Charlie's Diary

[ Site Index] [ Feedback ]

Fri, 19 Sep 2003


So. I bugger off for most of a week, buy a car, drive around large chunks of Yorkshire and Lancashire, finally get home dog-tired and in need of a bath, then log on to check my email. And what do I find? Another Microsoft-specific worm, the Swen-A (aka Gibe-F). It's so prolific that it's hammering my mail server -- about 330 copies received since it first started up yesterday -- and each copy runs to 140Kb or more in size. The SpamAssassin system is catching them but they're coming so thick and fast that this puny little server can't reclaim memory from terminated SpamAssassin scripts fast enough to keep up. With results like this (in UNIXese):

[root@raq981 /root]# w
  6:27pm  up 73 days, 23:24,  2 users,  load average: 59.08, 60.54, 63.32
USER     TTY      FROM              LOGIN@   IDLE   JCPU PCPU  WHAT
charlie  pts/0     6:13pm  3.00s  0.44s 0.08s  sh 
root     pts/1     6:14pm 39.00s  0.44s 0.23s  w 

The key indicators are the three decimal numbers after "load average" -- the instant, one-minute, and five-minute load ratings. A load average of 1.00 means the machine has one job waiting to run for each CPU. A load average of 59 means the machine is staggering along sluggishly, with 59 jobs tapping their fingers impatiently as it hurries to keep up.

Yes, Windows viruses can totally fuck a UNIX server up beyond recognition. All it takes is enough of them.

(Now writing procmail rules to bin the bastards on sight, rather than relying on the accurate but memory-hungry SpamAssassin. Gaah. Where's my bath?)

[ Discuss Spam ]

posted at: 19:11 | path: /virus | permanent link to this entry

Tue, 09 Sep 2003


45Mb of virus delivered to me in 26 hours. That's just under 2Mb/hour. Another way of looking at the situation is that it's consuming up to 15% of the monthly bandwidth allowance on this colocated server. Another order of magnitude increase (and Sobig.F is already an order of magnitude worse than any other worm I've ever seen) and it'll start costing me real money.

Today's daydream of punishment for the virus writer responsible: to be sentenced to clean out the cats' litter tray (with his hands tied behind his back). Preferably once per individual virus received (that's what ... 450 times for the past day's work? The cats will die of old age first!).

On a more practical note, Paul Graham has a modest proposal for fighting spam. It won't work against viruses -- but against ordinary spam it should be a killer. Simply put, spammers send spam indiscriminately in order to generate hits on a website (through which they aim to sell goods or services). They expect a response rate of typically under 0.1%, and they send millions of junk messages (at the expense of the unwilling recipients). If they received a response rate of 10-100%, it would literally swamp their servers, subjecting them to high bandwidth usage charges and turning the tables on the "free lunch" paradigm that makes their business marginally profitable.

It should be easy enough to turn the tables on the spammers. Imagine, if you will, a software filter through which all positively-identified spam is sent by SpamAssassin. The filter extracts all URLs from the mail and then spiders them a couple of times. If a hundred thousand people with this tool are hit by a spam, it'll generate many hundreds of thousands to millions of hits on the spammer's website within a matter of minutes, hammering them into the ground.

There are problems with this approach to spam fighting. Firstly, legitimate emails containing URLs are broadcast to lots of mailing lists every day -- there needs to be some mechanism for positively identifying the mail as spam before spidering ensues. Secondly, if such a mechanism is badly designed it could open the way to distributed denial of service attacks. (Much as Osirusoft or ORBS or other spam blacklisting sites can take down an entire domain's ability to send and receive email, a malevolent attacker with spamware could broadcast spam with a URL pointing to their intended victim's server, and ensure that their victim was trashed by the spam response system.) I'm not convinced by the idea -- but anything would be better than the current mess.

[ Link ] [ Discuss spam ]

posted at: 14:56 | path: /virus | permanent link to this entry

Sun, 07 Sep 2003

Crazy ...

I'm successfully filtering out all the incoming copies of the Sobig.F virus before they hit my inbox.

But since I last zeroed out my virus trap, 80 hours ago, I have received 73Mb of virus payloads. That's nearly 1Mb per hour, and the rate is accelerating -- it was only about 6Mb in the first day, but it's now tending towards 1Mb/hour.

This has got to be sucking up a good chunk of the total email bandwidth of the internet.

UPDATE: sixteen hours have passed, and my virus trap is now up to 117Mb. That's 3.5Mb of viral crap per hour, or about the bandwidth of a 14.4K modem dialup. This is a worse shit-storm than the original Sobig.F attack a couple of weeks ago. I'm off to the pub tonight (it being Feorag's birthday) and I'll be soliciting suggestions for how best to deal with the asshole responsible. A free pint will be won by the most creative but appropriate torture ...

As a side-note: because of a distributed denial-of-service attack that suspiciously coincided with the first Sobig.F attacks, Osirusoft (one of the main spam relay blacklists) went offline a couple of days ago. Before they went offline their administrator, in what appears to be a fit of pique, set the SPEWS blacklist to blacklist the entire internet. If you use SpamAssassin, please update your configuration so as not to use Osirusoft as a blacklist -- otherwise you won't get any email from me, or a hell of a lot of other people, either. (More information on Slashdot and elsewhere.) It has been speculated that the Sobig series are being developed by spammers in order to turn infected machines into relay zombies ... it's at times like this that I realise I'm really living in the 21st century and I wish it would go away.

[ Link ] [ Discuss spam ]

posted at: 18:48 | path: /virus | permanent link to this entry

Wed, 20 Aug 2003

Blood on the server room floor

I use two levels of spam filtering -- an ancient handcarved perl script called NAGS, now obsolete, running inline with the much more sophisticated SpamAssassin. SpamAssassin is a heavyweight -- capable of bringing my weedy little server (PII/450, 64Mb RAM/10Gb disk) to its knees, but this week it has saved my ass. Because there's a test in SpamAssassin (MICROSOFT_EXECUTABLE) which is 100% effective at weeding out Microsoft-specific virus payloads, including Sobig-F (see below).
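As an added illustration (not code from this diary, from SpamAssassin, or from the procmail rules mentioned in the 19 Sep entry) of the kind of check that weeds out Windows executable payloads regardless of the worm's name: decode every MIME part of a message and look for a DOS "MZ" header whose e_lfanew field points at the "PE\0\0" signature. The sample message, the sender/recipient addresses and the "details.pif" attachment name are constructed here, not taken from any real worm.

```python
import base64
import email
from email import policy


def _fake_pe_bytes() -> bytes:
    """Constructed stand-in for an executable: 'MZ' magic, e_lfanew at 0x3c
    pointing to a 'PE\\0\\0' signature, then padding. Not a real program."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\0" * 64


# Constructed sample mail (assumed addresses and filename): a text part plus a
# base64 attachment carrying the fake executable above.
SAMPLE_WORM_MAIL = (
    "From: someone@example.invalid\r\n"
    "To: charlie@example.invalid\r\n"
    "Subject: Your details\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    "--XX\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    '--XX\r\nContent-Type: application/octet-stream; name="details.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="details.pif"\r\n\r\n'
    + base64.encodebytes(_fake_pe_bytes()).decode()
    + "--XX--\r\n"
)


def is_windows_executable(blob: bytes) -> bool:
    """True if blob looks like a DOS/PE executable: 'MZ' magic and an
    e_lfanew offset that lands on the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\0\0"


def find_executable_attachments(raw_message: str) -> list:
    """Return the filenames of every MIME part whose decoded payload is a
    Windows executable, after undoing base64/quoted-printable encoding."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and is_windows_executable(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits
```

A mail filter would treat a non-empty result as grounds to quarantine or discard the message before any heavier scanning runs.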

Yesterday, NAGS trapped about 14 instances of Sobig-F, and I thought it was a heavy attack. So I tweaked SpamAssassin to add the MICROSOFT_EXECUTABLE test. Today I went over to Glasgow, shopping with Feorag (as one does). When I got back, I checked my spam trap.

272 copies of Sobig-F. That's 30 megabytes of viral crap. In 36 hours. In my spamtrap. I'm obviously popular; Feorag only got 49.

I've never seen anything like it. Multiply this attack by everyone out there and you've got a serious assault on the infrastructure of the internet as we know it. Mark Frauenfelder of BoingBoing fame got hammered by 300 copies, and as he's on a 4800 baud dialup that must hurt. I've been hearing stories of companies with firewalls and maybe 40 staff where someone made the mistake of opening the attachment -- within an hour the company mail servers had ground to a halt with several thousand viruses clogging up the spool area.

I can imagine what's going on in the NOCs of all the ISPs. I'm glad I don't work in those places. Problem is, this epidemic doesn't seem to be amenable to an easy fix. It's an emergent effect of insecure email protocols, operating systems which harbour bugs that can be triggered via said insecure email protocols, and small world theory. What is to be done?

Update: Cory Doctorow is dead famous for a variety of reasons, not least of which is the fact that he co-edits BoingBoing and is outreach director of the EFF. As he points out, Sobig-F follows a power law that increases with the number of people who've ever sent you email. He's experienced a peak of 8-10 viruses per minute, although it's now dropped back to a couple per minute. That's a peak of 800Kb-1Mb/minute, or 50-60Mb/hour, which to put it in perspective is about one-fifth the saturation bandwidth of a T1 line.

[ Discuss microsoft ]

posted at: 21:37 | path: /virus | permanent link to this entry

Tue, 19 Aug 2003

Virus storm rising

In the past hour and a half I've received via email 11 copies of some kind of Windows worm. My second-level spam filter is overflowing with the buggers -- luckily as a non-Windows user I'm pretty much immune, but they're coming in at a rate of >1Mb/hour. I'm glad I'm not currently collecting my email via Palm Pilot and mobile phone! Blaster, last week's exploit du jour (which tried to take down Microsoft's software update website), had a 6Kb payload, but this obese little turd carries a 93Kb chunk of code with it, so it looks like a new one to me. It's the highest level of worm activity I've ever seen, by somewhere between one and two orders of magnitude, and most of the initial copies appear to have emanated from Finland, which makes me wonder. Anyone else seen this, or know what's going on?

[ Discuss microsoft ]

posted at: 12:25 | path: /virus | permanent link to this entry
