PC Plus HelpDesk - issue 215
This month, Paul Grosse gives you more insight into
some of the topics dealt with in HelpDesk and HelpDesk
Extra
From the pages of HelpDesk, we look at:
- Correcting PC Clocks;
- IPSec and SSL VPNs;
- Tarpits and the Nachi Lesson;
- Trojans in emails;
- Keyboard shortcuts in KDE;
- Adding new buttons to IceWM and the files;
- Four new themes for IceWM; and,
- LAN IP Addresses.
HelpDesk
Correcting PC Clocks
They say that a man with one watch knows exactly what
the time is but give him a second one and he will never
know. As you can see from the Nachi graph below, computer
clocks are all over the place and not knowing the time -
to the nearest second at least - can be a disadvantage
when trying to interpret computer logs. This was one
thing that stood in the way of finding out just what went
on and in what order in the case in Clifford Stoll's book
'The Cuckoo's Egg' (various ISBNs) which describes how an
astronomer uncovered a real-life hacker.
About Time (a nice little freeware/careware program)
from Paul Lutus, http://www.arachnoid.com/abouttime/index.html,
is a free download that plugs into any time server you
want (as long as you have permission - some server
operators prefer to be asked first).
It uses NTP, which is provided in two strata - 1 and 2
(surprisingly). Stratum 1 is essentially for other time
servers and stratum 2 is for us.
It is best to choose a time server that is fairly
local so that you are not falling victim to network
latency so try a few local ones and look at the ping
times.
You can get a list of the time servers at a number of
places on the Internet. A good page about this is http://www.eecis.udel.edu/~mills/ntp/servers.html
and, unless you are thinking about setting up your own
series of time servers, you should pick a server from the
stratum 2 list. The list of servers at http://www.eecis.udel.edu/~mills/ntp/clock2a.html
is in TLD order (rather than by language), so in the UK
look under UK and not EN (except that USA NTP servers are
under US rather than COM, NET and so on).
IPSec and SSL VPNs
IPSec and SSL Virtual Private Networks are both ways
of communicating reasonably securely over an open public
network. Each, through a series of key exchanges
supported by public key cryptography, provides a
per-session 'tunnel' encrypted with a secret key, which
will detect when packets have been tampered with. In
addition to this, the packets they do produce will make
no sense if they are intercepted and read.
So, what is the difference?
An IPSec VPN
effectively places the user's machine (or a network that
they were linking) onto the network at the other end of
the tunnel. It goes without saying that it is important
that there are firewalls at both ends of the VPN
otherwise it would be pointless.
In effect, the user's machine is able to access
network resources directly. These VPNs are best suited to
remote offices or homes of users that need direct access
and whose environment is stable enough to set up the
firewall/VPN and leave it in place.
The screenshot on the right is a typical IPSec VPN
configuration for one that is built into a hardware
(appliance) firewall. Once configured, it can be
forgotten about and, with this in mind, they can be
configured at the workplace before being given out to the
employees who need to have them at home.
With an SSL VPN, the
software runs on the computer and connects through its
firewall (if it has one - it could be just a desktop
firewall), across the Internet, through the firewall at
the other end and then to a server. The server fetches
and processes any data that is required and the user
never has any direct contact with the machines it is held
on.
The advantage of this is that the client machine could
be anywhere, such as in a library or a cybercafe. The
disadvantage is that these machines are usually
configured to accept any scripts and could have any
key-logging software on them - if you were the owner of a
cybercafe or responsible for a local authority's IT, you
would want to know if someone is downloading stuff they
shouldn't.
One main weakness of both is that they can suffer from
man-in-the-middle attacks. This is where somebody
pretends to be one end of the VPN, receiving the traffic
and passing it on to the true end, which thinks that it
has a genuine client. The unfortunate fact is that the
tunnel is breached part way along and data can be
siphoned off or even tampered with. With a machine on the
internal side of a firewall on an untrusted network,
ports can be passed through such proxies transparently.
Tarpits and the Nachi Lesson
It appears that, more likely than not, exploits of
vulnerabilities occur because patches have been issued
rather than patches being issued because of exploits. The
theory goes that, rather than searching through millions
of lines of source code or looking at the way that
hundreds of megabytes of compiled code works, people look
at and reverse engineer the patches - there is a saying
that if you lose your keys in the dark, start off by
looking under the lampposts.
W32/Nachi-A spread by making use of the RPC DCOM
vulnerability in the same way that Blaster does. The
first thing that happens when Blaster or Nachi
investigate your machine is that they send a ping. Then,
with the result of the ping, they go about the next part
of the exploit - ie infect and spread.
Whilst Blaster is 100% nasty, Nachi tries to download
and install the Microsoft patches to plug the
vulnerability and disinfect the machine before it goes
looking for other machines to infect. Whether you decide
that this is still 100% nasty is up to you but before you
go thinking that this is a 'good virus', remember that:
to install the patches, it needs to shut down the machine
and you could be half way through doing something
important and not in a position to save; and, you didn't
explicitly invite this critter onto your hardware (some
might argue that by failing to patch the hole yourself,
this was an implicit invitation but that would be for a
court to decide). Also, just so that this doesn't go on
forever, Nachi was programmed to kill itself off when
2004 came around.
So, we have a piece of software (the worm/virus) that
is going about, patching people's machines for them and
then looking for more work to do. I seem to remember that
some of the big computer companies were talking about
this type of program a few years ago and talking about it
as though it was the way forward as the user does not
have to do anything.
Anyway, this meant that during the last half of 2003,
ISPs' subnets were cluttered up with pings (they were
firewalled at the ISP gateway) and if you monitored them,
you could see that only a few came from outside the ISP's
subnet.
To monitor these, I set my firewall up so that it
directed the pings to a non-existent IP address on the
local network.
I also had a Linux box running a program called
'Labrea'. Labrea (named after the tarpits in the USA)
acknowledges a ping that is sent to a non-existent IP
address but does so in such a way that any further
communications to that address from the sending host will
be done at a funereal pace.
Or at least that is
what the infected machine thinks. In reality, Labrea
never acknowledges anything other than the original ping
(tying that infective thread up with trying to take the
next step of its infection process but only being able to
do it slowly) and if you look over the log, you can see
that machines eventually give up waiting and ping again,
some time later. It is a little like taking some
unsolicited visitors that knock on your door and putting
them in a room. You sit them down and tell them that you
are just nipping out to get them a drink and you never go
back. Ever. Sooner or later, depending upon how polite
they are, they will leave of their own accord but in the
mean time, they will not have been out knocking on other
people's doors and annoying them.
On the command line, it looks like this:
# labrea -dozvv
so that it displays the verbose information on the
screen, as in the screenshot on the right.
On the
right is the graphical output of the 250 hours spent
observing this with a sample day's worth thrown in to put
it into perspective - click on the graph to bring up the
large version in a new browser window. You will remember
that this figure was peaking at around 300 a few months
earlier.
The technical support lines were busy helping people
to disinfect their machines and by Christmas 2003, had
got the number of pings down - Christmas presents put
more vulnerable machines out into the open and you can
see the evening levels increase until they get under
control again.
With Code Red, the worm was supposed to produce a
denial of service attack on the White House website
(although it went for the IP address rather than the URL
and then it checked that port 80 was open first, both
making it easier to thwart) so it needed to be heavily
co-ordinated and at 00:00 UTC, the mode changed very
visibly. Here (with Nachi), it relied on the clocks of
machines that were maintained by members of the general
public, which is why the end is not so well defined
although it is still clear to see.
The level of activity on the local ISP network tailed
off, leaving periods of several hours at a time where
there were no pings at all. Inspection of the Labrea logs
showed that many of the machines simply stopped churning
out pings, leaving some that just carried on regardless -
the latter most likely to be an infection of Blaster that
Nachi had not got around to clearing up. Looking at the
October ping rates, it looks as though a qualified guess
at the effectiveness would be around 95%.
Whilst we, as users, have no power over what is out
there trying to infect our machines, it does give an idea
of how effective one of these automatic-disinfect
strategies could be.
So, are we prepared for the next one?
Code Red and Blaster sent out a tentative enquiry
before they went to their next step, so their rate of
spread was dependent upon the latency of the network.
Sapphire/Slammer, however, just sent out the attack, so it
was bandwidth limited and was therefore very quick, with
probe rates as large as 26,000 probes per second.
However, it was, as many viruses are, restricted in
its impact by faults in the programming (if it was
developed by a large software company, they would have
called them features). Sapphire suffered from an
incompetently constructed pseudo-random number generator
(used to find new IP addresses to attack) which missed
out large chunks of address space.
Viruses and worms like these (and even email trojans)
rely upon there being a significant proportion of the
available population that they are able to infect. Many
programs install things on machines such that the people
running those machines are not aware that they are
running. If you use a database in a program that you
write and then distribute it, the users of your program
will not be aware that there is something out there that
can now ruin their machines unless you make them aware of
it in the first place. Household machines are rarely
updated. People open email attachments. No, we are not
prepared unless people start acting responsibly.
Trojans in emails
The following is the full text of the email:
hi, I am from Spain and you'll don't believe me,
but a trojan horse in on your computer.
I've scanned the network-ports on the internet. (I know, that's illegal)
And I have found your pc. Your pc is open on the internet for everybody!
Because the smss.exe trojan is running on your system.
Check this, open the task manager and try to stop that!
You'll see, you can't stop this trojan.
When you use win98/me you can't see the trojan!!
On my system was this trojan, too!
And I've found a tool to kill that bad thing.
I hope that I've helped you!
Sorry for my bad english!
greets
=================== End Part 1 / Begin Part 2 =====================
Name: remove-smss_tool.exe
% Part 2 is binary
========================== End Part 2 =============================
Instead of pretending to be a security advisory from a
large, authoritative organisation, as you can see, it is
written from the point of view of the curious but
harmless/helpful idiot who had stumbled across a problem
and just wants to help.
If you come across a suspect mail with an attachment,
open it not in the usual viewer but, in Outlook
Express, by right-clicking and selecting Properties, then
Details (tab), then Message Source... (button), and a
window will open with just the text, including any code,
but without executing it. If you take the first line of
the message (or the first part of it) and put it into a
search engine such as Google, you can often find that
somebody else has found it and written about it (if it is
a virus). In this case, it is W32/Sober-C.
This virus attacks by a number of methods including
email and has a variety of mail messages with different
files. Lists of them are on the Sophos site amongst
others, including how to get rid of the mail.
Here, you can see
that an up-to-date on-access scanner has caught the virus
- this is just Windows Explorer attempting to read enough
of the file to get an icon to display.
Anti-virus vendors
host many details about various viruses and anything that
you are not too sure about is well worth a check.
Of course, (I would have said that 'it goes without
saying' but looking at the way these things spread, it
does not) you should never execute an email attachment
unless you are sure - you have checked with the person
sending it, you were expecting it, it is the same as the
one that was sent (check the MD5 hash) and so on.
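As an added example (not from the original column), the inspection described above can be scripted: parse the raw message source, pull out the first body line to search for, and report each attachment's name, size and hashes without ever writing it to disk or running it. The message is a constructed copy of the mail quoted above; the attachment body is a harmless placeholder string, not the real file, and the sender, recipient and subject are placeholders.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the binary part: harmless text, NOT the real tool.
FAKE_ATTACHMENT = b"The quick brown fox jumps over the lazy dog"
# Extensions Windows will happily execute from a double-click.
RISKY_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

def build_sample_message():
    """Constructed copy of the mail quoted in the column, as raw RFC 822 bytes."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"    # placeholder sender
    msg["To"] = "you@example.invalid"          # placeholder recipient
    msg["Subject"] = "trojan on your computer"  # constructed subject
    msg.set_content(
        "hi, I am from Spain and you'll don't believe me,\n"
        "but a trojan horse in on your computer.\n"
        "Because the smss.exe trojan is running on your system.\n"
        "greets\n"
    )
    msg.add_attachment(FAKE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="remove-smss_tool.exe")
    return msg.as_bytes()

def first_text_line(raw):
    """First non-empty body line: the string to put into a search engine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    for line in body.get_content().splitlines():
        if line.strip():
            return line.strip()
    return ""

def inspect_attachments(raw):
    """Name, type, size and hashes of every attachment; nothing is executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # decoded bytes, in memory
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        report.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),       # to compare with the sender
            "sha256": hashlib.sha256(data).hexdigest(),
            "executable": ext in RISKY_EXTENSIONS,
        })
    return report

if __name__ == "__main__":
    raw = build_sample_message()
    print("search for:", first_text_line(raw))
    for item in inspect_attachments(raw):
        print(item)
```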
Keyboard shortcuts in KDE
If your mouse falls over for some reason, you will
find yourself in a situation that you could have prepared
for - you need to know the keyboard shortcuts to navigate
your way around the GUI.
If you have already saved all of your work, you can
shut the system down by pressing [Ctrl][Alt][F2] to bring
up a full screen console (any function key from [F2] to
[F6] will do - just in case you were wondering,
[Ctrl][Alt][F1] brings up the initial screen that you
would have seen at bootup by pressing [F2];
[Ctrl][Alt][F7] brings up the first GUI - if nobody else
has logged in, this will be the only GUI session going;
[Ctrl][Alt][F8] and [Ctrl][Alt][F9] bring up two more GUI
sessions if they are active; and [Ctrl][Alt][F10] brings
up a rather useful log of events). Log in as root, then
type
# init 6
which switches to runlevel 6 and shuts the computer down
(runlevel 6 is a reboot, so it comes back up again).
Anyway, rather than my going on here about how you can
press this and that key combination, I will tell you
where to look and how to change the scheme.
Go to Control Center and look under Regional &
Accessibility/ Keyboard Shortcuts. Here, it is possible
to select an existing scheme, edit, create and remove
them.
For those who want
more of a Windows feel, there are two Windows themes
available.
Adding new buttons to IceWM and the files
It is possible to change the desktop that a window
appears in by right-clicking on the title bar and
selecting a new desktop - or all. However, it is almost
always more convenient just to click on the sticky
button.
One of my favourite
IceWM themes is microGUI which, as you can see from the
screenshot on the right, does not have a sticky (depth)
button.
To remedy this - you could do this for any theme -
locate the directory with the files in it - on my system
it is /opt/kde3/share/apps/kwin/icewm-themes/microGUI -
and then copy two suitable buttons into the same
directory, renaming them as you do it.
Here, I have chosen the hide buttons - hideA.xpm and
hideI.xpm. By using buttons that already exist, most of
the work is already done - making the new buttons look
part of the existing theme and so on. Also, if you chose
one that has a similar shape to the buttons shape you are
going to create, you are again cutting down on the amount
of work you will need to do.
One thing to be aware of is that many button themes
are designed with specific positions already in mind for
the buttons, so the close button is almost always designed
to look as though it is going to go right-most. I found
with this that the hide button was destined to go further
to the right than the depth button, so I opened up the
minimise buttons and copied the right-hand half of the
button background into the new depth buttons. It is
usually only possible to do this once you have the
buttons installed, so don't worry about doing it at this
stage - you can always come back to it.
With the images
sorted out, you can now add the 'd' to the
TitleButtonRight section in the default.theme file,
placing it where you want it to go.
Note that it is possible for users to put the buttons
in the order that they want and in most themes, this does
not matter. In this one it does (the background changing
slightly in the buttons on the right - enough to notice
though - and the menuButton on the left being completely
different). It is up to them but that is their problem.
Back in Control
Center, go to Appearance & Themes/ Windows
Decorations/ General (tab)/ IceWM (list box), then click
on the Configure [IceWM] tab and if you are already on
microGUI (or whatever the name of the theme you are
modifying is) then click on another theme and then the
Apply button (bottom right).
Next, click on the theme you have just edited and then
Apply again and it will be used (assuming that you have
done this properly - one mistake and it will not allow it,
so be careful not to delete other files or make mistakes
in the configuration file).
In the screenshot, you can see microGUI with a depth
button. Below, you can click on the Aqua icon to copy the
.xpm files to wherever you want - this will save you from
editing them yourself. Remember to add the 'd' to the
default theme file for microGUI if you are going to do
this or you will not see them.
The two files are depthA.xpm (depth button, active) and
depthI.xpm (depth button, inactive).
Have fun.
LAN IP Addresses
Ranges
Internet IP addresses (apart from the experimental
ones) run from 1.0.0.0 to 223.255.255.255 with a few
holes for special reasons. Whilst it is nice to have
Internet access on a LAN, there are usually a few devices
that do not need to see the Internet - printer servers
and so on - so it would not only be wasteful if everything
that was on your LAN had its own Internet IP address, it
would also be an immense security risk.
Supposing you had 12 IP addresses - a few servers that
were only for LAN use, a few network printers and so on
amongst a population of computers. If you had Internet
addressable IP addresses for each when only a few of the
computers actually needed to venture onto the Internet,
then people from anywhere on the planet would be able to
interrogate your network server or your printer and so
on. It would also use up the available IP addresses very
quickly. With this in mind, this is where local
addressing for LANs comes into its own.
If your gateway knows that a certain range of
addresses are never going to be found on a particular
connection it can then keep that traffic away from that
connection. In this way, a local addressing scheme is
used so that machines that can function perfectly well
without any interaction from the Internet can do so.
For a class 'A' LAN, you can start your network with
10 in the first octet (eight bits) of the address and the
gateway will not pass connections to these machines out
onto the Internet (ie 10.x.x.x). For a class 'B' LAN, use
the range 172.16.x.x to 172.31.x.x and for a class C
network, use addresses in the range 192.168.x.x. This is
why LAN cards for domestic use say to use the IP address
192.168.0.1 or 192.168.1.1 for the machine (usually
because the person installing it is doing it for the
first time, so there won't be any other addresses on the
network at that point, and when there are, they will have
figured out enough of what is meant by then to experiment
a bit and get it right).
There is nothing (usually) to stop you from using
class B addresses on your LAN if you really want to.
Subnet Masks
You will notice that the IP addresses for class B and
C LANs both change in the third octet but the subnet
masks are not the same. For a class B network the subnet
mask is 255.255.0.0 and a class C is 255.255.255.0. This
means that on the face of it, you can have a network
range of, say for a given network, 172.21.0.0 to
172.21.255.255 for a class B and 192.168.15.0 to
192.168.15.255 for a class C. You can see that for a
given LAN, you have 256 times more addresses to play with
on the class B network.
Of course, you don't get all 256 addresses to play
with as 0 (as in 172.21.0.0 or 192.168.15.0 in the above
examples) is the network address and is used in a
particular way by the system and, there is also the
broadcast address which normally has all of the network
address, non-subnet mask bits set to 1 so for a class C,
that is 255 and for a class B, that is 255.255 (as in
172.21.255.255 or 192.168.15.255 in the above examples).
To get the network address, you need to take the IP
address and AND it with the subnet mask. Thus the example
of 192.168.15.26 ANDed with the subnet mask of
255.255.255.0 will give 192.168.15.0 as the network
address. If the gateway ANDs the IP address with the
Subnet mask and gets your internal LAN network address,
it will not pass the traffic out onto the Internet or
into the next network.
It is also useful in some instances, such as where you
have a busy internal network, to have such a gateway or
packet filter (first generation firewall) next to the
firewall so that the firewall does not have to bother
investigating internal traffic and can concentrate on
looking at the traffic you bought it for.
Looking at it all graphically
To make all of this clearer, let's look at it
graphically...
Finding the network address using a subnet mask (24 bit):

    Typical host address    192 . 168 .   1 .  15
    AND
    Subnet mask             255 . 255 . 255 .   0
    Gives...
    Network address         192 . 168 .   1 .   0

A host address such as this is
sometimes written as 192.168.1.15/24
You don't have to use a whole octet of 0s for your
subnet mask. You could have 255.255.255.240 which would
give you a network with 13 hosts and a gateway like
this...
A 28 bit subnet mask:

    Typical host address    192 . 168 . 123 . 150
    AND
    Subnet mask             255 . 255 . 255 . 240
    Gives...
    Network address         192 . 168 . 123 . 144

This host address could be written as
192.168.123.150/28
You can make this interesting because, you might find
that you do not have to have the end of the subnet mask
as a contiguous block of zeros. If you still need around
a dozen (or 13) machines and the network needs a network
address, a broadcast address and a gateway address (ie 16
addresses in all which, being binary, can be represented
by 4 bits) you might find that it doesn't matter if they
are contiguous. If there are 4 bit-sized holes in the
subnet mask, you can have your 16 addresses as long as
the first section of the address remains intact.
Supposing your subnet mask was 255.255.255.149...
A 28 bit non-contiguous subnet mask:

    Typical host address    192 . 168 .  15 . 115
    AND
    Subnet mask             255 . 255 . 255 . 149
    Gives...
    Network address         192 . 168 .  15 .  17
    With
    Broadcast address       192 . 168 .  15 . 123

So, the valid numbers in the last octet
for this hypothetical network are:
Forget about using the slash notation
with this as it becomes nonsensical.
Note that where a subnet mask bit is set, the network
address bit stays the same in the host address.
If you are going to have a go at setting up a small
network like this, make sure that you have plenty of time
to get it working again should there turn out to be a
problem with it for some reason.
Also, note that DHCP servers like to have contiguous
IP address blocks to assign numbers to so you might find
that it does not work with your DHCP server. It could be
that your DHCP server uses the subnet mask to check for
valid suggestions but it might well not. Remember, you
will never know unless you have a go.
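The AND arithmetic in the three tables above, worked through as an added example (this is not code from the original column). It computes the network and broadcast addresses, tells you when slash notation is meaningless (a non-contiguous mask), and enumerates every address in the subnet, which gives the list of valid last-octet values for the 255.255.255.149 example. All function names are my own.

```python
import itertools

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer (raises on malformed input)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value

def to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_address(host, mask):
    """Host AND mask, exactly as the tables do it."""
    return to_dotted(to_int(host) & to_int(mask))

def broadcast_address(host, mask):
    """Network address with every host bit (where the mask bit is 0) set to 1."""
    m = to_int(mask)
    return to_dotted((to_int(host) & m) | (~m & 0xFFFFFFFF))

def is_contiguous(mask):
    """True when the mask is a run of 1s followed by a run of 0s."""
    host_bits = ~to_int(mask) & 0xFFFFFFFF
    return (host_bits + 1) & host_bits == 0  # host part must be 2^n - 1

def prefix_length(mask):
    """The /n prefix length, or None where slash notation is nonsensical."""
    return bin(to_int(mask)).count("1") if is_contiguous(mask) else None

def all_addresses(host, mask):
    """Every address in the subnet, ascending; works for non-contiguous masks.
    Take away the network, broadcast and gateway addresses to get usable hosts."""
    m = to_int(mask)
    net = to_int(host) & m
    free = [bit for bit in range(32) if not (m >> bit) & 1]  # host bits
    addrs = []
    for choice in itertools.product((0, 1), repeat=len(free)):
        value = net
        for bit, on in zip(free, choice):
            if on:
                value |= 1 << bit
        addrs.append(value)
    return [to_dotted(a) for a in sorted(addrs)]

def valid_last_octets(host, mask):
    """Last-octet values of every address in the subnet."""
    return [int(a.rsplit(".", 1)[1]) for a in all_addresses(host, mask)]

if __name__ == "__main__":
    # The three cases from the tables above.
    for host, mask in (("192.168.1.15", "255.255.255.0"),
                       ("192.168.123.150", "255.255.255.240"),
                       ("192.168.15.115", "255.255.255.149")):
        pl = prefix_length(mask)
        print(host, mask, "->", network_address(host, mask),
              "broadcast", broadcast_address(host, mask),
              f"/{pl}" if pl is not None else "(no slash form)",
              len(all_addresses(host, mask)), "addresses")
    print("last octets:", valid_last_octets("192.168.15.115", "255.255.255.149"))
```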