A few months ago a client came in from another part of the business and had an issue where the DHCP server appeared to not have given the PC any DNS entries. This of course was a big problem – DNS is critical to any PC wanting to talk outside of its own broadcast domain. I only had limited time to find a solution to the issue so I had to put together a work-around before coming to the root cause. The work-around was simple enough – Manually supply the DNS addresses and move on. But before the client left I managed to take a Wireshark packet capture of the DHCP event, and sure enough the DNS server addresses were definitely in both the DHCP offer and client response. So something was wrong with the clients’ PC.

All my research turned up was people with similar issues and no real pattern other than a certain sub-set of NIC chipsets. So when I saw it pop up again this week on a HP workstation I immediately got excited about the possibility of nailing this bastard of a problem. I recorded the NIC chipset details and went to work on isolating the issue. I first had to make sure this was really the weird DHCP problem described earlier – I made sure it wasn’t some DHCP scoping problem or an AD group policy of some sort, and finally I did a Wireshark capture. Sure enough, the DNS server addresses were definitely in there. So again, the PC knew about the DNS server address, but it just didn’t apply them. Why?

Luckily, after a lot of Googling I believe I’ve found the fix…

The Root Cause

The root cause appears to be Windows XP SP3. Take special note of ‘SP3′, as it appears to be the only service pack affected. The other contributor is the Lucent QIP DHCP server application – Although there are reports of other DHCP servers causing the same issue, it seems QIP is the largest one affected. Here is an excerpt from the MS Forums explaining the issue:

The investigation shows that the position of the option 43 in the packet seems to be the source of the problem. The XP SP3 client assumes that this will be the last one in the list of options. In most of the cases this is present at the end of the list, but with Lucent’s DHCP Server this option can be placed anywhere in the list of options. That seems to be confusing the XP SP3 client and therefore some options are getting dropped.

The Solution

The solution is quite simple – The KB953761 Hotfix. Unfortunately MS have chosen not to publicly publish this hotfix for whatever reason and you have to contact them directly here.

For me, the real solution is to upgrade the DHCP server – Seriously, if you’re having this issue I’m 95% sure your DHCP server is WAY to old to be in service now. Some people might ask – Why upgrade the DHCP service if its MS’s fault? Sure, but chances are you’re organization is wasting more money keeping the thing managed and alive.

Sources

Discussion of issue on MS Forums.

Knowledgebase Article and Solution.

As I began the 6th and last series of the 3D Buzz tutorials – Creating a 3D OpenGL engine – I decided I’d like to focus less on the core mathematics of displaying pixels and more on the creation and design of actual games. I’m not a very good mathematician after-all, and getting into that kind of stuff requires low-level efficient code. Code I really don’t have the skill to write just yet.

So I started looking around for graphics engine libraries that’ll allow me to focus on the game itself. There are a startlingly huge number of graphics engines out there, both free and not, and while I went through quite a damn few I want to talk about just one.

Leadwerks

http://www.leadwerks.com

I’ve been using the Leadwerks engine for about 6 months now and I’m loving it. Why?

1. The Engine – Built from the ground up to be a user-friendly and complete package. Modelled after the Crytek Crysis engine, it has all the features one could possibly need for both a wide-open game (Like Crysis) or an in-doors game, complete with a real-time sandbox editor. I think what I love most is that it is a very OO-centric engine. The code is just so clean and easy to understand – The huge plus for someone starting out like me.
2. Documentation - The documentation is all built up on a very-well organised and clean wiki, which you can freely browse for yourself. Josh, the creator, has made video tutorials for almost all aspects of the engine. This means you can pretty much just jump in, follow the tutorials, and you WILL have a running game in under a day.
3. Community - The Leadwerks forums, also freely available, is a small but very helpful community. Josh, the creator, is often on there as well. You’ll find that any questions will be answered in under a day.
4. Cost - One of the more problematic issues about Leadwerks. The cost is $100US upfront. Meaning you need to dish out early to really start. On the other hand, once you pay the initial fee you’re done. You get the engine for life, including any updates, and you can do whatever you want with your application. Which makes this engine one of the cheapest going around.

All in all, Leadwerks seems to be the perfect engine for someone who has a basic understanding of OO C++ and would like to dive into game development. Although the initial $100US fee can be a bit daunting for some, I highly recommend it.

What You’ll Need

• The Scribblenauts NDS image file: Downloaded from your favourite torrent search engine.
• An Emulator, of which there are currently two options. There are reported problems for both of them so you’ll need to find the one that works best for you:
  • Note: The following has been tested on Windows XP and Windows 7.
  • NO$GBA 2.6a – Old but very good emulator. Very basic. Reported problems with Scribblenauts:
    • Very low quality crackly sound.
    • There appears to be a subtle dull blue hue over the screen.
  • DeSmuME 0.9.4 - Another mature emulator. Has many options including the nice ability to increase the size of the screen. Reported problems with Scribblenauts:
    • The sky appears to be the wrong color (white instead of blue) – It may not be displaying all the layers.

Instructions (Using DeSmuME)

1. Open DeSmuME 0.9.4 change the following settings:
   1. Config -> 3D Settings -> Choose SoftRasterizer as the Renderer.
   2. Config -> Emulation Settings -> Tick Use 8MB debugger mode when starting execution.
   3. Done! Reload the cartridge and play!

Instructions (Using NO$GBA)

1. Open NO$GBA 2.6a and run Scribblenauts, then change the following settings:
   1. Options -> Emulation Settings -> Change NDS Cartridge Backup Media to EEPROM 64KBytes.
   2. Options -> Save Options.
   3. Done! Reload the cartridge and play!

Always looking for feedback – Have you had success? Failure?

You Will Need

• Dungeon Keeper 2 - Obviously very hard to come by in legit form, so I think it is OK (Read: Still not legal) to leech from somewhere. Get it / buy it, then patch it:
  • Patch to v1.7 – DK2 needs to be patched to v1.7, the latest and last update. That too can be understandably hard to come by, so get your Google on.
• (Recommended) Dungeon Keeper 2 (Silver Edition) – The full DK2 game, but packed full of all 3 bonus packs, pre-patched to v1.7 and installs without a hitch. All thanks some some random die-hard fan. Can be found on many torrent trackers.

Instructions

Step 1. Install DK2 and update it to v1.7 if you need to. Attempting to run DK2 now should result in a crash to desktop.

Step 2. Right-click the DK2 desktop shortcut and click Properties. Click on the Compatibility tab and tick Run this program in compatibility mode for: and choose Windows XP (Service Pack 2). Apply and close the window.

Step 3. Launching DK2 now should get you in game. It appears that for some people that is all that needs to be done. But for me, and I suspect this is graphics card based, I get rather bad graphical artifacts in the form of pure black elements covering most of the screen. If you get these issues or similar, complete the 4th step.

Step 4. Go in game and proceed to the Graphics Options. Within this menu will be a Hardware Acceleration option. Disable it. OK out of the options and play a quick game such as the Pet Dungeon game mode. The reason for this is that the game doesn’t appear to save the options unless you go all the way in game and back out. Once in game, quit immediately and restart DK2.

Done! That is all there is to it.

This all works great, but my game crashes out randomly!

Tips:

• Running a dual monitor configuration? Try disabling your secondary monitor.
• Use Quick Save (ctrl+S) and Quick Load (ctrl+L) religiously.
• A known crash point is when dropping human NPCs in Pet Dungeon mode.

Please feel free to offer any feedback if you are still having issues.

You will need:

• GTA: Chinatown Wars – Probably worth buying legit and then ripping to the HDD. Or don’t. Pick up the game from somewhere. I guess just make sure it is in NDS format.
• No$gba Emulator 2.5c – This emulator works almost ‘out-of-the-box’ for GTA:CW. Apparently DeSmuME works as well if you manually compile the latest version straight from the SVN.

Instructions:

Step 1. Load up No$gba and go to Options > Emulation Setup. Change NDS Cartridge Backup Media to FRAM 32KBytes. Hit OK.

Step 2. Go to Options > Save Options to save the options permanently.

Step 3. You’re done! Drag ‘n’ drop the game in or open it from the File menu. Simple as that!

But some time ago Google forcefully rolled out a new version with the Canvas View feature, which adds a tab bar down the left hand side and makes a lot of the gadgets capable of maximizing to the width of the page without having to actually load a new page. It is very cool in some respects and I’m sure many people simply love its usefulness. I am not one of those people.

I only have a few gadgets installed on my page so the whole concept of tabs is not at all useful for me, and I rarely if ever want to maximize any of those gadgets. Therefore iGoogle wastes a lot of screen real-estate. Above and beyond that, there is just other small bloat creep that one does not need nor want to see:

Its all really not a big issue in the scheme of things, but every time I’ve looked at my homepage for the past few months it has irked me. And for whatever reason this morning I just couldn’t stand it any longer and decided to rectify the issue. I spent some time Googling about, uhm, iGoogle, and I found very little other than various forum threads dedicated to the same problem I have.

But luckily I have a brain, and even more luckily I used it quite well for how early it was in the morning! So here is how I managed to remove the bloat:

What you will need:

• Firefox – This only works in Firefox, so make the move if you haven’t already.
• Adblock Plus Plug-in – The Firefox plug-in that does all the work.
• (Optional) Firebug Plug-in – A Firefox plug-in that greatly assists in finding the code elements you want to remove.

The Concept:

The concept is simple. Adblock Plus is a must-have Firefox plug-in that automatically blocks 99.9% of ads that appear on websites. Most of the time it can stop them from even downloading in the first place, which increases page load time. The reason we’re going to use it here is because a. Every Firefox user should have this plug-in installed regardless, and b. It is a quick and simple method that can be easily modified, added to, or reversed at any time.

The Firebug plug-in helped me quickly find the elements I wanted to remove. It is not necessary for the HowTo, but if you want to add your own customizations then use this app.

Step 1.
Install and setup Firefox and Adblock Plus.

Step 2.
Select and copy the following filter code:

google.com#*(personalize_link)
google.com#*(footerwrap)
google.com#*(leftborder)
google.com#*(btnG)
google.com#*(new_user_demo)
google.com#*(btnI)

Step 3.
Open up the Adblock Plus Preferences by going to Tools > Adblock Plus Preferences.

Step 4.
Paste the filter code into the filter list by right-clicking anywhere in the filter list and hitting Paste.

Done! Your iGoogle page should now be Bloat Free(tm), like so:

Opened up Photoshop CS3 today to find that none of the tools worked at all. No matter what tool i selected the mouse cursor would stay stuck on the hand icon and attempting to use the tool anyway did nothing. I was really quite confused. I couldn’t find a thing on the internet about it at all. I restarted the application several times with no dice. In my frustration I went to grab a drink. When i came back, the Photoshop application i had left open was working just fine *shrugs*. Odd huh?

I took another look on Google about it later and saw a few people discussing it. Some claimed it was a memory issue, some said you needed to reset all the tool and window preferences citing that the preferences file was corrupted. Seems to me a healthy dose of time is all it needs. My guess is that the thread managing the tools got held up doing something trivial such as looking for updates over the net.

Anyhow, thought I’d shout it out as i was pretty annoyed over it at the time.

Intro

I’ve wanted one of these badboys for a very long time now, ever since i saw one sitting in a glass case at The Crown in Melbourne. For a long time i looked around various places that managed to get the Terminator license and produce them. I looked, and stared, and i walked away after seeing the price. But last month i committed the cash and went shopping. I’ll tell you one thing right now – The guys at Sideshow Toys make top notch stuff. Everything I’ve heard of them has been positive (and i did a lot of research). But above all that, the Terminator skull just looked correct. There are quite a few brands and versions of this bust out there, and many just look plain bad.

Its a funny thing about faces. There are so many features and facets in a face. So many subtle things that if not correct, can completely ruin the design and look. And although the Terminator endoskeleton is less of a face and more of a skull, it is no different. Stan Winston’s (RIP) design was perfection. I won’t try to explain it, as i don’t think words can really do it justice. But you should be a little freaked out by it, a little scared, and know that you wouldn’t ever want one walking at you. If you feel that, then its Stan Winston’s Terminator. But enough of that, lets talk about the model.

Sideshow currently ships two versions of the life size bust – A chrome version and a combat version. The chrome version is obviously just that, chrome. It looks fantastic in the pictures and I’ve seen user reviews of it in a normal environment. People have complained that in some light conditions the chrome gives off a bit of a rainbow effect on the dome of the skull (like you see in oil on the road). The chrome can also drown out model detail if its reflecting a detailed environment. Either way, i was forced to buy the Combat version instead as the chrome one was sold out indefinitely at the time (and still is). Over all i think this was the better choice in the end as the battle damaged look does bring out more of the skulls features in my opinion, and hell, if i have a change of heart i can apparently wipe the paint off with alcohol (Though i am not recommending that!). The combat version is quite simply the chrome skull with some paintwork applied to it to give it a look that it has been on the battle field. There are no physical dents or scratches on the model that i could see.

Packaging

In short, the model came very well packaged. And it was transported from wherever they are in America all the way down to here in Australia, so if damage could have been done it would have happened on this trip.

Starting from the inside – The skull was completely wrapped in gladwarp which i presume was to stop movement scuffing off the paintwork. Which was then wrapped in several pieces of flexi-cushion stuff and put inside a hollowed out block of polystyrene. From there it was snugly inserted into a custom cardboard box and put into a simple thicker transport cardboard box. All of which was covered in tape. I really can’t see how you could wrap this thing up any safer. Oh and the copious amounts of layers made for a bit of extra excitement when opening for the first time hah.

The Model

It should be said straight up that this replica is exceptional. I believe there isn’t a better one available anywhere in the world (For sale). The geometry of the model, is perfect. It is a Stan Winston replica through and through. The angle, or position the head is in is great. The base of the model is one that stays well out of the way of the skull, so as to not steal any of the limelight. And it has a couple of really cool hidden features you might not expect from a replica statue.

First up is the eyes, they of course turn on with the flick of a little metal switch at the back. And the effect is immediate. The red eye lens’s are not just some uniform flat color like you see on most models. These eyes have that grid like texture like right out of the movie. And to top it off, when you flick the eyes off (Terminate him, as i would say) they slowly fade out over a period of several seconds. Just like when he’s crushed at the end of T1. That’s attention to detail for ya. While I’m on the subject of the eyes, they require power to run of course. The model comes with 3 AA battery’s you insert on the underside of the base. I’m glad they went for AA’s instead of one of those hard to get flat watch battery’s.
One odd thing I’ve noticed is that the eyes seem to dim quite a bit after being on for some time.  I left them on for a good 4 or so days straight when i first got him and i could of sworn that by the 4th day they were noticeably dimmer. Turning the eyes off and on again 10 minutes later seemed to help, but it looks like the eyes drain battery power quite a bit faster than i would have thought.
Update: 2 weeks in and the batteries are dead. I didn’t have him turned on the entire time either. I suspect some highly quality batteries will last longer, but it looks like you can’t just leave him on for months (or 120 years, for that matter).

Second feature is the ability to pull the CPU out of the skull just like Sarah Conner did in T2, minus the drilling. It comes in three parts. The top ‘lid’ you pull off. Then there’s the serrated insert and finally the CPU embedded in its slot. The model comes with a little magnetic rod you use to easily pull out and replace the insert and CPU. Here is where you start to see some sub-par modeling. The insert is a bit too small for the hole and doesn’t fit snugly. It also feels a bit light and plastic like. I’m hoping they did that so it wouldn’t get stuck or so the magnetized rod could easily pull it out. But i think I’d still rather be given a small pair of pliers to pull it out like Sarah did in the movie, it’d be so much more satisfying.
The CPU chip is even worse. It is a very simple piece of plastic consisting of the 3 primary colors, there is no detail and it feels cheap. The hole itself is also uncared for and suffers the loss of metal from about half way down to the bottom (The rest is a black plastic). I would have happily paid a little more to see this part of the skull polished up like the rest of it, for at the moment it feels unfinished.
On the whole, i am pretty thoroughly disappointed with this feature. It simply does not match the quality on the outside.

The Paintwork

The is paintwork is good. But not great. From afar it looks great. But up close inspection will reveal a more sub-par job. Closest comparison i can give it is as if someone took the spraycan from MSPAINT and painted black dirt spots all over it. That is an exaggeration of course, but the effect is still there. There is an obvious difference in paintwork quality between the SideShow pictures and the real world model, as shown here:

Click to enlarge

Excusing for a moment the amateur photography and different lighting environments, it should be pretty apparent the guys at Sideshow Toys put significantly less work into the paintwork of my model than their window model. For starters the teeth are completely unpainted. My model has been obviously painted with a monotone black airbrush, as opposed to the Sideshow Toys model that has had several ‘dirty’ colored paints applied with considerably more effort and care.

The insert above the CPU is, oddly enough, painted dirty. From a realistic point of view, how it got dirty i don’t know. I would have much rathered a shiny metal insert with a delicate looking CPU. But you get neither.

On the whole I’m disappointed by the paint job. Its clearly not what was advertised and not up to my fanboy standards. I’ll let you be the judge though. More pictures at the bottom.

The Conclusion

Despite the bad things I’ve mentioned the model is still by far the best Terminator bust replica I’ve ever seen and I’d recommend any and all fanboys buy one in a heartbeat. The model isn’t perfect, and I’m not surprised. I believe it would take Stan Winston himself to rebuild the perfect model, or an inordinate amount of time spent by a professional artist perfecting one. AUD $600 (AUD $500 + $100 P’n'H) just won’t get you that. But the model is a work of art and i don’t regret the money spent buying it in the slightest.

Ultimately i want to one day own a fully articulate and 100% metal bust. I’m actually seriously considering building my own. Right now I’m trying to see if i can get a hold of a model (CAD/Maya/Max model) that i can modify and send to a professional metal fabricator workshop and put together my self. That might have to be a blog for another time. But if anyone has any info on doing such a thing I’d love to hear it.

The Pictures

Abstract— this paper will discuss and disseminate how the Storm Worm operates and the most current forms of mitigation and removal. Considering that its success can be largely attributed to the number of ways in which it can distribute itself, stay aware of the environment it is in, and the use of some intriguing techniques to avoid termination this worm in particular calls for caution.

You can download the PDF version HERE or continue on to read the rest.

Abstract— this paper will discuss and disseminate how the Storm Worm operates and the most current forms of mitigation and removal. Considering that its success can be largely attributed to the number of ways in which it can distribute itself, stay aware of the environment it is in, and the use of some intriguing techniques to avoid termination this worm in particular calls for caution.

I. Disclaimer

This paper assumes that the reader has a respectable amount of knowledge on such topics as worms and other malware, Microsoft Windows and a fairly deep knowledge on how the internet works.

It is worth noting that malware of this calibre update and change very quickly, and are also edited slightly by other parties and sent back out into the wild. It is simply impossible to dissect very iteration of the Storm Worm, therefore the scope of this paper will only contain the technologies used by the version of the worm this paper was written about, plus any findings posted by other people (whom are duly referenced) which were major enough to write about.

II. Introduction

“This doesn’t seem to have received much attention, but the world’s most powerful supercomputer entered operation recently. Comprising between 1 and 50 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system.” Peter Gutmann, 31^st August 2007.^[1]

Discovered on January 17^th, 2007^[2] the Storm Worm sought to become one of the most pervasive and successful viral applications the world as ever seen. It was estimated that in its peak the Storm Worm had infected up to an incredible 50 million Windows based PCs worldwide!

To this day (April, 2008) the Storm Worm is still in the wild and invading computers around the world. Its success is largely due to the criminals behind it all. Storm represents one of the larger schemes designed to make money, and it has become clear that there is a lot of money involved, because the rapid release of updates and new modules would require an impressive amount of resources. Storm is the poster boy for a new era of internet malware and crime, and quite possibly terrorism.

This paper will discuss and disseminate how the Storm Worm works and the latest ways in which to mitigate it.

III. Naming Conventions

Just like any other malware the Storm Worm has many names associated with it due to various security and AV companies defining their own signature recognition of the software.

The Storm Worm is not to be confused with the 2001 outbreak of W32/Storm.Worm; which was a largely ineffective worm.

Below is a list of known associated names with the Storm Worm, and their parent companies:

· Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)

· CME-711 (MITRE)

· W32/Nuwar@MM and Downloader-BAI (McAfee)

· Troj/Dorf and Mal/Dorf (Sophos)

· Trojan.Downloader-647

· Trojan.Peacomm (Symantec)

· TROJ_SMALL.EDW (Trend Micro)

· Win32/Nuwar (ESET)

· Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)

· W32/Zhelatin (F-Secure and Kaspersky)

· Trojan.Peed, Trojan.Tibs (BitDefender)

To confuse matters more, the Storm Worm also uses sudo polymorphic techniques to alter itself and masquerade as an entirely new variant of malware, and therefore AV companies detect and tag the new variants with a different name.

IV. Infection

Probably the most prevalent of all of Storm Worm’s features is the way it can distribute its self across the internet. First and foremost the Storm Worm is a spambot, capable of sending out emails in bursts that exceed 1,800 in a 5 minute period. ^[3]

It sends specially crafted emails, known as a social engineering attack, to entice the victim to either visit a fake website or directly download an infected file embedded in the email. The variation of Storm being researched in this paper came as a URL link in a spam email wanting you to download a ‘Happy New Year!’ ecard, but hidden along side it was an infected file called applet.exe.

But in order for this technique to be truly effective, the fake websites and the location of the infected files need to have a high availability and resistance to being shutdown, otherwise the URL link in the email could be dead by the time a user reads it and clicks it. It can’t be an IP address based URL because is a single point of failure; the IP of the computer hosting the malware could become overwhelmed or shutdown by the authorities. So the attacker must find a way to create a completely distributed and ever-changing network, enter Fast-Flux.

A. Fast-Flux

Fast-Flux is a growing, sophisticated technique which is being increasingly used in the wild. Fast-flux service networks are a network of compromised PCs with DNS records that are constantly changing, in some cases every few minutes. These constantly changing records make it much more difficult to track down the criminal and shut down their operations.

The goal of fast-flux is for a fully qualified domain name (such as www.example.com) to have hundreds or even thousands of IP addresses assigned to it. These IP addresses fluctuate in and out with extreme frequency using a combination of round-robin and a very short Time-To-Live (TTL) for any IP. Website hostnames may be associated with a new set of IP addresses as often as every few minutes. A browser connecting to the same website every few minutes would actually be connecting to a different infected computer each time.

Fast-Flux is a perfectly normal DNS technique that any DNS provider can implement, but criminals tend to use certain Russian DNS providers with this technique because they are very slow to respond to illegal use of their services.

*WARNING* The domain name www.supersameas.com is still live as of April 13^th 2008. Browsing to this site may get you infected with Storm!

Not only does Storm use this technique, but it takes it a step further –

Figure 1 - Double-Flux in use in the Storm network.

Known as Double-Flux, Storm uses a completely decentralised DNS network service. The above diagram details how Double-Flux works with a live Storm domain name:

Step 1 – When the http address is entered into the browser your PC will first initiate a DNS query to find out where the domain is physically located. To do this your PC will ask your local ISPs’ DNS server (Omitted from the diagram), which will forward you on to the Name Server (NS) of that domain. This is where Double-Flux comes in; Not only is the A record fast-fluxed, but so too is the NS record:

ns3.supersameas.com 84267 209.136.140.189

ns4.supersameas.com 84267 66.190.211.71

ns1.supersameas.com 84267 75.62.247.33

ns2.supersameas.com 84267 75.82.24.44

The above output shows these NS records have a TTL of 84267, which approximates to 24 hours. So every 24 hours the IP of these NS records will change to another infected computer, providing yet another layer of redundancy and security to the worm.

Also if you do a reverse DNS lookup on those NS IPs you’ll see that they are in fact infected computers sitting on ADSL connections in consumer ISPs:

Name: texas-adsl-1205.camtel.net

Address: 209.136.140.189

Name: 66-190-211-71.dhcp.slid.la.charter.com

Address: 66.190.211.71

can’t find 75.62.247.33: Non-existent domain

Name: cpe-75-82-24-44.socal.res.rr.com

Address: 75.82.24.44

Notice that at least one of the NS records is no longer valid, meaning the compromised PC is down. In 24 hours time a new set of compromised PCs will enter rotation for the NS records, and the down node above will be replaced.

Step 2 – Once one of the name servers receives the query it will respond with an A record; the IP address of the web server you are attempting to browse to. The A record is the second part of the Double-Flux DNS service, and on the Storm DNS network the A record updates every second. Every time you browse to that domain, you will be browsing to a different IP address. There could quite possibly be hundreds of thousands of compromised PCs serving that one website, providing an incredibly formidable redundant service.

Step 3 – The PC now has the location of the web server and can initiate a HTTP GET to grab the webpage and download the content. This is got from any one of thousands of slave PCs.

B. Rootkit hook

Once the infected file is successfully downloaded to the machine, Storm initialises a whole plethora of instructions to compromise even a security hardened computer.

One of the first things Storm does after decrypting and unpacking itself is crash any active AV emulation engine process by calling the function FreeIconList; a legacy windows function and thus often not emulated by the AV engine.

While the AV engine is down Storm then runs a routine that disables Windows File Protection on the kbdclass.sys driver (and its cached copy) and loads the rootkit driver spooldr.sys into it.

After that Storm creates two files. One is a copy of applet.exe placed into %systemroot% and the other is a copy of spooldr.sys renamed to spooldr.exe and also placed into %systemroot%.

Storm then runs a system command to allow spooldr.exe through the Windows firewall:

netsh firewall set allowed program “%systemroot%\spooldr.exe” enable

C. Hooking the P2P client

Probably the most important module Storm loads is the P2P module, wincom32.sys. This driver injects a hidden executable into the user space of the SERVICES.EXE process. The injected file is responsible for connecting to the Storm network cloud and all P2P communications.^[4]

D. Hiding thy self

The last step in Storms infection process is to hide itself from view. The Storm rootkit module uses a Service Descriptor Table (SDT) hooking to hide files and registry keys, and hijacks IRP_MJ_DEVICE_CONTROL of ‘\Device\Tcp’ to hide active connections of SERVICES.EXE.^[4]

This means that Storm has become virtually invisible; there are no traces of it in the registry, no new processes seen running in task manager and all network connections made by it on behalf of the SERVICES.EXE process are also hidden.

E. Terminating the Anti-Virus

One of the alarming things Storm can do is completely disable almost any AV solution on the host PC. As discussed earlier on, Storm first crashes the AV application in order to patch a critical Windows driver. Next time Windows begins to boot it loads the infected kbdclass.sys driver, which then immediately spawns the Storm rootkit, spooldr.exe. Every driver and program loaded after kbdclass.sys is under control of the Storm rootkit. Storm simply checks every driver and program being loaded, and if it is one that is listed on its blacklist, then it is terminated.

A complete list of blacklisted programs the variation of Storm this paper dissects:

· Zonealarm Firewall

· Jetico Personal Firewall

· Outpost Firewall

· McAfee Personal Firewall

· McAfee AntiSpyware

· McAfee Antivirus

· F-Secure Blacklight

· F-Secure Anti-Virus

· AVZ Antivirus

· Kaspersky Antivirus

· Symantec Norton Antivirus

· Symantec Norton Internet Security

· Bitdefender Antivirus

· Norman Antivirus

· Microsoft AntiSpyware

· Sophos Antivirus

· Antivir

· NOD32 Antivirus

· Panda Antivirus

On October 22^nd 2007 Richard Cohen, a SophosLabs researcher stumbled upon a new technique found in a newer version of Storm that now simply “fools” the local computer system to run certain programs successfully, but in fact, they are not doing anything –

“Programs, including not just AV exes, dlls and sys files, but also software such as the P2P applications BearShare and eDonkey, will appear to run successfully, even though they didn’t actually do anything, which is far less suspicious than a process that gets terminated suddenly from the outside,”.^[5] Users and any related security systems will assume that security software is running successfully when it in fact is not. This allows the Storm worm to sneak into safe networks, even ones considered to be security hardened with applications like Network Access Control (NAC).

F. Lockdown

The last thing Storm does is lock two specific files; ntoskrnl.exe and the infected kbdclass.sys driver. This is most likely another method to hide itself by locking out access to those files to user mode applications like HiJackThis; a popular application that scans for suspicious changes to critical files.

V. Distribution

Contrary to popular believe, the spam sending process is not automated. The creator of the worm controls the botnet through the use of an encrypted P2P (Peer-to-Peer) network cloud that every infected PC listens to (more on this later). Through this P2P botnet, the creator can issue commands to his army and they will follow it through.

A. Spam

On Janaury 19^th 2007 ^[6] a mass spam email began hitting inboxes around the world in what is believed to be Storms’ first attack. It was also this event that gave Storm its name. The massive European windstorm Kyrill was the topic that the Storm used to entice people to open the email, with a subject line of:

230 dead as storm batters Europe!

“The spamming started when the storms were still raging.” – Mikko Hypponen, chief research officer at security firm F-Secure.^[6]

While this first wave of infection isn’t anything extraordinary, the fact that it was spread using front page news only mere hours after it had happened shows just how organised the criminals behind this form of malware are.

February 14^th 2007 marks the second wave of Storm spam emails preying on the romantics by offering a flash-based valentine eCard – postcard.exe.

Figure 2 – Screenshot of Valentine’s Day spam wave (Janaury 31^st 2007)

Since then there have been approximately 30 waves of spam covering a whole plethora of subjects from NFL, ‘hot videos’, Christmas cards, new years and ‘internal memos’ to the latest being an April Fools (April 1^st, 2008) email with the following image:

Figure 3 - Screenshot of Storm email spam (April 1st 2008)

This distribution method can be considered one of the worst, as it preys on unsuspecting and unknowing internet users. This kind of exploit is unlikely to ever be patched up.

Adam Swidler, a senior manager with security company Postini, said that since mid-July 2007, he has recorded 1.2 billion e-mails that have been sent out by the botnet. A record was set on August 22^nd 2007 when 57 million virus-infected messages, 99% of them from the Storm worm, were tracked crossing the Internet. ^[7]

VI. Peer-To-Peer Network

Traditional botnets were usually constructed with use of an IRC (Internet Relay Chat) client and server system whereby all the infected PCs would connect to a, usually public, IRC server and join a chat room within. From there they would just sit and wait. The creator of the botnet would come in, submit a password to gain controller privileges and then proceed to command the bot army how he liked. While this is a very popular way of controlling a large number bots, it has some major drawbacks:

· It is a centralized system. Very easy to shut down all operations by simply turning off the IRC server.

· Due to the fact that the location and password of the server and chat room was hard coded into each bot, it was not overly difficult to effectively take over and dismantle a botnet.

These are actually the very same drawbacks the pirating industry faced quite a few years ago, and they came up with a solution – P2P networking – The idea of removing the centralised server and recreating all the clients as equals. Certain members of the P2P network cloud would be relegated to being a Super-Node; Chosen for their high bandwidth internet connection and used to distribute and manage an index of files available from other nodes in the network. If a Super-node failed then another would take its place. But redundancy isn’t the only benefit of P2P networking. It also provides a great layer of security – No one node knows about every other node.

This is the kind of network the criminal organisation behind Storm employs to control the operations of the worm.

VII. Honeypot Death

A honeypot is a PC setup specifically to sit on the internet and get infected. It is used as an early warning device or to capture malware mere minutes after being released into the wild. This allows AV vendors to analyse the malware and create patterns and mitigation techniques in an attempt to protect end-users before it hits them.

Most honeypots these days are simply virtual PCs running under VMware or Microsoft Virtual PC (The most popular VPC software at the moment), this allows analysts to observe the malware in a safe and controllable environment. Anti-malware analysts can run unknown code on these virtual machines and watch how they behave. They can ‘freeze’ the virtual PC and dissect it, and they can destroy the machine afterwards with little risk of harming the real environment around the VPC. Unfortunately both Virtual PC and VMware leave small footprints in the memory and the Storm worm has a mechanism to detect that.

If you try to infect a VPC with Storm you’ll find that nothing happens. That is because Storm realised the environment it was in and put itself to sleep, to mislead and avoid detection.

Storm makes uses of two fairly common routines to achieve this – The ‘ComChannel VMXh magic’ trick to detect VMware emulation and the ‘illegal Opcode exception’ trick to detect Microsoft Virtual PC emulation.^[8] How the tricks work is not within the scope of this paper, but both of these routines are discussed in depth with examples in Peter Ferrie’s paper on Virtual Machine Attacks v2.^[9]

VIII. Self Defence

Taking one step closer to being a virus from right out of the movies the Storm worm now has automatic self defence capabilities.^[10]

Researchers around the world have found themselves being DDoS’ed for up to a day in retaliation for attempting to scan Storm infected PCs with security vulnerability scanners.

“During the past month we’ve observed and notified involved parties regarding numerous such Storm-related DDoS attacks. The attacks have been ICMP, can last more than a day, involve a large number of sources scattered globally, and can yield very significant attack traffic. “– Douglas D Pearson, Aug 2007.^[10]

At the moment it is not known exactly how much probing triggers the DDoS attack.

Zhelatin, the spammer gang believed to be behind the Storm worm, have been accused of causing most of the DDoS attacks performed on popular anti-spam websites such as www.spamnation.info and www.419eater.com.^[11]

Though the owners of the websites believe it is not the alleged Zhelatin them selves who order the attack, but spammer gangs that pay the group to do the DDoS on behalf of them.

IX. Mitigation and Removal

Since the storm worm doesn’t rely on any exploits to compromise systems, it is very difficult to avoid being effected. It instead preys on a lesser known exploit called human curiosity (and possibly stupidity) by masquerading as completely innocent looking files and using hot topics or news to appeal to people and infect the PC the second it is downloaded.

So how could you possibly mitigate it? You can’t, not fully. In September 2007, Microsoft released a MSRT (Malicious Software Removal Tool), downloaded through Windows Update every second Tuesday, to detect and remove the Storm worm. While Microsoft was able to clean a large amount of PCs, shortly after the event the Storm authors updated the storm worm to avoid detection. And so the MSRT update became redundant. It is the same with every flavour of AV solution – They update their detection signatures and Storm changes its code. And unfortunately, even if the worm was cleaned from a user’s PC it’ll most likely be back, because people with a habit of doing something are likely to repeat whatever they did.

Therein lies the problem – There will always be someone out there on the internet who doesn’t know a legit email from a bad email, or a fake website from a real one, or just doesn’t care. And while AV solutions can protect you from a majority of the malware in the wild, they can never keep up with the constantly changing and polymorphing zero-day malware like Storm. If the user is a largely inexperienced one, they’ll inevitably be infected; it’s only a matter of time before they download some malware that their flavour of AV has yet to come across (and therefore protect against).

So since infection may well be inevitable for most, it’d be prudent to discuss how the Storm worm can be removed. But it’s actually less about removing it and more about how you can detect it in the first place, or if you’ve detected it, how can you know what version you have in order to remove it? The only footprint the Storm worm leaves is the sluggish internet connection when it is using it to send out copious amounts of spam or attacking someone with DDoS. But there are a thousand reasons why an internet connection could be slow on some days, so it’s not definitive evidence. The only reliable way to trace a Storm infected PC is to watch its outbound connections from a remote device (remember that Storm hides its own connections on the local computer) for suspicious activity.

Once you know for sure a PC is infected, you may try to remove it manually. But the steps involved would be complex and would change as often as Storm does. It is not recommended to attempt to remove it manually. The only fool-proof way to remove Storm is to format the PC – destroy all the data. It may sound harsh, but once the Storm worm gets into a Windows machine, it gets in deep. Luckily Storm does not infect many files on the system (yet) and it is subsequently safe to backup personal data and erase all data on the PC.

X. Conclusions

It should be made clear that while Storm does use some very advanced methodologies, it all really comes down to the end-user not taking to correct precautions before downloading or browsing to an unknown email or website. These spammer groups know this; they know that users will go as far as to turn off anti-virus applications just to view a restricted and dangerous resource. They use this knowledge to exploit the curiosity of these users and they will gain control of the PC.

It has recently become easier to ignore the warnings, due to malware authors putting more effort into making sure it does not disrupt the end-user. Once Storm has compromised a PC, it does not destroy it. In fact it goes to some lengths to hide itself from any prying eyes and make sure the user cannot notice any difference. This effect is a double edged sword; it of course reduces the chance of removal if it is undetected, but by not disrupting the user experience there’s a good chance the user won’t bother trying to remove it even if it was detected. It is because of this, that Storm is so successful, and it’s not going to stop there. Storm has now become the poster boy for a new era of malware. Users need to realize that in the wrong hands, their own home PCs can be part of a large scale terrorist attack against any number of companies such as banks or even countries.

The latest rumor is that the Storm Worm botnet is being segmented up into smaller clusters to be auctioned off. We’re lucky the group behind Storm is only in it for the money, but it’s only a matter of time before someone with a dangerous prerogative will use this vast network for something truly illicit.

Maybe it’s time to instigate an Internet Driving License?

Acknowledgment

I’d like to acknowledge the community at www.spamtrackers.eu for their truly extensive timeline and documentation of the Storm Worm. Without them it’d be a lot more painful to find any information on the malware afflicting the internet at large.

References

[1] Gutmann, Peter., Insecure.org. [Online] http://seclists.org/fulldisclosure/2007/Aug/0520.html.

[2] F-Secure., F-Secure Malware Information. [Online] [Cited: 3 27, 2008.] http://www.f-secure.com/v-descs/small_dam.shtml.

[3] Information Week., Information Week. [Online] [Cited: 04 02, 2008.] http://www.informationweek.com/news/showArticle.jhtml?articleID=196902579.

[4] Ciubotariu, Elia Florio & Mircea., “Peerbot – Catch Me If You Can.” Symantec. [Online] [Cited: 04 08, 2008.] http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf.

[5] Vaas, Lisa., Storm Worm Botnet Lobotomizing Anti-Virus Programs. eWeek. [Online] [Cited: 4 14, 2008.] http://www.eweek.com/c/a/Security/Storm-Worm-Botnet-Lobotomizing-AntiVirus-Programs/1/.

[6] BBC NEWS., “Storm chaos prompts virus surge.” BBC NEWS | Technology. [Online] [Cited: 04 10, 2008.] http://news.bbc.co.uk/1/hi/technology/6278079.stm.

[7] Gaudin, Sharon., Storm Worm Botnet More Powerful Than Top Supercomputers . InformationWeek. [Online] [Cited: 4 14, 2008.] http://www.informationweek.com/news/internet/showArticle.jhtml?articleID=201804528.

[8] Boldewin, Frank., “Peacomm.C – Cracking the nutshell.” Reconstructer.org. [Online] [Cited: 4 15, 2008.] www.reconstructer.org.

[9] Ferrie, Peter., “Attacks on Virtual Machines v2.” Attacks on Virtual Machines v2. [Online] [Cited: 4 15, 2008.] http://pferrie.tripod.com/papers/attacks2.pdf.

[10] Pearson, Douglas D., [unisog] [REN-ISAC] Storm Worm DDoS Threat to the EDU Sector. Sans.org. [Online] [Cited: 04 13, 2008.] http://lists.sans.org/pipermail/unisog/2007-August/027405.html.

[11] Spam Nation., 419Eater DDoS’d? Spam Nation. [Online] [Cited: 4 13, 2008.] http://www.spamnation.info/blog/archives/2007/09/419eater_ddosd.html.