they didn't comply the old security guy would say "I'm sorry sir but you can't come in" ... And close the door.

However certain uninvited visitors can cause disruption. These are the walking dead ... Microsoft zombies! ... When our grey-haired old firewall guy met a bunch of these living dead the (metaphorical) conversation was likely to go like this:

A Microsoft Zombie staggers in the direction of the Grey-haired Old Firewall (GOF) ... It pours forth a stream Microsoft zombie drivel!

Zombie: Grkk! grzzltx! xlstchptk? grunk!

GOF: Excuse me sir, do you have an invitation?

The zombie stares straight at him with a blank and disconcertingly unresponsive stare ... Two more zombies stumble up to the firewall door to join their colleague ....

Zombies: pft7zklst farp! gourplvktz Grark! Grsrdark! zl0hsj ltxkynw xlxtz#$%^&! grunk grrrecketch! gizzktk shlruck SHNUNK!

GOF: Gentlemen and (err) Ladies (?), please! Do any of you have an invitation?

A zlorch of zombies (and their spammer buddies) shuffle menacingly towards the trio of zombies already pressing up against the door ... The Microsoft zombie drivel becomes a cacophony. The Grey-haired Old firewall tries to raise his voice above the din ...

GOF: Excuse me! ... None of you seem to be suitably attired ... I'm sorry but you can't ... Can anybody hear me? ... HELP! HELP! ... Help! ... help ... help ...

GOF falls over and the Microsoft zombies shuffle forward ... Trampling over his still twitching body ... The dreadful din of their Microsoft zombie drivel drowns out all meaningful conversations ...

Upon completion of my hastily constructed sinbin, the firewall was still just an ancient and creaky old computer ... Still like a grey-haired old guy ... But thanks to some additional firewall scripts (using a Unix process known as IP TABLES) ... It now resembled a grey-haired old security guy with a shotgun in his hands! ... And explicit instructions from management to shoot on sight any visitor (uninvited or otherwise) who did not comply with dress codes.

You can well imagine that such a policy would improve the deportment and manners of visitors to a site ... And as the famous Carole King advises, you shouldn't give any back-chat to a man with a shotgun in his hands

Of course, those of you who are horror movie aficionados would be well aware of the fact that zombies are notorious for their lack of dress sense and poor personal hygiene ... And that a shotgun, discharged at head-height, is in fact the recommended remedial action! And in this regard, the metaphor is appropriate, so I hope you will indulge me as I embrace and extend it ... Here at PGTS, we show a distinct preference for the pump-action, 12-gauge Ubuntu model.

And since the 2009 zombie attack, the firewall has been replaced with a younger stronger model.

October 2010: Day Of The Dead

This could be the beginning of the ultimate contagion, the coming plague. -- "Day of the Dead 2", 2005

In late 2010, I received a phone call from a relative who wanted advice about some computer problems ... She had a laptop which had been "infected" with a virus and would no longer "boot". In fact there had been several sad stories from this particular relative. A year earlier, whilst living in a remote Western Australian mining town, she had purchased a copy of "Windows Seven" for several hundreds of dollars in order to fix a communications problem that she encountered with her computer. After consulting "The BigPond Help Desk" (surely an oxymoron), and various computer suppliers, she had embarked on the "upgrade" of her XP computer with Microsoft's flagship product. Needless to say, armed with such bad advice, the "upgrade" was a disaster. It did remedy her communication problem ... For a few hours ... (Probably the time it took to be re-infected with malware) ... And of course "the upgrade" destroyed all existing data on her (former) XP computer.

So in late 2010, I received the latest instalment in her saga of computer agonies. She had a laptop that was quite defunct ... Would not even start! I have found that many poor suffering computer users benefit from someone just listening ... So after listening in what I hoped was a sympathetic and caring manner, I informed her that I don't help people re-install Windows software any more. I offered to cut an ISO of Ubuntu netbook and she could at least have a working computer.

After the bad experience of her last Microsoft "upgrade", she eagerly accepted this offer. And with a little help over the phone, explaining about "BIOS" and how to configure a laptop to "boot" from the hard-drive, was soon up and running with Ubuntu netbook 10.04.

Although she was, by her own admission, "no tech-head", she boldly went where tech-heads would fear to venture ... She setup wireless networking and even upgraded her installation to 10.10 (which, at the time, had just been released).

And gradually, I am gathering anecdotal evidence of a small band of Linux "adopters" ... They are usually people on a "limited" budget ... With old computer hardware. And these days, you don't find many "old" Microsoft computers outside of a robust and well maintained firewall ... Most of them have long since been rendered inactive by "malware".

December 2010: Land Of The Dead

Hey! Dead guys don't break dance!

-- "GI Joe: The Rise Of The Cobra", 2009

(Dialogue spoken, in disbelief while a "corpse" does a horizontal "Funky Chicken" on the side-walk)

Since the 2009 zombie attack, the "sinbin" script I wrote, beefed up with some extra hardware has continued to do it's work. It has deflected zombies, rude robots, persistent spammers and other neer-do-wells, recording details in a log file as it toils tirelessly at the firewall.

From time to time I read the log file.

Towards the end of last year, I noticed traffic from an IP address very close to my own. I emailed the details to my ISP.

I should explain that all the IP addresses close to my own are static addresses and usually rented to other small businesses.

About a week later, I received a phone call from one of the engineers who works with my ISP. He told me that they were following up on my email. They had tried to contact the business that was the registered owner of the address, but probably because of the holiday season, had not been able to make speak to them.

The engineer who spoke to me was a young fellow who seemed quite familiar with security, Linux and the web hosts, and we had a brief discussion about various security packages. He endorsed a Linux package called Smoothwall, however I said that I would stick with my own custom written scripts for the time being.

Obviously dear reader, my ISP is not BigPond. It is one of the smaller ISPs ... However, it is interesting that they went to the trouble of calling me and assuring me that they were following up on my email.

There is some background to this. There is a slow ground-swell of opinion that perhaps there should be some legislation which makes it mandatory for ISPs to deny service to Microsoft zombies. The thought behind this is that it would help "secure" the Internet and makes it less likely that there might be a "Zombie Armageddon", such as the type that could result if a zombie master should emerge from the shadows and take control of very large zombie network such as Storm Worm.

Such a mandatory system would be sort of like a grand universal version of my "sinbin" script. However, even though it might be feasible for a particular site to implement such a policy ... It is an entirely different matter to attempt such an approach to be applied to the entire Internet ... As attractive as it might sound to users desperate for any help ... It is only more wishful thinking from people who still reminisce with fondness and nostalgia about the bygone eras when officialdom had some "real" control over information flows ... Any attempt to implement such a policy on a universal scale would be horrendously complex and expensive, not to mention prone to error and abuse.

And even though support is gathering for this lunatic plan (mostly amongst politicians and bureaucrats), most ISPs, especially small ones, oppose it, because of the inordinate cost and possible risk of "liability" ... And in truth it is quite unfair that authors and owners like Microsoft should attempt to shift the onus of security to ISPs, because they are unwilling to accept it themselves.

And possibly, this was why my ISP was so quick to reassure me that they were notifying the owner of the IP address about a possible "infected" workstation ... It's all part of the political backdrop that is gathering around the vexed issue of "broken" Internet security.

January 2011: Dairy Of The Dead

I believe ... Whatever doesn't kill you, simply makes you ... Stranger!

-- "Dark Knight", 2008.

(Meaningless but disturbing dialogue spoken by "The Joker")

And then at the start of this month, came the dramatic article, from The Australian senior journalist, Cameron Stewart, and the warning that our nation is threatened by a "looming cyber crisis" ... Although the "crisis" seems to have gone largely unnoticed.

In a follow-up article, about a week after the first announcement Stewart claimed that when it was released, the report woud show that the NBN would be highly susceptible to cyber attack and that the roll-out of the NBN offered an excellent opportunity to consolidate and defend IT infrastructure.

There were no details provided as to why the NBN would be more susceptible to cyber attack than our existing network ... And no details as to why Australia should be more susceptible than any other country. And so far there has been no sign of the promised paper from Kokoda ... Although since the original sensational claims ... The topic has been "off the radar" for the Australian.

Nevertheless, we are left to infer that the Kokoda Foundation, the journalist (Cameron Stewart) and possibly other editorial staff of The Australian, not to mention various ministers and other politicians, are all of them singing from the same prayer-sheet, in almost perfect falsetto harmony, whilst marching in lock-step synchronisation, singing a sweet song of concordance and agreement with the conclusions of an earlier report delivered to the House Standing Committee on Communications, in June last year, with the engaging title "Hackers, Fraudsters and Botnets".

And the conclusion they all seem to be tending towards is ... That there should be some sort of a (vast) mandatory scheme which requires ISPs to monitor the activities of their clients ... And block them if the activity is nefarious ... And so make the Internet a safer place for us all (Any of this sound familiar?).

Although he now lives in Melbourne, I can't resist making the observation that Cameron Stewart spent a considerable amount of time in Canberra ... In which case I might also speculate ... "What exactly is it that they put in the water in our Nation's capital?" ... Whatever it is ... It seems to generate extraordinary delusions of central control ... And seems to be prevalent in the Australian Capital Territory.

Of course a Canberra-centric bureaucratic world view such as this would lead ineluctably to an attempt to enforce a rigid centrally controlled network. And it is not at all surprising that a Microsoft official endorsed just this type of remedy only a few months ago.

Remarkably, Steve Ballmer, extreme CEO of Microsoft and many of his underlings have recently adopted the phrase "ecosystem" into their public corporate speak lexicon. Alas, Ballmer et al employ the word "ecosystem" in manner similar to that of BigPond executives using the word "competition" ... That is in a disingenuous fashion that really means the exact opposite ... The Microsoft monoculture is the antithesis of an "ecosystem". In fact it is front and centre of the entire "security" problem.

And interesting also, that software owners such as Microsoft may be trying to wriggle out of their long held claim that "security is entirely the user's responsibility" ... Of course they still don't want to assume any responsibility for themselves ... But they do seem to be manoeuvring into a new amoral high ground from which they (and their friends in high places) might coerce ISPs to accept responsibility for the obvious and more serious consequences of a wide-spread Microsoft monoculture.

But more alarming for software owners ... The message might be getting through! Some users are taking responsibility for their own security. Those that can afford it are purchasing Apple, who do seem to be taking security seriously, and also benefit from being a "smaller target" than Microsoft. However Apple is another monoculture ... A much more robust and well-defended monoculture, but a monoculture nonetheless.

The one true ecosystem is Open Source. Even though Linux is the dominant variant, there is already great variety within the Linux camp. There is Ubuntu, Android, Red Hat, etc. And success will only breed more variation, since Open Source software must be shared. It is this provision that ensures competition.

And diversity, not a rigid monoculture, is the best form of defence against zombies.

Update 2011-02-02: The Kokoda Foundation have announced that there will be a media launch for their new paper about "cyber-security" on February 4th, 2011, at the National Press Club, Canberra.

Update 2011-02-05: The media launch has gone largely unnoticed. A few organisations tried to run sensational headlines about "a security crisis" and there were, of course, the usual calls for the government "to do something" ... Or lamentations that the government had done so little, and cries such as "Hackers make a mockery of government security", etc, etc. However, the story has been pushed to the back pages, and then entirely off the page, by "real" crises ... Like floods, cyclones, climate change etc.

Other Blog Posts In This Thread:

Copyright     2011, Gerry Patterson. All Rights Reserved.