To the New President: Secure Cyberspace


As the transition period leading to the new presidency is coming to an end, everyone will probably have multiple requests for the president, and one of those is to increase cyber defence. In this light, a new report by the “CSIS Commission on Cybersecurity for the 44th Presidency”[1] has released its recommendations on how to secure cyberspace. They consist of:

  • Create a Comprehensive National Security Strategy for Cyberspace
  • Organizing for Cybersecurity
  • Rebuilding Partnership with the Private Sector
  • Regulate for Cybersecurity
  • Identity Management for Cybersecurity
  • Modernize Authorities
  • Build for the Future

This report comes 5 years after the “National Strategy to Secure Cyberspace” document released in 2003 by the National Advisory Board, whose goal was to “engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact”[2]. The CSIS document doesn’t mention the previous efforts of the National Advisory Board, but describes the previous efforts of the Bush administration as “good but not sufficient”[3].

As usual, it remains difficult to tell how much of this report is based on real facts and how much is simply a way to secure funds from the new president by linking potential damage to the cyberspace infrastructure to the economy. It states that “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009”[4]. It uses the cyber attack that occurred on various American networks in 2007 as an example[5].

While there may be some fear mongering in this report, we should not completely dismiss the threats it mentions. As cyber warfare mostly happens without fanfare, in the shadows, it is hard to determine what is really going on. Since there is no open war between modern countries, we won’t see any cyber warfare for the time being. For the moment, cyberspace will mostly be used for spying, and this is what the document mostly addresses.

“The unclassified e-mail of the secretary of defense was hacked … A senior official at the Department of State told us the department had lost ‘terabytes’ of information,” declares the report, and also: “Senior representatives from the intelligence community told us that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost billions in intellectual properties.”

Unfortunately, “senior representatives”, “conclusive evidence” and “foreign sources” are so vague that it is impossible to validate the scope of the problem… or even to believe it. Another document[6], mentioned in the present report, gives some examples of terrorist uses of cyberspace. It mentions, among others, the “Muslim Hackers Club” website and the information posted to it, and the use of stolen credit card and bank account information to finance the Bali attack in 2002[7].

The authors put a lot of emphasis on treating cybersecurity as a priority on the same level as WMD and any other subject that requires national attention, therefore requiring that the federal government take charge of national cybersecurity instead of leaving it to IT departments. It proposes that:

1)      Standards for computer security be enforced on industry, such as manufacturing plants and power plants.

2)      Cyberspace security be overseen by a cybersecurity chief, and that security agencies such as the National Cyber Security Center (NCSC) and the Joint Inter-Agency Cyber Task Force (JIACTF) be merged into one.

A central office in charge of enforcing computer security standards will have to be formed sooner or later. Fortunately, this will be sooner. Information Technology departments should not only have a national reference for the standards to achieve, but also the means to implement them, by having government-accredited security companies deploy those standards on the networks of various industries. I also believe this new agency should periodically test the security of those networks, as I presume is already done. The report proposes that, instead of a new agency, the White House be in charge of national cybersecurity through an assistant to the president.

The difficulty resides in the fact that a single weak link is sufficient to attack the entire system. Therefore, it is necessary to screen the entire critical infrastructure in order to secure it efficiently. And since the systems of large industries are often connected internationally, this implies an international consensus.

One thing is for sure: all the existing computer-security related agencies and efforts need to be consolidated in order to focus on a common goal, the protection of cyberspace. As the report states, they also need to work hand in hand with the private sector in order to react quickly to emergencies. Unfortunately, this is only another report amongst others. Maybe a more tech-savvy president such as Barack Obama will catch on quicker to this threat. Until then, the battle still rages on in the shadows of the Internet…

See also

“Obama urged to create White House cybersecurity chief “, Dan Goodin, The Register, December 8, 2008, (accessed on December 10, 2008)


[1] “Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008,,com_csis_pubs/task,view/id,5157/ (accessed on December 10, 2008)

[2] “The National Strategy to Secure Cyberspace”, National Advisory Board, February 2003, p. VII

[3] “Securing Cyberspace for the 44th Presidency”, CSIS Commission on Cybersecurity for the 44th Presidency, December 8, 2008, p.15

[4] Ibid. p.11

[5] “Pentagon shuts down systems after cyberattack”, Robert McMillan, InfoWorld, June 21, 2007 (accessed on December 10, 2008)

[6] “Threats Posed by the Internet”, CSIS Commission on Cybersecurity for the 44th Presidency, October 2, 2008,,com_csis_pubs/task,view/id,5146/type,1/ (accessed on December 10, 2008)

[7] “Bali death toll set at 202”, BBC News, February 19, 2003 (accessed on December 10, 2008)

NSA’s new data center in San Antonio


San Antonio will be hosting the new data center of the National Security Agency, reports the San Antonio Current[1]. An old Sony factory on West Military Drive, near San Antonio’s Loop 410 freeway, will be transformed to accommodate enormous amounts of data, mainly electronic communications such as phone conversations and emails, according to author James Bamford:

“No longer able to store all the intercepted phone calls and e-mail in its secret city, the agency has now built a new data warehouse in San Antonio, Texas.”

The city was chosen for its cheap electricity, provided by an independent power grid: Texas has its own grid, unconnected to the other states’ grids, which makes it more reliable.

NSA's Datacenter in San Antonio

Another factor was the presence of a Microsoft data center of similar size a few miles away. The NSA center will be the third largest data center in San Antonio.

As for the Sony plant, it is made of two connected buildings, offering offices and research areas, and totals around 470,000 square feet[2]. It is expected that 1,500 employees will initially work there, and the site may employ up to 4,000 people.

[1] “The panopticon economy”, Greg M. Schwartz, San Antonio Current, December 3, 2008, (accessed on December 8, 2008)

[2] “NSA Plans San Antonio Data Center”, Rich Miller, Data Center Knowledge, April 19, 2007, (accessed on December 8, 2008)

China’s Red Flag Linux


Red Flag Linux Logo

Two days ago, the Inquirer posted an article on a new law passed in the Chinese city of Nanchang, in Jiangxi province, to replace pirated copies of Windows in Internet cafes with legitimate software[1]. The alternative proposed to the cafes is the Red Flag Linux distribution, which prompted fears of snooping from the U.S.-funded Radio Free Asia. The radio quoted the director of the China Internet Project, Xiao Qiang, as saying that “cafes were being required to install Red Flag Linux even if they were using authorised copies of Windows”[2]. According to an official of the Nanchang Cultural Discipline Team, the transition from Windows to Red Flag has already started in the 600 Internet cafes of the city[3], and not across all of China, as many headlines claim.

Short History of Red Flag Linux

Red Flag Linux was created by the Software Research Institute of the Chinese Academy of Sciences in 1999 and was financed by a government firm, NewMargin Venture Capital. The distro is now distributed to government offices and businesses by Red Flag Software Co.[4]. The goal of the Chinese government was to reduce the dominance of Microsoft over the operating system market. It therefore invested in Red Flag Software through a venture capital investment company owned by the Ministry of Information Industry, called CCIDNET Investment[5].

At first, the OS was exclusively in Chinese and restricted itself to the Chinese market. In 2003, the company developed an English version for international markets. This project received further help after Hewlett-Packard concluded a plan to assist Red Flag in various fields to market its operating system around the world[6]. As many companies took interest in the Chinese economic boom, Red Flag signed partnerships with various western companies like IBM, Intel, HP and Oracle[7], which wanted to open a new market in China. That way, RealNetworks, among others, distributed its media software with Red Flag[8].

According to IDC, a market-research company, the revenue of Red Flag Software Co. totalled US$8.1 million in 2003. There were 24,000 server operating system shipments, accounting for $5.9 million in revenue[9]. In 2006, Red Flag Software was the top Linux distributor in China, with over 80% of the Linux desktop market[10]. Later, new versions of Red Flag were made for mobile devices[11] and embedded devices[12]. It can also be found on various servers sold across China by Dell.

Therefore it seems that Red Flag Linux, after a slow period during the dot-com crash, is alive and well nowadays in China. The operating system has changed quite a bit from its beginnings in 1999, and we can expect the use of this distribution to grow in the upcoming years, as prices for proprietary OS such as Windows can be quite prohibitive for most of the Chinese population. The Red Flag Linux distro can be downloaded for free from Red Flag Software Co. (see the end of this article for the links), while Vista Home Basic was sold at renminbi (US$65.80) in 2007[13].

Technical Aspects

According to an early reviewer who tested the OS back in 2002[14], the first Red Flag 2.4 Linux OS was based on the Red Hat distro. It came basically with the same options, such as X11 and the KDE interface as default, and used the Reiser file system. Interestingly, no root password was needed, and root seemed to be the default account. It came with the standard user applications such as XMMS.

Since then, Red Flag Linux has switched from Red Hat to Asianux 2.0 as its base distribution[15]. A root password now needs to be specified at installation, and the distribution is also available as a Live CD. Also, don’t expect a completely English system: while the most important parts should be in English, some may still be in Mandarin. XMMS has long been replaced with KDE’s multimedia tools such as KsCD, JuK, Dragon Player and KMix. Other software you can find on the “Olympic” beta version of the distribution, released last September[16]:

  • KAddressBook
  • Kopete
  • Kontact
  • Krfb
  • KOrganizer
  • KNode
  • Firefox
  • Akregator
  • KMail
  • Akonadi

According to the reviewer, and by looking at the English website, it does look like the English version is not maintained as much as the Chinese version. Therefore I believe the Chinese version might contain more features and fewer bugs. It might even contain office software such as RedOffice.

This operating system is certainly one to watch, not really for its technical aspects or usefulness, but mainly because it might spread across China as businesses and governmental agencies adopt Red Flag Linux. If an attack were to be mounted against Chinese communication infrastructure, this distribution would certainly be one of the targets to analyze in order to find holes and exploits. Unfortunately, finding information about this Linux is tricky, mainly due to the language barrier. Using software translation is amusing but useless. It is hard to determine if the OS contains any modification for spying or snooping, as one would need to go through the source of a large part of the OS (I wish I had time to do that). But then, it is less hard than examining closed-source software. Snooping can come from everywhere too; they might be better off with Red Flag Linux than with Sony software after all[17].

If anyone has information, please share it, as information should always be shared. In the meantime, a desktop version of Red Flag Linux is available here. And if you can understand Mandarin, maybe you could visit this page.

Enrich your Mandarin Vocabulary: 红旗 = Red Flag

See also:

Red Flag Software Co., (Mandarin language)

Red Flag Software Co., (English language)

“Red Flag Linux may be next on IBM’s agenda”, James Niccolai, Network World, September 22, 2006 (accessed on December 4, 2008)

“Dell flies Red Flag Linux in China”, Michael Kanellos, ZDNet, December 3, 2004 (accessed on December 4, 2008)

“With HP’s help, China’s Red Flag Linux to step onto global stage”, Sumner Lemon, ComputerWorld, September 2, 2003, ,10801,84602,00.html (accessed on December 5, 2008)


[1] “Chinese ordered to stop using pirate software”, Emma Hughes, The Inquirer, December 3, 2008, (accessed on December 4, 2008)

[2] “New fears over cyber-snooping in China”, Associated Press, The Guardian, December 4, 2008, (accessed on December 4, 2008)

[3] “Chinese Authorities Enforce Switch from Microsoft”, Ding Xiao, translated by Chen Ping, Radio Free Asia Mandarin Service, December 2, 2008, (accessed on December 4, 2008)

[4] Ibid.

[5] “Raising the Red Flag”, Doc Searls, Linux Journal, January 30, 2002, (accessed on December 4, 2008)

[6] “English version of China’s Red Flag Linux due soon”, Sumner Lemon, InfoWorld, September 8, 2003, (accessed on December 4, 2008)

[7] “Red Flag Linux”, Operating System Documentation Project, January 13, 2008, (accessed on December 4, 2008)

[8] “RealNetworks signs up Red Flag Linux”, Stephen Shankland, CNet News, October 6, 2004, (accessed on December 4, 2008)

[9] “China’s Red Flag Linux to focus on enterprise”, Amy Bennett, IT World, August 16, 2004, (accessed on December 4, 2008)

[10] “Red Flag Linux 7.0 Preview (Olympic Edition)”, Begin Linux Blog, August 15, 2008, (accessed on December 4, 2008)

[11] “Introduction to MIDINUX”, Red Flag Software, June 2007, (accessed on December 4, 2008)

[12] “Car computer runs Red Flag Linux”, LinuxDevices, November 13, 2007, (accessed on December 4, 2008)

[13] “Update: Microsoft cuts Windows Vista price in China”, Sumner Lemon, InfoWorld, August 3, 2007, (accessed on December 5, 2008)

[14] “Red Flag, China’s home-grown Linux distribution, is a good start”, Matt Michie,, February 22, 2002, (accessed on December 4, 2008)

[15] “Red Flag Linux Desktop”, (accessed on December 5, 2008)

[16] “Red Flag Linux Olympic Edition fails to medal”, Preston St. Pierre,, September 11, 2008, (accessed on December 5, 2008)

[17] “Real Story of the Rogue Rootkit”, Bruce Schneier, Wired, November 17, 2005, (accessed on December 5, 2008)

ENISA releases list of mobile phones vulnerabilities


The European Network and Information Security Agency (ENISA) released a paper about general vulnerabilities that affect, or will affect, mobile communications. The organization surveyed experts through different media to gather the industry’s concerns about the future of wireless communications. The document discusses security issues for three different types of devices: mobile devices, contactless cards and smart cards.

Mobile phones

The paper mentions two possible vulnerabilities on mobiles, one of which is rather obvious and really didn’t need to be detailed:

  • Theft or Loss of device
  • Untrustworthy Interface

Since a lot of information is stored on cell phones and other devices, theft can be a security issue, especially in a commercial or governmental context. As mobile devices are used for more and more purposes, such as purchasing items and services, as is already done in Japan, theft will be a problem. As far as I know, not much can be done to prevent mobiles from being stolen, except caution. On the other hand, encryption and authentication should be used to protect the data stored inside the device.

Untrustworthy interface refers to any exploits, worms or social engineering that usually affect computers. After all, mobiles use operating systems like any computer, such as Android, Windows Mobile, Symbian OS, Linux or iPhone OS. None of these OS can pretend to be 100% secure, and none should ever claim to be. For those who think that such things don’t happen on phones, here are a couple of examples that might change your mind:

Last year, at the Black Hat conference, which took place on August 2nd, an attack against the iPhone was carried out by a team at the security company Independent Security Evaluators[1]. By setting up a fake access point with the same SSID and encryption type as an access point previously used by the victim, one could use the fake access point to inject malicious code into the web pages requested by the user[2].

At the beginning of the year, Symbian OS fell victim to another worm, called Beselo, which spread by harvesting contacts and sending MMS messages with a SIS attachment disguised as a picture or MP3 file[3].

In October, Google’s Android shipped with an outdated version of the WebKit package, which could allow an attacker to steal saved passwords and cookies by crafting a malicious website[4].

Do I even need to give examples for the Windows Mobile OS? If so, the ones that come to mind are those found by Collin Mulliner a while ago and disclosed at the 23rd CCC[5].

As mobile phones become more and more like computers, exploiting cell phones will become more and more common.

Smart Cards

The paper specifically mentions two issues concerning smart cards:

  • Physical Attacks
  • Side Channel Attacks

Physical attacks consist of studying the underlying hardware in order to reverse-engineer it:

“These kinds of attacks are usually invasive, eg, rewiring a circuit on the chip or using probing pins to monitor data flows. Physical attacks include altering the environment around the card, such as temperature or radiation, in order to induce faults. The goal of the attacker is to bypass security mechanisms and gain secret information stored on the card. In general, modern smart cards are quite resistant to physical attacks. Nevertheless, there have been a number of reverse-engineering attacks in attempts to retrieve private keys or find flaws in the hardware design.”[6]

This usually involves many different techniques and a lot of time. A concrete example of a physical attack on smart cards goes back to 2002, when two researchers from Cambridge University discovered they could induce faults in a smart card and extract data from it by using a camera flash. Not to mention that modern smart cards are often programmed with a subset of Java, and are therefore open to programming errors and exploits[7].

Side-channel attacks are more subtle, as they involve retrieving information from the card by analysing physical properties such as power consumption, radiation and signal timing[8]. Side-channel attacks can reveal sensitive information about the implementation of a cryptographic algorithm, and ultimately the key it uses:

“One of the most successful side-channel attacks exploits the correlation between the power consumption of a given device and the data being processed. These Power Analysis Attacks have particular relevance since for some of them, no knowledge regarding the implementation of the target device is needed in order to be effective.”[9]
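To make the correlation described in that quote concrete, here is an added example (my own code, not from the ENISA paper or from the Regazzoni et al. work it cites) that simulates a correlation power analysis attack on a single key byte. The device model, the PRESENT-style nibble S-box standing in for the real cipher, the Hamming-weight leakage with uniform noise, the trace count and the PRNG seed are all assumptions; the attacker side only sees plaintexts and power samples, which is exactly the situation in which no knowledge of the implementation is required.

```c
#include <stdint.h>
#include <stdio.h>

/* Nibble-wise PRESENT S-box, a small nonlinear map standing in for the
 * target's real S-box (assumption: the real device may use AES or another cipher). */
static const uint8_t SBOX4[16] = {0xC,0x5,0x6,0xB,0x9,0x0,0xA,0xD,
                                  0x3,0xE,0xF,0x8,0x4,0x7,0x1,0x2};

static uint8_t sbox8(uint8_t x) {
    return (uint8_t)((SBOX4[x >> 4] << 4) | SBOX4[x & 0x0F]);
}

static int hamming_weight(uint8_t v) {
    int w = 0;
    for (; v; v >>= 1) w += v & 1;
    return w;
}

#define NTRACES 1000
#define NKEYS   256

/* Deterministic LCG so that plaintexts and noise are reproducible. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 16;
}

/* Constructed "device": one power sample per encryption, leaking the Hamming
 * weight of the S-box output S(p ^ k) plus uniform noise in {-2,...,2}. */
static void simulate_traces(uint8_t key, uint8_t pt[NTRACES], double power[NTRACES]) {
    for (int i = 0; i < NTRACES; i++) {
        pt[i] = (uint8_t)rng_next();
        int noise = (int)(rng_next() % 5u) - 2;
        power[i] = (double)hamming_weight(sbox8(pt[i] ^ key)) + noise;
    }
}

/* Signed squared Pearson correlation: the sign of the covariance is kept and
 * the square root avoided, so the block needs no libm and ranks guesses the
 * same way the plain coefficient would. */
static double corr2(const double *h, const double *p, int n) {
    double mh = 0.0, mp = 0.0;
    for (int i = 0; i < n; i++) { mh += h[i]; mp += p[i]; }
    mh /= n; mp /= n;
    double num = 0.0, dh = 0.0, dp = 0.0;
    for (int i = 0; i < n; i++) {
        num += (h[i] - mh) * (p[i] - mp);
        dh  += (h[i] - mh) * (h[i] - mh);
        dp  += (p[i] - mp) * (p[i] - mp);
    }
    if (dh == 0.0 || dp == 0.0) return 0.0;
    double r2 = (num * num) / (dh * dp);
    return num < 0.0 ? -r2 : r2;
}

/* Attacker side: only the plaintexts and the power samples are known. For
 * each of the 256 key guesses, predict HW(S(p ^ guess)) per trace and keep
 * the guess whose prediction correlates best with the measurements. */
static int recover_key_byte(const uint8_t pt[NTRACES], const double power[NTRACES], double *best_r2) {
    static double h[NTRACES];
    int best = -1;
    double best_score = -2.0;
    for (int guess = 0; guess < NKEYS; guess++) {
        for (int i = 0; i < NTRACES; i++)
            h[i] = (double)hamming_weight(sbox8(pt[i] ^ (uint8_t)guess));
        double score = corr2(h, power, NTRACES);
        if (score > best_score) { best_score = score; best = guess; }
    }
    if (best_r2) *best_r2 = best_score;
    return best;
}

/* Runs the whole attack against one secret key byte and returns the byte the
 * attacker recovers; the secret is used only to drive the simulated device. */
int cpa_attack(uint8_t secret_key, double *best_r2) {
    static uint8_t pt[NTRACES];
    static double power[NTRACES];
    rng_state = 0x20081203u;
    simulate_traces(secret_key, pt, power);
    return recover_key_byte(pt, power, best_r2);
}

int main(void) {
    double r2;
    int found = cpa_attack(0x3A, &r2);
    printf("secret 0x3A, recovered 0x%02X, best signed r^2 = %.3f\n", found, r2);
    return found == 0x3A ? 0 : 1;
}
```

With 1000 traces the correct byte scores a signed r² around 0.5 (the leakage and the noise have equal variance in this model), while a guess that matches only one nibble scores roughly a quarter of that. Widening the noise range or lowering NTRACES shows the attack degrading gracefully: the right byte keeps the top score until the sampling error of the correlation approaches the gap between the right guess and the best wrong one.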

Contactless Cards

The paper lists the following attacks against contactless cards:

  • Skimming
  • Eavesdropping
  • Tracking
  • Relay Attack
  • Falsification of Content

A brilliant example of a skimming attack was the work done in the now infamous Oyster card case[10]. After reverse-engineering the MIFARE Classic card[11] by using acid to remove the plastic and studying the architecture of the hardware in the card, the encryption algorithm was recovered and could be cracked. For the hack to work, the attacker needs to skim the victim’s Oyster card with a custom-built reader.

The last attack that I will briefly describe in this article is the relay attack, as the others are well known. The relay attack is essentially a man-in-the-middle attack: the attacker forwards the exchange between a genuine card and a genuine reader over a relay channel, so that the reader believes the card is physically present even though it may be far away.

The document also states two other vulnerabilities, which actually apply to various types of devices: cryptanalytic attacks and man-in-the-middle attacks (see Cyber-Espionage: The Triggerfish for an example of a cell phone man-in-the-middle attack).

The paper also goes on with various use-case scenarios of these attacks for your reading pleasure.

See also:

“Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008 (accessed on December 3, 2008)

“PocketPC Security Research”, Collin Mulliner, July 9, 2007 (accessed on December 3, 2008)

“Optical Fault Induction Attacks”, Sergei P. Skorobogatov, Ross J. Anderson, University of Cambridge (accessed on December 3, 2008)


[1] “IPhone Flaw Lets Hackers Take Over, Security Firm Says”, John Schwartz, The New York Times, July 23, 2007 (accessed on December 3, 2008)

[2] “Exploiting the iPhone”, Independent Security Evaluators, 2007, (accessed on December 3, 2008)

[3] “Fortinet: Symbian OS worm spreading in mobile networks”, Jack Rogers, SC Magazine, January 23. 2008, (accessed on December 3, 2008)

[4] “Vulnerability patched in Google’s Android-powered phone”, Angela Moscaritolo, November 03, 2008, (accessed on December 3, 2008)

[5] “How to Exploit A Windows Mobile Handset”, Sergiu Gatlan, January 4, 2007, (accessed on December 3, 2008)

[6] “Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, p.10

[7] “Smart Card Security from a Programming Language and Static Analysis Perspective”, Xavier Leroy, INRIA Rocquencourt, Trusted Logic, 2003, (accessed on December 3, 2008)

[8] “Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, p.10

[9] “Power Attacks Resistance of Cryptographic S-boxes with added Error Detection Circuits”, Francesco Regazzoni, Thomas Eisenbarth, Johann Großschädl, Luca Breveglieri, Paolo Ienne, Israel Koren, Christof Paar, University of Lugano, 2007, (accessed on December 3, 2008)

[10] “Oyster card hack published, released at security conference”, Nicholas Deleon, CrunchGear, October 7, 2008, (accessed on December 3, 2008)

[11] “Dismantling MIFARE Classic”, Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers,Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, Bart Jacobs, Radboud University Nijmegen, 2008, (accessed on December 3, 2008)

New Kid on the Block: Downadup


Many reports over the last few days mention a new worm growing on the back of the Windows MS08-067 vulnerability. The worm, named Downadup and also dubbed Conficker.A by Microsoft, has now spread to alarming levels: “We think 500,000 is a ball park figure,” said Ivan Macalintal, a senior research engineer with Trend Micro Inc.[1]

The Exploit

The vulnerability is located in the Windows Server service, which is used to share files and printers across computers on a Windows network. This service is present in all Windows versions, even the Windows 7 pre-beta, therefore making every Windows user vulnerable unless patched[2]:

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2
  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems*
  • Windows Server 2008 for x64-based Systems*
  • Windows Server 2008 for Itanium-based Systems

Operating systems vulnerable to the MS08-067 exploit

The exploit works by sending a specially crafted packet to the RPC (Remote Procedure Call) interface. The interface can be reached by an attacker if no firewall is active, or if File and Printer Sharing is enabled on a machine connected to the Internet. The packet causes a buffer overflow which allows arbitrary code to be executed.

The core of the exploit is a buffer overflow that occurs when parsing a specific path. The exploit is triggered when a specially crafted packet is sent to port 139 or 445 over a Windows file/printer sharing session. The reception of that packet triggers a call to the RPC API NetPathCompare() and NetPathCanonicalize() functions.

The exploit is triggered by giving a specific path to canonicalize, such as “\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”[3], to the NetPathCanonicalize function, which uses the _tcscpy_s macro, which in turn expands to the wcscpy_s function[4]. This function copies a wide-character string from one location in memory to another. The buffer overflow is provoked by a miscalculation of the parameters given to _tcscpy_s by the NetPathCanonicalize() function.

_tcscpy_s is called like this by NetPathCanonicalize:

_tcscpy_s(previousLastSlash, pBufferEnd - previousLastSlash, ptr + 2);

NetPathCanonicalize contains a complex loop that checks the path for dots, dot-dots and slashes while doing a lot of pointer calculations. Once the loop has been passed over a couple of times, the previousLastSlash parameter gets an illegal value: the destination pointer is wrong, and so is the size computed from it, since that size is just the distance from the bogus pointer to the end of the buffer.
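As an added illustration of the bug class (my own simplified model, not Microsoft’s NetPathCanonicalize source, which is not public), the following C program canonicalizes \..\ sequences in place and shows how an unbounded backward scan for the previous separator turns into an out-of-bounds write. The memory layout (a guard region standing in for whatever lies below the buffer), the buffer size, and the crafted input modelled on the page’s \c\..\..\AAAA path are assumptions; only the \..\ form is handled, and the fixed variant rejects a dot-dot at the root instead of scanning past the start of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD   16   /* bytes modelling memory just below the path buffer */
#define PATHMAX 32   /* size of the path buffer canonicalized in place */

/* Constructed memory layout, one flat array so the pointer arithmetic stays
 * defined: mem[0..GUARD-1] stands for whatever sits below the buffer in a
 * real stack frame (other locals, saved registers), mem[GUARD..] is the
 * buffer the canonicalization routine works on. */
struct frame { char mem[GUARD + PATHMAX]; };

char *path_of(struct frame *f) { return f->mem + GUARD; }

void frame_init(struct frame *f, const char *input) {
    memset(f->mem, 'G', GUARD);
    f->mem[0] = '\\';   /* assumption: first separator byte an unbounded scan meets */
    memset(path_of(f), 0, PATHMAX);
    strncpy(path_of(f), input, PATHMAX - 1);
}

/* 1 if the bytes below the buffer are untouched, 0 if a copy reached them. */
int guard_intact(const struct frame *f) {
    if (f->mem[0] != '\\') return 0;
    for (int i = 1; i < GUARD; i++)
        if (f->mem[i] != 'G') return 0;
    return 1;
}

/* Stand-in for _tcscpy_s(dst, room, src): copies at most room bytes including
 * the terminator. A forward byte copy is safe here because dst < src. */
static void bounded_copy(char *dst, size_t room, const char *src) {
    size_t i = 0;
    while (i + 1 < room && src[i] != '\0') { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}

/* Collapses each "\..\" by copying the rest of the path over the previous
 * component. VULNERABLE: the backward scan for the previous separator has no
 * lower bound, so a "\..\" with nothing left to remove walks below the
 * buffer, and that bogus pointer becomes both the copy destination and the
 * basis of the size handed to the bounded copy (end - prev is then larger
 * than the buffer). */
void canonicalize_vuln(struct frame *f) {
    char *buf = path_of(f), *end = buf + PATHMAX, *cur = buf, *p;
    while ((p = strstr(cur, "\\..\\")) != NULL) {
        char *prev = p - 1;
        while (*prev != '\\') prev--;                   /* no check against buf */
        bounded_copy(prev, (size_t)(end - prev), p + 3);
        cur = prev;
    }
}

/* Fixed version: a "\..\" with no component before it is rejected, and the
 * scan can never leave the buffer. Returns 0 on success, -1 on a bad path. */
int canonicalize_safe(struct frame *f) {
    char *buf = path_of(f), *end = buf + PATHMAX, *cur = buf, *p;
    if (buf[0] != '\\') return -1;
    while ((p = strstr(cur, "\\..\\")) != NULL) {
        if (p == buf) return -1;                        /* "\..\" at the root */
        char *prev = p - 1;
        while (prev > buf && *prev != '\\') prev--;
        bounded_copy(prev, (size_t)(end - prev), p + 3);
        cur = prev;
    }
    return 0;
}

int main(void) {
    struct frame f;
    const char *crafted = "\\c\\..\\..\\AAAAAAAAAAAAAAAAAAAAAA";   /* constructed input */
    frame_init(&f, crafted);
    canonicalize_vuln(&f);
    printf("vulnerable: guard intact=%d, bytes below buffer now \"%.*s\"\n",
           guard_intact(&f), GUARD, f.mem);
    frame_init(&f, crafted);
    printf("fixed: rc=%d, guard intact=%d\n", canonicalize_safe(&f), guard_intact(&f));
    return 0;
}
```

The first pass turns \c\..\..\AAAA into \..\AAAA, exactly as in the page’s example; on the second pass the vulnerable scan starts one byte below the buffer and runs down to the first backslash it finds, after which the copy overwrites the guard. The p == buf check in the fixed variant is the part that matters: with only the prev > buf bound in the loop, a \..\ at the root would still leave prev pointing one byte below the buffer, since the loop simply would not run.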

The RPC call

To exploit this vulnerability, all one has to do is bind to the SRVSVC pipe of the Windows Server service, which exposes the RPC interface. If this is successful, the NetPathCanonicalize() function is called with a specially crafted path as shown above, and then it is only a matter of providing the payload. Exploits are already public on sites such as milw0rm[5].

The New Worm: Downadup

Downadup is the newest worm to use the exploit on a large scale, and it has proved widely successful even though it has already been one month since the vulnerability was found and patched.

Once installed on a system, the worm copies itself under a random name into the system directory %systemroot%\system32 and registers itself as a service[6]. It will, of course, also add itself to the registry with the following keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>.dll
    ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\”ServiceDll” = “<name>.dll”

It will then use those sites to get the newly infected machine’s IP address:


With the IP address, Downadup downloads a small HTTP server (“”) and opens an HTTP server on the current machine at the following address[7]:


Once the HTTP server is set up, the worm scans for other vulnerable machines and, when a target is found, the infected machine’s URL is sent to the target in the payload. The remote computer then downloads the worm from the given URL and starts infecting other machines as well. Therefore, there is no centralized point of download. Upon successful infection, the worm also patches the hole to prevent other worms from infecting the machine[8].

According to Symantec, it has a domain name generation algorithm based on dates, just like Srizbi (see Srizbi is back for more details on that algorithm). It also deletes any prior Restore Points saved by the user or the system[9].
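The page does not describe Downadup’s actual algorithm, so here is an added example of the principle behind a date-based domain generation algorithm: a generator seeded only by the calendar date, which the worm and a defender who has extracted the algorithm can both run. This is my own illustration, not Downadup’s, Srizbi’s or Symantec’s code; the seed mixing, the xorshift PRNG, the five-per-day count, the 8-letter labels and the .example suffix are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DGA_PER_DAY 5            /* domains generated per day (assumption) */
#define DGA_LABEL   8            /* label length (assumption) */
#define DGA_TLD     ".example"   /* suffix (assumption; reserved name, never resolves) */
#define DGA_MAXLEN  (DGA_LABEL + sizeof(DGA_TLD))

/* Seed derived only from the calendar date, so every infected host (and a
 * defender who knows the algorithm) derives the same list for that day. */
static uint32_t dga_seed(int year, int month, int day) {
    uint32_t s = (uint32_t)year * 10000u + (uint32_t)month * 100u + (uint32_t)day;
    s ^= 0x9E3779B9u;            /* arbitrary mixing constant (assumption) */
    return s ? s : 1u;           /* xorshift must not start at zero */
}

/* xorshift32 step */
static uint32_t dga_next(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Worm side: fills list with the DGA_PER_DAY domains for the given date. */
void dga_domains(int year, int month, int day, char list[DGA_PER_DAY][DGA_MAXLEN]) {
    uint32_t state = dga_seed(year, month, day);
    for (int n = 0; n < DGA_PER_DAY; n++) {
        int i;
        for (i = 0; i < DGA_LABEL; i++)
            list[n][i] = (char)('a' + dga_next(&state) % 26u);
        list[n][i] = '\0';
        strcat(list[n], DGA_TLD);
    }
}

/* Defender side: a hostname seen in DNS logs is flagged if it is one of the
 * names the algorithm produces for that day. */
int dga_matches(int year, int month, int day, const char *host) {
    char list[DGA_PER_DAY][DGA_MAXLEN];
    dga_domains(year, month, day, list);
    for (int n = 0; n < DGA_PER_DAY; n++)
        if (strcmp(list[n], host) == 0) return 1;
    return 0;
}

int main(void) {
    char list[DGA_PER_DAY][DGA_MAXLEN];
    dga_domains(2008, 12, 2, list);
    for (int n = 0; n < DGA_PER_DAY; n++) printf("%s\n", list[n]);
    return 0;
}
```

Running it lists the names for December 2, 2008; dga_matches shows the defensive use: once an analyst has extracted the algorithm from a sample, the day’s names can be pre-computed and sinkholed or blocked before the worm asks for them, which is why such algorithms are usually made to depend on something the defender cannot predict as easily as a date.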


[1] “New Windows worm builds massive botnet”, Gregg Keizer, ComputerWorld, December 1, 2008, (accessed on December 1, 2008)

[2] “Microsoft Security Bulletin MS08-067 – Critical”, Microsoft, October 23, 2008, (accessed on December 2, 2008)

[3] “Gimmiv.A exploits critical vulnerability (MS08-067)”, Sergei Shevchenko, October 23, 2008, (accessed December 2, 2008)

[4] “MS08-067 and the SDL”, The Security Development Lifecycle, October 22, 2008, (accessed on December 2, 2008)

[5] See MS08-067 Exploit by Debasis Mohanty and MS08-067 Remote Stack Overflow Vulnerability Exploit for examples.

[6] “F-Secure Malware Information Pages: Worm:W32/Downadup.A”, F-Secure Corporation, November 26, 2008, (accessed on December 2, 2008)

[7] “W32.Downadup”, Symantec, Takayoshi Nakayama and Sean Kiernan, November 24, 2008, (accessed on December 2, 2008)

[8] “Microsoft warns of new Windows attacks”, Gregg Keizer, ComputerWorld, December 1, 2008, (accessed on December 2, 2008)

[9] “Worm:Win32/Conficker.A”, Joshua Phillips, Microsoft Malware Protection Center, 2008, (accessed on December 2, 2008)

Technology in the Mumbai Attacks – A Quick Overview


Details are now starting to emerge from the deadly attacks by terrorists on the city of Mumbai, formerly known as Bombay. News outlets are starting to report on the technologies used by the attackers to communicate and coordinate their attacks, which killed an estimated 172 people from various nations[1].

Among the commercial technologies used by the terrorists are GPS and satellite phones. The attackers, apparently trained in marine assault[2], entered the city on the MV Kuber[3], a hijacked fishing boat used as a mother ship, and navigated by an experienced sailor using GPS maps[4]: “A trained sailor, [Abu] Ismail used the GPS to reach Mumbai coast on November 26.”[5] According to the Times of India, the GPS contained an escape route to follow once the operation was deemed complete[6].

Among the other objects found in the boat, a satellite phone, a Thuraya model[7], was discovered, which could be the key to finding more information about the terrorists.


Satellite phone used by the terrorists[8]

The satellite phone’s records could be used to trace conversations between the individuals before their landing in the city. According to an article published by ABC News, Indian intelligence also intercepted a satellite phone call:

“Nov. 18, Indian intelligence also intercepted a satellite phone call to a number in Pakistan known to be used by a leader of the terror group, Lashkar e Taiba, believed responsible for the weekend attack, Indian intelligence officials say.[9]”

Officials from RAW, India’s external intelligence agency, said they had obtained the SIM cards found with the satellite phone, possibly bought in the U.S. According to the same ABC article, those cards are providing leads to Lashkar e Taiba, a Kashmiri separatist group.

Many of the articles also report that the attackers used BlackBerry phones to communicate with each other and to follow media reports about the attacks. Damien McElroy of The Telegraph writes that the terrorists used them to monitor the situation through British media websites[10].

Finally, the attackers appear to have proclaimed their identity by sending forged emails to news outlets through a remailer, which strips the sender’s originating address from the messages[11].

More to come as the investigation continues, now that the siege has ended…


[1] “India clears last Mumbai siege site”, Ravi Nessman, Associated Press, December 1, 2008, (accessed on December 1, 2008)

[2] “‘No regrets’: Captured terrorist’s account of Mumbai massacre reveals plan was to kill 5,000”, Daily Mail, December 1, 2008, (accessed on December 1, 2008)

[3] “MV Kuber opens can of worms”, Ninad Siddhaye, DNA, December 1, 2008, (accessed on December 1, 2008)

[4] “Is technology a toy in the hands of terrorists?”, CyberNews Media, November 28, 2008, (accessed on December 1, 2008)

[5] “Arrested terrorist says gang hoped to get away”, Times of India, November 29, 2008, (accessed on December 1, 2008)

[6] Ibid.

[7] “U.S. Warned India in October of Potential Terror Attack”, Richard Esposito, Brian Ross, Pierre Thomas, ABC News, December 1, 2008, (accessed on December 1, 2008)

[8] “Mumbai attack: Satellite phone vital clue to solve mystery”, Yogesh Naik, The Times of India, November 28, 2008, (accessed on December 1, 2008)

[9] “U.S. Warned India in October of Potential Terror Attack”, Richard Esposito, Brian Ross, Pierre Thomas, ABC News, December 1, 2008, (accessed on December 1, 2008)

[10] “Mumbai attacks: Terrorists monitored British websites using BlackBerry phones”, Damien McElroy, The Telegraph, December 1, 2008, (accessed on December 1, 2008)

[11] “How Gadgets Helped Mumbai Attackers”, Noah Shachtman, Danger Room – Wired, December 1, 2008, (accessed on December 1, 2008)

LATimes: Agent.BTZ Might be Concerted Cyber-Attack


The Los Angeles Times reports that the Agent.BTZ worm infections spreading across U.S. Army networks might be a coordinated attack originating from Russia[1].

According to the article, U.S. Central Command is now infected with the worm, and a highly classified network has also been hit.

It is unclear whether the author of the article thinks that an infection is the same thing as an ‘attack’, though. From the article:

“Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement.”

This infection was first reported at the beginning of the month. This might just be sensationalism or complete ignorance on the author’s part, who may think that an infection by a worm made in Russia is a deliberate attack.

“Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.”

Then maybe they should just call Symantec or F-Secure or, even better, Google it… or this, if they are having a hard time.

See also:

“U.S. Army Infected by Worm”, Jonathan Racicot, Cyberwarfare Magazine, November 11, 2008


[1] “Cyber-attack on Defense Department computers raises concerns”, Julian E. Barnes, Los Angeles Times, November 28, 2008, (accessed on November 28, 2008)

Srizbi is back


Update: Starline Web Services, the Estonian company that hosted the new command and control server, has been shut down. The domain name chase continues!

The Srizbi botnet is back online, two weeks after being knocked out by the closure of the criminal hosting company McColo Corp. Srizbi’s command and control servers, now moved to an Estonian hosting provider, regained control of the botnet[1] in the last few days.

The Srizbi Botnet

The Srizbi botnet is mostly a spam-generating botnet. According to security firm FireEye, there are about 50 variants of the bot, which together control around 500 000 zombies across the world[2]. The most virulent variants are said to control around 50 000 bots each.

The Srizbi botnet had a fallback procedure in case its C&C servers went down, which is why it came back online so fast. Built into the bot is a routine that generates domain names[3] and tries to contact them to see whether a C&C server answers. The owners, who know the domain generation algorithm, only had to register one or more of the names the bots would generate and stand up their new command and control server on a machine reachable at that domain. That is enough for the bots to download an updated version pointing at the botnet’s new address. The security-relevant point is that the algorithm is a secret in name only: anyone who reverses the bot, attacker or defender, can compute the same list of names in advance, so the contest comes down to who registers them first.

More information about the domain generation algorithm can be found at FireEye[4]. Interestingly, the algorithm derives a fresh set of candidate domain names from the date, one set per period. FireEye worked out this function after McColo closed, but because of financial constraints they could not register every domain name the bots would generate: that would have meant registering more than 450 domains each week…
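As an added illustration, not the page’s own pseudo-code and not Srizbi’s actual algorithm (FireEye’s write-up[4] documents the real one), here is a Python sketch of a date-seeded domain generation algorithm with the fallback loop described above, plus the defender’s side of the same computation. The period length, candidate count, hash, alphabet, TLD list and the `MAGIC` constant are assumptions; `is_live` stands in for the DNS lookup and C&C handshake so that the example runs offline.

```python
# Added example: a date-seeded domain generation algorithm (DGA) with the
# fallback logic a bot runs when its hard-coded C&C server disappears.
# This is NOT Srizbi's real algorithm; every constant below is an assumption.
import hashlib
from datetime import date, timedelta
from typing import Callable, Optional

PERIOD_DAYS = 3                    # assumption: a fresh candidate set every 3 days
NAMES_PER_PERIOD = 4               # assumption: 4 candidate names per period
TLDS = (".com", ".net", ".info")   # assumption
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LABEL_LEN = 10
MAGIC = b"dga-demo"                # assumption: stands in for the constants a real DGA mixes in


def period_index(day: date) -> int:
    """Map a calendar day to a period number. Every bot that evaluates this on
    the same day gets the same number, so they all compute the same names."""
    return day.toordinal() // PERIOD_DAYS


def candidate_domains(day: date) -> list[str]:
    """The candidate C&C names for the period containing `day`.

    Nothing here is secret: the algorithm ships inside the bot, so anyone who
    reverses it (the operators, or a firm like FireEye) can precompute the list."""
    names = []
    for i in range(NAMES_PER_PERIOD):
        digest = hashlib.sha256(MAGIC + f"{period_index(day)}:{i}".encode()).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
        names.append(label + TLDS[digest[LABEL_LEN] % len(TLDS)])
    return names


def find_c2(day: date, is_live: Callable[[str], bool],
            lookback_periods: int = 1) -> Optional[str]:
    """Bot-side fallback: try the current period's names, then the previous
    periods' (a bot that was offline may be one period behind). `is_live`
    stands in for the DNS lookup plus a check that the host answers as a C&C
    server; it is injected so the example runs offline. Returns the first
    name that answers, or None if nobody has registered any of them."""
    for back in range(lookback_periods + 1):
        for name in candidate_domains(day - timedelta(days=PERIOD_DAYS * back)):
            if is_live(name):
                return name
    return None


def sinkhole_list(start: date, days: int) -> list[str]:
    """Defender-side: every name the bots will try over the next `days` days.
    Registering all of them denies the operators the fallback channel, but the
    list grows linearly with time, which is exactly the cost FireEye ran into."""
    names: list[str] = []
    seen_periods: set[int] = set()
    for offset in range(days):
        d = start + timedelta(days=offset)
        if period_index(d) not in seen_periods:
            seen_periods.add(period_index(d))
            names.extend(candidate_domains(d))
    return names


if __name__ == "__main__":
    today = date(2008, 11, 26)
    print("candidates:", candidate_domains(today))
    # Constructed scenario: the operators registered the third candidate.
    registered = {candidate_domains(today)[2]}
    print("bot connects to:", find_c2(today, registered.__contains__))
    print("names to sinkhole for 4 weeks:", len(sinkhole_list(today, 28)))
```

`candidate_domains` returns the same list on every machine for a given day, which is the whole point: the operators register one of those names before the period starts, while a defender who wants to deny the channel has to sinkhole all of them, every period, indefinitely. That is the bill FireEye declined to keep paying.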

“We have registered a couple hundred domains,” said Fengmin Gong, chief security content officer at FireEye Inc., “but we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names.[5]”

Communications intercepted between a Srizbi bot and its Command and Control Server

According to Symantec’s Srizbi write-up[6], the Trojan creates windbg48.sys and another randomly named .SYS file in the %SYSTEM% folder. It then registers windbg48.sys as a driver by inserting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48 key into the Windows Registry, and it hides that key by running in kernel mode and hooking the ZwOpenKey and ZwEnumerateKey kernel functions, among others. It may also try to block access to the registry altogether; a tool is available to access the registry anyway.

It also hides its files by hooking the NTFS file system driver. As if that were not enough, it modifies the TCP/IP network drivers to bypass firewalls and intrusion detection systems, and it keeps working in Safe Mode.

For those who wish to go deeper: Windows has two levels of execution, user mode and kernel mode. Applications normally run in user mode, which protects the kernel from applications so they cannot corrupt the system. Kernel mode is the privileged mode in which the kernel, system services and drivers have direct access to the processor and to all of memory. Hooking a kernel function means redirecting calls made to it to a custom function. There are a couple of ways to do that in kernel mode. One is to alter the System Service Descriptor Table (SSDT), the table the system call dispatcher uses to find the address of each native system service (the Nt*/Zw* routines, such as the ZwOpenKey this Trojan hooks). Overwriting an entry with the address of your own function hooks every call to that service. This, however, is easy to detect: an anti-rootkit tool only has to walk the table and flag any entry that does not point inside the kernel image (ntoskrnl.exe).

Another way is to patch the target function itself in memory: overwrite its first instructions with an unconditional jump to the hook, and have the hook save the overwritten bytes so that it can execute them and jump back, preserving the original functionality. This is called inline function hooking. It is much harder to detect, because the SSDT still points at the legitimate function; only a comparison of the function’s first bytes against a clean copy of the kernel image, or a check of where that jump leads, reveals the patch.

Running as a kernel driver is also what lets the Trojan keep working in Safe Mode. I don’t know if this particular Trojan uses inline function hooking, but rootkits that use this kind of hooking are quite hard and dangerous to remove.
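Added example, in Python, of the check an anti-rootkit tool performs for the two hooking methods just described; it is not code from the page or from Srizbi. It works on bytes an analyst has already dumped from a memory image, so the kernel addresses, module range, constructed prologues and the sample SSDT are all made up for the demo, and `ZW_OPEN_KEY` here is just a label for the function being inspected.

```python
# Added example: detecting an inline hook in a function prologue and a
# redirected SSDT entry. Not from the page; all addresses and bytes below
# are constructed sample data, not values taken from a real system.
import struct
from typing import NamedTuple, Optional


class HookReport(NamedTuple):
    patched: bool          # prologue starts with a control transfer
    kind: str              # which redirect pattern matched
    target: Optional[int]  # resolved destination, None if not statically known
    suspicious: bool       # destination is unknown or outside the owning module


def _resolve_target(code: bytes, func_addr: int) -> Optional[tuple[str, Optional[int]]]:
    """Recognise the redirect stubs rootkits drop over a function's first bytes."""
    if code[:1] == b"\xE9" and len(code) >= 5:                           # jmp rel32
        return "jmp rel32", func_addr + 5 + struct.unpack_from("<i", code, 1)[0]
    if code[:1] == b"\xEB" and len(code) >= 2:                           # jmp rel8
        return "jmp rel8", func_addr + 2 + struct.unpack_from("<b", code, 1)[0]
    if code[:2] == b"\xFF\x25":                                          # jmp [mem]
        return "jmp [mem]", None            # needs the pointed-to memory to resolve
    if code[:1] == b"\x68" and len(code) >= 6 and code[5:6] == b"\xC3":  # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if code[:2] == b"\x48\xB8" and len(code) >= 12 and code[10:12] == b"\xFF\xE0":
        return "mov rax/jmp rax", struct.unpack_from("<Q", code, 2)[0]  # x64 stub
    return None


def inspect_prologue(code: bytes, func_addr: int, module_range: tuple[int, int]) -> HookReport:
    """Flag a prologue as hooked when its first instruction jumps somewhere the
    owning module (e.g. ntoskrnl.exe) does not cover. A jmp that stays inside
    the module is reported but not flagged: compilers emit such tail calls
    legitimately, so 'starts with a jmp' alone is not evidence of a rootkit."""
    hit = _resolve_target(code, func_addr)
    if hit is None:
        return HookReport(False, "clean", None, False)
    kind, target = hit
    lo, hi = module_range
    outside = target is None or not (lo <= target < hi)
    return HookReport(True, kind, target, outside)


def ssdt_hooks(table: list[int], module_range: tuple[int, int]) -> list[int]:
    """SSDT check: return the service indices whose handler lies outside the
    kernel image. Trivial, which is why SSDT hooks are easy to catch."""
    lo, hi = module_range
    return [i for i, addr in enumerate(table) if not (lo <= addr < hi)]


# --- constructed sample data (x86, all addresses made up for the demo) ---------
NTOSKRNL = (0x80400000, 0x80600000)    # assumed base and end of the kernel image
ZW_OPEN_KEY = 0x80501000               # assumed address of the inspected function
ROOTKIT_CODE = 0xF8A12340              # assumed address inside a malicious driver

# Genuine x86 hot-patchable prologue: mov edi, edi; push ebp; mov ebp, esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
# Same function after an inline hook: jmp rel32 into the rootkit
HOOKED_JMP = b"\xE9" + struct.pack("<i", ROOTKIT_CODE - (ZW_OPEN_KEY + 5))
# A push/ret redirect, another common stub
HOOKED_PUSH_RET = b"\x68" + struct.pack("<I", ROOTKIT_CODE) + b"\xC3"
# A jmp that stays inside the kernel image (a legitimate tail call)
INTERNAL_JMP = b"\xE9" + struct.pack("<i", 0x80502000 - (ZW_OPEN_KEY + 5))
# Constructed SSDT: entry 2 redirected into the rootkit
SAMPLE_SSDT = [0x80501000, 0x80501234, ROOTKIT_CODE, 0x805F0000]

if __name__ == "__main__":
    for label, code in [("clean", CLEAN_PROLOGUE), ("jmp hook", HOOKED_JMP),
                        ("push/ret hook", HOOKED_PUSH_RET), ("internal jmp", INTERNAL_JMP)]:
        print(f"{label:14s} -> {inspect_prologue(code, ZW_OPEN_KEY, NTOSKRNL)}")
    print("hooked SSDT entries:", ssdt_hooks(SAMPLE_SSDT, NTOSKRNL))
```

The SSDT case is a one-line filter over the table. The inline case needs the jump’s destination and a notion of where the owning module lives, because a jump that stays inside ntoskrnl is usually a compiler-generated tail call rather than a hook; an indirect `jmp [mem]` cannot be resolved from the prologue bytes alone and is reported as suspicious for that reason. Comparing the prologue against the same bytes in a clean copy of the kernel file on disk is the complementary check.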

Return of Srizbi

When McColo Corp. closed two weeks ago following an investigation by the Washington Post’s Security Fix, it made the news across the Internet, as this hosting company was considered responsible for around 75 percent of all the spam sent across the web. Although many rejoiced, including me, at the sudden drop in spam as soon as McColo was turned off[7], everyone knew it was only temporary until the cyber criminals found another hosting company.

Few knew that this domain name generating routine was coded to reach a replacement C&C server, though. As soon as the botnet came back online, the first command it received was for a Russian spam campaign. Given the sheer number of names Srizbi generates, it was unthinkable for FireEye to register every possibility. It is becoming harder and harder to fight botnets on purely technical grounds. Fortunately, the economic fight could perhaps put an end to spam, as this Ars Technica article suggests:

“… it suggests that spammers may be extremely sensitive to costs-more so than was previously believed. Even a small increase in the cost of sending an e-mail, they postulate, could have significant ramifications for the botnet industry, and might slow the rate at which it grows or put some spam operations out of business altogether.[8]”

The Rustock, Cutwail and Asprox botnets are also making a comeback[9], provoking a new surge in spam over the last few days, although not quite yet at pre-McColo levels.

See also:

“Windows Rootkits of 2005, Part One”, James Butler, Sherri Sparks, Security Focus, November 4, 2005, (accessed on November 27, 2008)

“Fallback C&C channels”, Alex Lanstein, Atif Mushtaq, Julia Wolf, and Todd Rosenberry, FireEye, November 16, 2008, (accessed on November 27, 2008)

[1] “Massive botnet returns from the dead, starts spamming”, Gregg Keizer, ComputerWorld, November 26, 2008, (accessed on November 27, 2008)

[2] “Srizbi Botnet Re-Emerges Despite Security Firm’s Efforts”, Brian Krebs, Washington Post – Security Fix, November 26, 2008, (accessed on November 27, 2008)

[3] “Technical details of Srizbi’s domain generation algorithm”, Julia Wolf, November 25, 2008, (accessed on November 27, 2008)

[4] Ibid.

[5] “Massive botnet returns from the dead, starts spamming”, Gregg Keizer, ComputerWorld, November 26, 2008, (accessed on November 27, 2008)

[6] “Trojan.Srizbi”, Kaoru Hayashi, Symantec, July 23, 2007, (accessed on November 27, 2008)

[7] “Spam plummets after Calif. hosting service shuttered”, Gregg Keizer, ComputerWorld Security, (accessed on November 27, 2008)

[8] “Study: Storm botnet brought in daily profits of up to $9,500”, Joel Hruska, Ars Technica, November 10, 2008, (accessed on November 27, 2008)

[9] “Srizbi botnet active again”, Jeremy Kirk, November 27, 2008, (accessed on November 27, 2008)

Luxottica Retail Company Hacked


The retail giant Luxottica Retail, distributor of brands such as Anne Klein, Bulgari, Chanel and Ralph Lauren, has been hacked, and information about 59 000 former employees has been stolen from its mainframe[1].

According to Lt. Jeff Braley of the Warren County Sheriff’s Cyber Crimes Task Force, the suspected hacker breached the mainframe without even hiding her IP address. That remarkable omission led police to Molly Burns, a 30-year-old resident of Glendale, Arizona. Burns’ apartment had already been raided this summer during a heroin investigation, and an unspecified number of computers were seized by the police at the time.

“You not only see the criminal history this suspect has, but you see the ties that they have and that is much more worrisome,” Braley said.

According to News 5, the suspect’s arrest record includes forgery, theft and drug abuse[2]. Burns is now on the run, and three different police departments in Arizona are also looking for her. The FBI will soon take over the case.

No details were given on how the attack was carried out; any additional information would be appreciated. Luxottica Retail says its systems have since been secured.

[1] “Thousands At Risk After Hacker Breaches Computer Mainframe”,  Eric Flack, WLWT, November 24, 2008, (accessed on November 25, 2008)

[2] Ibid.