A quick tutorial on writing a program that accepts plugins

On the CWE-LUG mailing list, someone asked a question about creating a program that can be extended with plugins. I thought the answer was so useful that I wanted to save it and make it available to others.

On 2/17/07, Mark wrote:

I’m a young programmer (just finishing high school) who has done a fair amount of programming with PHP, MySQL, and other web technologies. … How does one go about designing a program so it can be extended later with plugins, apis, and modules?

Ed Howland, veteran programmer, replied:

Mark, if I understand you correctly, you are seeking how to design a general purpose program that can be extended by others. It would help us to know what your target environment is. Especially if it is a dynamic language like Perl, Ruby or Python. Or a compiled language like Java or C/C++. The difference lies in linking others’ source code with yours; interpreted languages are easier in this respect.

That said, the general techniques are well-established. For purposes of illustration, I’ll call the code you are wanting to write the host (application) and the external modules, the guest (module). The basic idea is to use various callbacks into the guest module from the host application. But first the guest application must register itself with the host (see, it is like a hotel checkin…). This registration process can take many forms and is usually dictated by the programming environment. Anyway, the host maintains a list of registered guests. Each time a new guest registers, he is appended to said list.

Next, the host will then use the handle that represents the main object of the guest, and call an initialize routine in the guest. That routine sets stuff and gets a handle to the host so it can call things in the framework API to open windows, etc.

So the basic steps are:

  1. Devise a registration process
  2. Maintain a list of registered guest modules
  3. When starting, loop over your registered guests and call their initialize routines
    1. When a guest’s initialize routine is called, it calls pre-defined host API calls to open windows, or other things.
    2. These might cause the framework (in the host) to callback to the guest to display the window, and paint the contents of the windows.

You want to make your plugin callback interface as narrow as possible. And you want your host API to be simple to create widgets, windows, whatever in a few easy steps. If using an O-O language like Java or C#, use interfaces for both the IPlugin (guest) and IPluginHost (host), and guest module writers will inherit from or implement those interfaces. Ideally, the minimal IPlugin interface could be as small as init() and destroy() (if destroy is needed).

Finally, if starting fresh, you might think about designing your entire application to nothing but the framework and your own pieces will simply be plugins.

The hard part is the registration process. Do you allow files to be uploaded to a web server? Does it write and re-read a config file listing plugins? I haven’t looked at DotNuke or PHPNuke or Typo, WordPress or any of the other ones. But the answer is in there.

Ruby on Rails has a built-in plugin architecture, but not one that you can upload files to, at least not w/o restarting the RoR app itself, IIRC. It looks in a subdirectory for plugin subdirs for a file called init.rb. It just executes whatever is in that file.

http://en.wikipedia.org/wiki/Plugin
http://codex.wordpress.org/Writing_a_Plugin
http://www.codeguru.com/Cpp/misc/misc/plug-insadd-ins/article.php/c3879/

HTH, somewhat.

Ed
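The host/guest skeleton Ed describes (a registration list, an init loop over the guests, narrow IPlugin and IPluginHost interfaces, and callbacks from the framework into the guest) as an added example in Python; this is not code from the mailing-list thread. Assumed details: the host API is just open_window() and log(), each guest receives a per-guest handle so the host can attribute every call, a guest whose init() raises is recorded and skipped rather than allowed to take the host down, and destroy() is left out for brevity.

```python
from __future__ import annotations
import abc
from typing import Callable

class IPlugin(abc.ABC):
    """Guest side: the narrow callback interface, here just init()."""
    name: str = "unnamed"

    @abc.abstractmethod
    def init(self, host: IPluginHost) -> None: ...

class IPluginHost(abc.ABC):
    """Host side: the small API a guest is allowed to call."""
    @abc.abstractmethod
    def open_window(self, title: str, painter: Callable[[], str]) -> int: ...

    @abc.abstractmethod
    def log(self, message: str) -> None: ...

class _GuestHandle(IPluginHost):
    """What a guest actually receives: only the host API, with every call
    tagged with the guest's name so the host can attribute it."""
    def __init__(self, host: Host, guest: IPlugin) -> None:
        self._host, self._guest = host, guest

    def open_window(self, title: str, painter: Callable[[], str]) -> int:
        return self._host._open_window(self._guest.name, title, painter)

    def log(self, message: str) -> None:
        self._host._log(self._guest.name, message)

class Host:
    def __init__(self) -> None:
        self._guests: list[IPlugin] = []   # step 2: the list of registered guests
        self._windows: dict[int, tuple[str, str, Callable[[], str]]] = {}
        self.log_lines: list[str] = []

    # Step 1: registration. The host keeps an explicit list; nothing runs just
    # because a file happens to sit in a plugin directory.
    def register(self, plugin: IPlugin) -> None:
        if not isinstance(plugin, IPlugin):
            raise TypeError(f"{plugin!r} does not implement IPlugin")
        self._guests.append(plugin)

    # Step 3: loop over the guests and call their initialize routines. A guest
    # that raises is recorded and skipped so it cannot take the host down.
    def start(self) -> dict[str, str]:
        status: dict[str, str] = {}
        for guest in self._guests:
            try:
                guest.init(_GuestHandle(self, guest))
                status[guest.name] = "ok"
            except Exception as exc:
                status[guest.name] = f"failed: {exc}"
                self._log("host", f"plugin {guest.name} failed to initialize: {exc}")
        return status

    # Step 3.2: the framework calls back into each guest to paint its window.
    def paint_all(self) -> dict[int, str]:
        return {wid: f"[{title}] {painter()}"
                for wid, (_owner, title, painter) in self._windows.items()}

    # Host API implementations, reachable only through _GuestHandle.
    def _open_window(self, owner: str, title: str, painter: Callable[[], str]) -> int:
        wid = len(self._windows) + 1
        self._windows[wid] = (owner, title, painter)
        self._log(owner, f"opened window {wid} {title!r}")
        return wid

    def _log(self, owner: str, message: str) -> None:
        self.log_lines.append(f"{owner}: {message}")

# Two constructed guests: one well-behaved, one that fails in init().
class HelloPlugin(IPlugin):
    name = "hello"

    def init(self, host: IPluginHost) -> None:
        host.open_window("Hello", lambda: "hello from the guest")
        host.log("initialized")

class BrokenPlugin(IPlugin):
    name = "broken"

    def init(self, host: IPluginHost) -> None:
        raise RuntimeError("config missing")

def demo() -> tuple[dict[str, str], dict[int, str], list[str]]:
    host = Host()
    host.register(HelloPlugin())
    host.register(BrokenPlugin())
    status = host.start()
    return status, host.paint_all(), host.log_lines
```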

All stories have the same basic plots

From Ask Yahoo (5 March 2007):

There are only so many ways to construct a story.

Writers who believe there’s only one plot argue all stories “stem from conflict.” True enough, but we’re more inclined to back the theory you mention about seven plot lines.

According to the Internet Public Library, they are:

1. [wo]man vs. nature
2. [wo]man vs. man
3. [wo]man vs. the environment
4. [wo]man vs. machines/technology
5. [wo]man vs. the supernatural
6. [wo]man vs. self
7. [wo]man vs. god/religion

Ronald Tobias, author of “Twenty Basic Plots” believes the following make for good stories: quest, adventure, pursuit, rescue, escape, revenge, riddle, rivalry, underdog, temptation, metamorphosis, transformation, maturation, love, forbidden love, sacrifice, discovery, wretched excess, ascension, and decision.

3 problems with electronic voting

From Avi Rubin’s “Voting: Low-Tech Is the Answer” (Business Week: 30 October 2006):

Unfortunately, there are three problems with electronic voting that have nothing to do with whether or not the system works as intended. They are transparency, recovery, and audit. …

Electronic voting is not transparent – it is not even translucent. There is no way to observe the counting of the votes publicly, and you can’t even tell if the votes are being recorded correctly. …

Now, what do we do if something goes very wrong during the election? What happens if the equipment fails or there is a power outage?

Let’s compare electronic voting machines to paper ballots. If an e-voting machine crashes, it is possible that the memory cards containing the votes could be corrupted. Something as unexpected as someone spilling coffee on the machine could cause it to fail.

There are dozens of ways one could imagine that an electronic voting machine could be rendered a paperweight. Imagine, for example, a widespread power outage on Election Day. How do you continue the election? What can you do to recover votes already cast? …

I don’t feel very good about the only copies of all of the votes in a precinct existing in electronic form on flash memory cards. … If we have paper ballots and the power goes out, we can get some flashlights and continue voting.

Electronic voting is vulnerable to all sorts of problems, many of which cannot be anticipated. For example, in Maryland’s September primary, voting systems were delivered to the precincts in Montgomery County without the smart cards needed to activate the votes. As a result, the polls opened hours late, and thousands of voters were affected.

There was no quick and easy recovery mechanism. It is true that the problem was due to human error, but that does not change the fact that there was no way to recover. Paper ballot systems are much less fragile and can withstand many of the unexpected problems that might arise on Election Day. …

Finally, and I believe most seriously, there is no way to independently audit a fully electronic voting system. While it is true that many of the machines keep multiple copies of the votes, these copies are not independent. If the machines are rigged, or if they suffer from unknown software bugs …, the election results might not reflect the votes that were cast, despite all of the copies of the votes being identical.

On the other hand, electronic counting of paper ballots can be audited by manually counting the paper and comparing the results to the electronic tally. It is imperative, in fact, that every software-based system be audited in a manner that is independent from the data that are the subject of the audit.

The final moment of tragedy

From Northrop Frye’s “The Mythos of Autumn: Tragedy” (128):

The moment of discovery or ‘anagnorisis’, which comes at the end of the tragic plot, is not simply the knowledge by the hero of what has happened to him … but the recognition of the determined shape of the life he has created for himself, with an implicit comparison with the uncreated potential life he has forsaken.

Spimes, objects trackable in space and time

From Bruce Sterling’s “Viridian Note 00459: Emerging Technology 2006” (The Viridian Design Movement: March 2006):

When it comes to remote technical eventualities, you don’t want to freeze the language too early. Instead, you need some empirical evidence on the ground, some working prototypes, something commercial, governmental, academic or military…. Otherwise you are trying to freeze an emergent technology into the shape of today’s verbal descriptions. This prejudices people. It is bad attention economics. It limits their ability to find and understand the intrinsic advantages of the technology. …

If you look at today’s potent, influential computer technologies, say, Google, you’ve got something that looks Artificially Intelligent by the visionary standards of the 1960s. Google seems to “know” most everything about you and me, big brother: Google is like Colossus the Forbin Project. But Google is not designed or presented as a thinking machine. Google is not like Ask Jeeves or Microsoft Bob, which horribly pretend to think, and wouldn’t fool a five-year-old child. Google is a search engine. It’s a linking, ranking and sorting machine. …

Even if there’s like, Boolean logic going on here, this machine has got nothing to do with any actual thinking. This machine is clearly a big card shuffler. It’s a linker, a stacker and a sorter. …

In the past, they just didn’t get certain things. For instance:

1. the digital devices people carry around with them, such as laptops, media players, camera phones, PDAs.
2. wireless and wired local and global networks that serve people in various locations as they and their objects and possessions move about the world.
3. the global Internet and its socially-generated knowledge and Web-based, on-demand social applications.

This is a new technosocial substrate. It’s not about intelligence, yet it can change our relationship with physical objects in the three-dimensional physical world. Not because it’s inside some box trying to be smart, but because it’s right out in the world with us, in our hands and pockets and laps, linking and tracking and ranking and sorting.

Doing this work, in, I think, six important ways:

1. with interactive chips, objects can be labelled with unique identity – electronic barcoding or arphids, a tag that you can mark, sort, rank and shuffle.
2. with local and precise positioning systems – geolocative systems, sorting out where you are and where things are.
3. with powerful search engines – auto-googling objects, more sorting and shuffling.
4. with cradle to cradle recycling – sustainability, transparent production, sorting and shuffling the garbage.

Then there are two other new factors in the mix.

5. 3d virtual models of objects – virtual design – cad-cam, having things present as virtual objects in the network before they become physical objects.
6. rapid prototyping of objects – fabjects, blobjects, the ability to digitally manufacture real-world objects directly or almost directly from the digital plans.

If objects had these six qualities, then people would interact with objects in an unprecedented way, a way so strange and different that we’d think about it better if this class of object had its own name. I call an object like this a “spime,” because an object like this is trackable in space and time. …

“Spimes are manufactured objects whose informational support is so overwhelmingly extensive and rich that they are regarded as material instantiations of an immaterial system. Spimes begin and end as data. They’re virtual objects first and actual objects second.” …

“The primary advantage of an Internet of Things is that I no longer inventory my possessions inside my own head. They’re inventoried through an automagical inventory voodoo, work done far beneath my notice by a host of machines. So I no longer bother to remember where I put things. Or where I found them. Or how much they cost. And so forth. I just ask. Then I am told with instant real-time accuracy. …

It’s [spimes] turning into what Julian Bleecker calls a “Theory Object,” which is an idea which is not just a mental idea or a word, but a cloud of associated commentary and data, that can be passed around from mouse to mouse, and linked-to. Every time I go to an event like this, the word “spime” grows as a Theory Object. A Theory Object is a concept that’s accreting attention, and generating visible, searchable, rankable, trackable trails of attention. …

It takes 10 years to develop expertise

From Peter Norvig’s “Teach Yourself Programming in Ten Years” (2001):

Researchers ([John R. Hayes, Complete Problem Solver (Lawrence Erlbaum) 1989.], [Benjamin Bloom (ed.), Developing Talent in Young People (Ballantine) 1985.]) have shown it takes about ten years to develop expertise in any of a wide variety of areas, including chess playing, music composition, painting, piano playing, swimming, tennis, and research in neuropsychology and topology. There appear to be no real shortcuts: even Mozart, who was a musical prodigy at age 4, took 13 more years before he began to produce world-class music. In another genre, the Beatles seemed to burst onto the scene with a string of #1 hits and an appearance on the Ed Sullivan show in 1964. But they had been playing small clubs in Liverpool and Hamburg since 1957, and while they had mass appeal early on, their first great critical success, Sgt. Peppers, was released in 1967. Samuel Johnson thought it took longer than ten years: “Excellence in any department can be attained only by the labor of a lifetime; it is not to be purchased at a lesser price.” And Chaucer complained “the lyf so short, the craft so long to lerne.”

What is Web 2.0?

From Bruce Sterling’s “Viridian Note 00459: Emerging Technology 2006” (The Viridian Design Movement: March 2006):

Here we’ve got the canonical Tim O’Reilly definition of Web 2.0:

“Web 2.0 is the network as platform, spanning all connected devices; Web 2.0 applications are those that make the most of the intrinsic advantages of that platform: delivering software as a continually-updated service that gets better the more people use it, consuming and remixing data from multiple sources, including individual users, while providing their own data and services in a form that allows remixing by others, creating network effects through an ‘architecture of participation,’ and going beyond the page metaphor of Web 1.0 to deliver rich user experiences.”

Warning signs of an incipient serial killer

From Wikipedia’s “MacDonald triad” (26 July 2006):

The MacDonald triad consists of three major personality traits in children that are said to be warning signs for the tendency to become a serial killer. They were first described by J. M. MacDonald in his article “The Threat to Kill” in the American Journal of Psychiatry.

  • Firestarting, invariably just for the thrill of destroying things.
  • Cruelty to animals. Many children can be cruel to animals, such as pulling the legs off of spiders, but future serial killers often kill larger animals, like dogs and cats, and frequently for their solitary enjoyment rather than to impress peers.
  • Bedwetting beyond the age when children normally grow out of such behaviour.

Types of open source licenses

From Eric Steven Raymond’s “Varieties of Open-Source Licensing” (The Art of Unix Programming: 19 September 2003):

MIT or X Consortium License

The loosest kind of free-software license is one that grants unrestricted rights to copy, use, modify, and redistribute modified copies as long as a copy of the copyright and license terms is retained in all modified versions. But when you accept this license you do give up the right to sue the maintainers. …

BSD Classic License

The next least restrictive kind of license grants unrestricted rights to copy, use, modify, and redistribute modified copies as long as a copy of the copyright and license terms is retained in all modified versions, and an acknowledgment is made in advertising or documentation associated with the package. Grantee has to give up the right to sue the maintainers. … Note that in mid-1999 the Office of Technology Transfer of the University of California rescinded the advertising clause in the BSD license. …

Artistic License

The next most restrictive kind of license grants unrestricted rights to copy, use, and locally modify. It allows redistribution of modified binaries, but restricts redistribution of modified sources in ways intended to protect the interests of the authors and the free-software community. …

General Public License

The GNU General Public License (and its derivative, the Library or “Lesser” GPL) is the single most widely used free-software license. Like the Artistic License, it allows redistribution of modified sources provided the modified files bear “prominent notice”.

The GPL requires that any program containing parts that are under GPL be wholly GPLed. (The exact circumstances that trigger this requirement are not perfectly clear to everybody.)

These extra requirements actually make the GPL more restrictive than any of the other commonly used licenses. …

Mozilla Public License

The Mozilla Public License supports software that is open source, but may be linked with closed-source modules or extensions. It requires that the distributed software (“Covered Code”) remain open, but permits add-ons called through a defined API to remain closed. …

The real solution to identity theft: bank liability

From Bruce Schneier’s “Mitigating Identity Theft” (Crypto-Gram: 15 April 2005):

The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. …

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. …

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. …

The second issue is the ease with which a criminal can use personal data to commit fraud. …

Proposed fixes tend to concentrate on the first issue — making personal data harder to steal — whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

… That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

… The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions.

When people feel secure, they’re easier targets

From Bruce Schneier’s “Burglars and ‘Feeling Secure’” (Crypto-Gram: 15 January 2005):

This quote is from “Confessions of a Master Jewel Thief,” by Bill Mason (Villard, 2003): “Nothing works more in a thief’s favor than people feeling secure. That’s why places that are heavily alarmed and guarded can sometimes be the easiest targets. The single most important factor in security — more than locks, alarms, sensors, or armed guards — is attitude. A building protected by nothing more than a cheap combination lock but inhabited by people who are alert and risk-aware is much safer than one with the world’s most sophisticated alarm system whose tenants assume they’re living in an impregnable fortress.”

The author, a burglar, found that luxury condos were an excellent target. Although they had much more security technology than other buildings, they were vulnerable because no one believed a thief could get through the lobby.

Clay Shirky on flaming & how to combat it

From Clay Shirky’s “Group as User: Flaming and the Design of Social Software” (Clay Shirky’s Writings About the Internet: 5 November 2004):

Learning From Flame Wars

Mailing lists were the first widely available piece of social software. … Mailing lists were also the first widely analyzed virtual communities. …

Flame wars are not surprising; they are one of the most reliable features of mailing list practice. If you assume a piece of software is for what it does, rather than what its designer’s stated goals were, then mailing list software is, among other things, a tool for creating and sustaining heated argument. …

… although the environment in which a mailing list runs is computers, the environment in which a flame war runs is people. …

The user’s mental model of a word processor is of limited importance — if a word processor supports multiple columns, users can create multiple columns; if not, then not. The users’ mental model of social software, on the other hand, matters enormously. For example, ‘personal home pages’ and weblogs are very similar technically — both involve local editing and global hosting. The difference between them was mainly in the user’s conception of the activity. …

… The cumulative effect is to make maximizing individual flexibility a priority, even when that may produce conflict with the group goals.

Netiquette and Kill Files

The first general response to flaming was netiquette. Netiquette was a proposed set of behaviors that assumed that flaming was caused by (who else?) individual users. If you could explain to each user what was wrong with flaming, all users would stop.

This mostly didn’t work. The problem was simple — the people who didn’t know netiquette needed it most. They were also the people least likely to care about the opinion of others …

… Addressing the flamer directly works not because he realizes the error of his ways, but because it deprives him of an audience. Flaming is not just personal expression, it is a kind of performance, brought on in a social context.

… People behave differently in groups, and while momentarily engaging them one-on-one can have a calming effect, that is a change in social context, rather than some kind of personal conversion. …

Another standard answer to flaming has been the kill file, sometimes called a bozo filter, which is a list of posters whose comments you want filtered by the software before you see them. …

… And although people have continually observed (for thirty years now) that “if everyone just ignores user X, he will go away,” the logic of collective action makes that outcome almost impossible to orchestrate — it only takes a couple of people rising to bait to trigger a flame war, and the larger the group, the more difficult it is to enforce the discipline required of all members.

The Tragedy of the Conversational Commons

Briefly stated, the tragedy of the commons occurs when a group holds a resource, but each of the individual members has an incentive to overuse it. …

In the case of mailing lists (and, again, other shared conversational spaces), the commonly held resource is communal attention. The group as a whole has an incentive to keep the signal-to-noise ratio high and the conversation informative, even when contentious. Individual users, though, have an incentive to maximize expression of their point of view, as well as maximizing the amount of communal attention they receive. It is a deep curiosity of the human condition that people often find negative attention more satisfying than inattention, and the larger the group, the likelier someone is to act out to get that sort of attention.

However, proposed responses to flaming have consistently steered away from group-oriented solutions and towards personal ones. …

Weblog and Wiki Responses

… Weblogs are relatively flame-free because they provide little communal space. In economic parlance, weblogs solve the tragedy of the commons through enclosure, the subdividing and privatizing of common space. …

Like weblogs, wikis also avoid the tragedy of the commons, but they do so by going to the other extreme. Instead of everything being owned, nothing is. Whereas a mailing list has individual and inviolable posts but communal conversational space, in wikis, even the writing is communal. … it is actually easier to restore damage than cause it. …

Weblogs and wikis are proof that you can have broadly open discourse without suffering from hijacking by flamers, by creating a social structure that encourages or deflects certain behaviors.

The Cold War as game theory

From Charles Platt’s “The Profits of Fear” (August 2005):

Game theory began with the logical proposition that in a strategic two-player game, either player may try to obtain an advantage by bluffing. If the stakes are low, perhaps you can take a chance on trusting your opponent when he makes a seemingly fair and decent offer; but when the penalty for being deceived can be nuclear annihilation, taking a chance is out of the question. You work on the principle that the person you are dealing with may be utterly ruthless, unethical, and untrustworthy, no matter how peaceful his intentions may seem. You also have to assume that he may be smart enough to use game theory just like you; and therefore, he will assume that _you_ are ruthless, unethical, and untrustworthy, no matter how peaceful _your_ intentions may seem. In this way a supposedly rational system of assessment leads to a highly emotional outcome in which trust becomes impossible and strategy is based entirely on fear. This is precisely what happened during the decades of the Cold War.

3 English words with the most meanings

From Tim Bray’s “On Search: Squirmy Words” (29 June 2003):

First of all, the words that have the most variation in meaning and the most collisions with other words are the common ones. In the Oxford English Dictionary, the three words with the longest entries (i.e. largest number of meanings) are “set,” “run,” and “get.”

Language & grammar types: inflected, agglutinative, & analytic

From Tim Bray’s “On Search: Squirmy Words” (29 June 2003):

Of course, the way that words twist and turn around is highly language-dependent. English is what’s called an “inflected” language, which is to say words change their form depending on their grammatical role: verb conjugation, singular/plural, and so on. (Interestingly, “inflection” has a common variant spelling: “inflexion”.) Other languages (for example Turkish and Finnish) are “agglutinative”, where words are formed by combining “morphemes.” The third most common category of languages is “analytic” or “isolating”, where words do not change and grammatical roles are established by sequences of words. The best-known example is written Chinese.

What bots do and how they work

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

After successful exploitation, a bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), or CSend (an IRC extension to send files to other users, comparable to DCC) to transfer itself to the compromised host. The binary is started, and tries to connect to the hard-coded master IRC server. Often a dynamic DNS name is provided … rather than a hard coded IP address, so the bot can be easily relocated. … Using a special crafted nickname like USA|743634 or [UrX]-98439854 the bot tries to join the master’s channel, sometimes using a password to keep strangers out of the channel. …

Afterwards, the server accepts the bot as a client and sends him RPL_ISUPPORT, RPL_MOTDSTART, RPL_MOTD, RPL_ENDOFMOTD or ERR_NOMOTD. Replies starting with RPL_ contain information for the client, for example RPL_ISUPPORT tells the client which features the server understands and RPL_MOTD indicates the Message Of The Day (MOTD). …

On RPL_ENDOFMOTD or ERR_NOMOTD, the bot will try to join his master’s channel with the provided password …

The bot receives the topic of the channel and interprets it as a command: …

The first topic tells the bot to spread further with the help of the LSASS vulnerability. … the second example of a possible topic instructs the bot to download a binary from the web and execute it … And if the topic does not contain any instructions for the bot, then it does nothing but idle in the channel, awaiting commands. That is fundamental for most current bots: They do not spread if they are not told to spread in their master’s channel.

Upon successful exploitation the bot will message the owner about it, if it has been advised to do so. …

Then the IRC server (also called IRC daemon, abbreviated IRCd) will provide the channel’s userlist. But most botnet owners have modified the IRCd to just send the channel operators to save traffic and disguise the number of bots in the channel. …

The controller of a botnet has to authenticate himself to take control over the bots. …

… the “-s” switch in the last example tells the bots to be silent when authenticating their master. …

… Once an attacker is authenticated, they can do whatever they want with the bots … The IRC server that is used to connect all bots is in most cases a compromised box. … Only beginners start a botnet on a normal IRCd. It is just too obvious you are doing something nasty if you got 1.200 clients named as rbot-<6-digits> reporting scanning results in a channel. Two different IRC server software implementations are commonly used to run a botnet: Unreal IRCd and ConferenceRoom:

  • Unreal IRCd (http://www.unrealircd.com/) is cross-platform and can thus be used to easily link machines running Windows and Linux. The IRC server software is stripped down and modified to fit the botnet owner’s needs. Common modifications we have noticed are stripping “JOIN”, “PART” and “QUIT” messages on channels to avoid unnecessary traffic. … able to serve 80.000 bots …
  • ConferenceRoom (http://www.webmaster.com/) is a commercial IRCd solution, but people who run botnets typically use a cracked version. …
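The join sequence quoted above (a patterned NICK, the server’s RPL_ISUPPORT and MOTD replies, a keyed JOIN as soon as RPL_ENDOFMOTD or ERR_NOMOTD arrives, then a channel topic that reads as a command) is what a network sensor can key on. The session-level detector below is an added example, not code from the Honeynet paper: the nickname patterns are built from the nicknames the text quotes (USA|743634, [UrX]-98439854, rbot-<6-digits>), the executable-URL heuristic for a command-like topic is an assumption, and both sessions are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Nickname shapes the Honeynet text quotes: USA|743634, [UrX]-98439854, rbot-<6 digits>.
BOT_NICK_RE = re.compile(r"""^(?:
      [A-Z]{2,3}\|\d{5,}        # country tag, pipe, counter
    | \[[A-Za-z]+\]-\d{5,}      # [tag]-counter
    | [a-z]+bot-\d{6}           # rbot-123456
)$""", re.VERBOSE)
# Assumed heuristic: a topic carrying a URL to an executable reads as a command.
EXE_URL_RE = re.compile(r"https?://\S+\.(?:exe|scr|dll)\b", re.I)
END_OF_MOTD = {"376", "422"}   # RPL_ENDOFMOTD, ERR_NOMOTD
RPL_TOPIC = "332"


@dataclass
class Session:
    nick: Optional[str] = None
    last_numeric: Optional[str] = None   # last server numeric seen before a JOIN
    joined_with_key: bool = False
    joined_on_motd_end: bool = False
    topic: Optional[str] = None
    findings: list = field(default_factory=list)


def _params(line: str) -> list:
    """Split an IRC line into params, keeping a trailing ':text' param whole."""
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return params


def analyse(lines: list) -> Session:
    """Walk one client session: 'C: ' is client->server, 'S: ' is server->client."""
    s = Session()
    for raw in lines:
        direction, _, line = raw.partition(": ")
        p = _params(line)
        if direction == "C":
            cmd = p[0].upper() if p else ""
            if cmd == "NICK" and len(p) > 1:
                s.nick = p[1]
            elif cmd == "JOIN":
                s.joined_with_key = len(p) >= 3          # JOIN #chan <key>
                s.joined_on_motd_end = s.last_numeric in END_OF_MOTD
        elif direction == "S" and len(p) > 1 and p[1].isdigit():
            s.last_numeric = p[1]                        # ':server 332 nick #chan :topic'
            if p[1] == RPL_TOPIC:
                s.topic = p[-1]
    if s.nick and BOT_NICK_RE.match(s.nick):
        s.findings.append("bot-style nickname")
    if s.joined_with_key and s.joined_on_motd_end:
        s.findings.append("keyed JOIN immediately after end of MOTD")
    if s.topic and EXE_URL_RE.search(s.topic):
        s.findings.append("channel topic carries a URL to an executable")
    return s


def is_suspicious(s: Session) -> bool:
    """Two or more independent indicators before we raise an alert."""
    return len(s.findings) >= 2


# Constructed sessions (not captured traffic): one bot-like, one ordinary user.
BOT_SESSION = [
    "C: NICK USA|743634",
    "C: USER x 0 * :x",
    "S: :irc.example.invalid 001 USA|743634 :Welcome",
    "S: :irc.example.invalid 005 USA|743634 CHANTYPES=# :are supported by this server",
    "S: :irc.example.invalid 375 USA|743634 :- Message of the day",
    "S: :irc.example.invalid 372 USA|743634 :- hello",
    "S: :irc.example.invalid 376 USA|743634 :End of /MOTD command.",
    "C: JOIN #c s3cret",
    "S: :irc.example.invalid 332 USA|743634 #c :update http://host.invalid/update.exe",
]
HUMAN_SESSION = [
    "C: NICK alice",
    "C: USER alice 0 * :Alice",
    "S: :irc.example.invalid 001 alice :Welcome",
    "S: :irc.example.invalid 422 alice :MOTD File is missing",
    "C: PRIVMSG bob :hi",
    "C: JOIN #chat",
    "S: :irc.example.invalid 332 alice #chat :Welcome to #chat",
]
```

Stripped JOIN/PART/QUIT traffic, the IRCd modification the text mentions, would not hide the client’s own NICK, JOIN and topic lines, which is why the detector keys on those.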

Different types of Bots

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

… some of the more widespread and well-known bots.

  • Agobot/Phatbot/Forbot/XtremBot

    … best known bot. … more than 500 known different versions of Agobot … written in C++ with cross-platform capabilities and the source code is put under the GPL. … structured in a very modular way, and it is very easy to add commands or scanners for other vulnerabilities … uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic. … can use NTFS Alternate Data Stream (ADS) and offers Rootkit capabilities like file and process hiding to hide its own presence … reverse engineering this malware is harder since it includes functions to detect debuggers (e.g. SoftICE and OllyDbg) and virtual machines (e.g. VMWare and Virtual PC). … the only bot that utilized a control protocol other than IRC. A fork using the distributed organized WASTE chat network is available.

  • SDBot/RBot/UrBot/UrXBot/…

    This family of malware is at the moment the most active one … seven derivatives … written in very poor C and also published under the GPL.

  • mIRC-based Bots – GT-Bots

    We subsume all mIRC-based bots as GT-bots … GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots. … mIRC-scripts, often having the extension “.mrc”, are used to control the bot.

  • DSNX Bots

    Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. … code is published under the GPL. … one major disadvantage: the default version does not come with any spreaders.

  • Q8 Bots

    only 926 lines of C-code. … written for Unix/Linux systems.

  • kaiten

    … lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file.

  • Perl-based bots

    … very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS-attacks) … used on Unix-based systems.


Uses of botnets

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

“A botnet is comparable to compulsory military service for windows boxes” – Stromberg

… Based on the data we captured, the possibilities to use botnets can be categorized as listed below. …

  1. Distributed Denial-of-Service Attacks

    Most commonly implemented and also very often used are TCP SYN and UDP flood attacks. Script kiddies apparently consider DDoS an appropriate solution to every social problem. … run commercial DDoS attacks against competing corporations … DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. … very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim’s website.

  2. Spamming

    open a SOCKS v4/v5 proxy … send massive amounts of bulk email … harvest email-addresses … phishing-mails

  3. Sniffing Traffic

    use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. … If a machine is compromised more than once and also a member of more than one botnet, the packet sniffing allows one to gather the key information of the other botnet. Thus it is possible to “steal” another botnet.

  4. Keylogging
  5. Spreading new malware

    In most cases, botnets are used to spread new bots. … spreading an email virus using a botnet is a very nice idea

  6. Installing Advertisement Addons and Browser Helper Objects (BHOs)

    setting up a fake website with some advertisements … these clicks can be “automated” so that instantly a few thousand bots click on the pop-ups. … hijacks the start-page of a compromised machine so that the “clicks” are executed each time the victim uses the browser.

  7. Google AdSense abuse

    … leveraging his botnet to click on these advertisements in an automated fashion and thus artificially incrementing the click counter.

  8. Attacking IRC Chat Networks

    attacks against Internet Relay Chat (IRC) networks. … so called “clone attack”: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network.

  9. Manipulating online polls/games

    Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets.

  10. Mass identity theft

    Bogus emails (“phishing mails”) … also host multiple fake websites pretending to be eBay, PayPal, or a bank …


Who runs botnets?

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

An event that is not that unusual is that somebody steals a botnet from someone else. … bots are often “secured” by some sensitive information, e.g. channel name or server password. If one is able to obtain all this information, he is able to update the bots within another botnet to another bot binary, thus stealing the bots from another botnet. …

Something which is interesting, but rarely seen, is botnet owners discussing issues in their bot channel. …

Our observations showed that often botnets are run by young males with surprisingly limited programming skills. … we also observed some more advanced attackers: these persons join the control channel only seldom. They use only 1 character nicks, issue a command and leave afterwards. The updates of the bots they run are very professional. Probably these people use the botnets for commercial usage and “sell” the services. A low percentage use their botnets for financial gain. …

Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. … Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. …

… some attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon.
