The Uncanny Valley, art forgery, & love

Apply new wax to old wood
Creative Commons License photo credit: hans s

From Errol Morris’ “Bamboozling Ourselves (Part 2)” (The New York Times: 28 May 2009):

[Errol Morris:] The Uncanny Valley is a concept developed by the Japanese robot scientist Masahiro Mori. It concerns the design of humanoid robots. Mori’s theory is relatively simple. We tend to reject robots that look too much like people. Slight discrepancies and incongruities between what we look like and what they look like disturb us. The closer a robot resembles a human, the more critical we become, the more sensitive to slight discrepancies, variations, imperfections. However, if we go far enough away from the humanoid, then we much more readily accept the robot as being like us. This accounts for the success of so many movie robots — from R2-D2 to WALL-E. They act like humans but they don’t look like humans. There is a region of acceptability — the peaks around The Uncanny Valley, the zone of acceptability that includes completely human and sort of human but not too human. The existence of The Uncanny Valley also suggests that we are programmed by natural selection to scrutinize the behavior and appearance of others. Survival no doubt depends on such an innate ability.

EDWARD DOLNICK: [The art forger Van Meegeren] wants to avoid it. So his big challenge is he wants to paint a picture that other people are going to take as Vermeer, because Vermeer is a brand name, because Vermeer is going to bring him lots of money, if he can get away with it, but he can’t paint a Vermeer. He doesn’t have that skill. So how is he going to paint a picture that doesn’t look like a Vermeer, but that people are going to say, “Oh! It’s a Vermeer?” How’s he going to pull it off? It’s a tough challenge. Now here’s the point of The Uncanny Valley: as your imitation gets closer and closer to the real thing, people think, “Good, good, good!” — but then when it’s very close, when it’s within 1 percent or something, instead of focusing on the 99 percent that is done well, they focus on the 1 percent that you’re missing, and you’re in trouble. Big trouble.

Van Meegeren is trapped in the valley. If he tries for the close copy, an almost exact copy, he’s going to fall short. He’s going to look silly. So what he does instead is rely on the blanks in Vermeer’s career, because hardly anything is known about him; he’s like Shakespeare in that regard. He’ll take advantage of those blanks by inventing a whole new era in Vermeer’s career. No one knows what he was up to all this time. He’ll throw in some Vermeer touches, including a signature, so that people who look at it will be led to think, “Yes, this is a Vermeer.”

Van Meegeren was sometimes careful, other times astonishingly reckless. He could have passed certain tests. What was peculiar, and what was quite startling to me, is that it turned out that nobody ever did any scientific test on Van Meegeren, even the stuff that was available in his day, until after he confessed. And to this day, people hardly ever test pictures, even multi-million dollar ones. And I was so surprised by that that I kept asking, over and over again: why? Why would that be? Before you buy a house, you have someone go through it for termites and the rest. How could it be that when you’re going to lay out $10 million for a painting, you don’t test it beforehand? And the answer is that you don’t test it because, at the point of being about to buy it, you’re in love! You’ve found something. It’s going to be the high mark of your collection; it’s going to be the making of you as a collector. You finally found this great thing. It’s available, and you want it. You want it to be real. You don’t want to have someone let you down by telling you that the painting isn’t what you think it is. It’s like being newly in love. Everything is candlelight and wine. Nobody hires a private detective at that point. It’s only years down the road when things have gone wrong that you say, “What was I thinking? What’s going on here?” The collector and the forger are in cahoots. The forger wants the collector to snap it up, and the collector wants it to be real. You are on the same side. You think that it would be a game of chess or something, you against him. “Has he got the paint right?” “Has he got the canvas?” You’re going to make this checkmark and that checkmark to see if the painting measures up. But instead, both sides are rooting for this thing to be real. If it is real, then you’ve got a masterpiece. If it’s not real, then today is just like yesterday. You’re back where you started, still on the prowl.

What bots do and how they work

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

After successful exploitation, a bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), or CSend (an IRC extension to send files to other users, comparable to DCC) to transfer itself to the compromised host. The binary is started, and tries to connect to the hard-coded master IRC server. Often a dynamic DNS name is provided … rather than a hard coded IP address, so the bot can be easily relocated. … Using a special crafted nickname like USA|743634 or [UrX]-98439854 the bot tries to join the master’s channel, sometimes using a password to keep strangers out of the channel. …

Afterwards, the server accepts the bot as a client and sends him RPL_ISUPPORT, RPL_MOTDSTART, RPL_MOTD, RPL_ENDOFMOTD or ERR_NOMOTD. Replies starting with RPL_ contain information for the client, for example RPL_ISUPPORT tells the client which features the server understands and RPL_MOTD indicates the Message Of The Day (MOTD). …

On RPL_ENDOFMOTD or ERR_NOMOTD, the bot will try to join his master’s channel with the provided password …

The bot receives the topic of the channel and interprets it as a command: …

The first topic tells the bot to spread further with the help of the LSASS vulnerability. … the second example of a possible topic instructs the bot to download a binary from the web and execute it … And if the topic does not contain any instructions for the bot, then it does nothing but idling in the channel, awaiting commands. That is fundamental for most current bots: They do not spread if they are not told to spread in their master’s channel.
Upon successful exploitation the bot will message the owner about it, if it has been advised to do so. …

Then the IRC server (also called IRC daemon, abbreviated IRCd) will provide the channels userlist. But most botnet owners have modified the IRCd to just send the channel operators to save traffic and disguise the number of bots in the channel. …

The controller of a botnet has to authenticate himself to take control over the bots. …

… the “-s” switch in the last example tells the bots to be silent when authenticating their master. …

… Once an attacker is authenticated, they can do whatever they want with the bots … The IRC server that is used to connect all bots is in most cases a compromised box. … Only beginners start a botnet on a normal IRCd. It is just too obvious you are doing something nasty if you got 1.200 clients named as rbot-<6-digits> reporting scanning results in a channel. Two different IRC servers software implementation are commonly used to run a botnet: Unreal IRCd and ConferenceRoom:

  • Unreal IRCd ( is cross-platform and can thus be used to easily link machines running Windows and Linux. The IRC server software is stripped down and modified to fit the botnet owners needs. Common modifications we have noticed are stripping “JOIN”, “PART” and “QUIT” messages on channels to avoid unnecessary traffic. … able to serve 80.000 bots …
  • ConferenceRoom ( is a commercial IRCd solution, but people who run botnets typically use a cracked version. …

Different types of Bots

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

… some of the more widespread and well-known bots.

  • Agobot/Phatbot/Forbot/XtremBot

    … best known bot. … more than 500 known different versions of Agobot … written in C++ with cross-platform capabilities and the source code is put under the GPL. … structured in a very modular way, and it is very easy to add commands or scanners for other vulnerabilities … uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic. … can use NTFS Alternate Data Stream (ADS) and offers Rootkit capabilities like file and process hiding to hide it’s own presence … reverse engineering this malware is harder since it includes functions to detect debuggers (e.g. SoftICE and OllyDbg) and virtual machines (e.g. VMWare and Virtual PC). … the only bot that utilized a control protocol other than IRC. A fork using the distributed organized WASTE chat network is available.

  • SDBot/RBot/UrBot/UrXBot/…

    This family of malware is at the moment the most active one … seven derivatives … written in very poor C and also published under the GPL.

  • mIRC-based Bots – GT-Bots

    We subsume all mIRC-based bots as GT-bots … GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots. … mIRC-scripts, often having the extension “.mrc”, are used to control the bot.

  • DSNX Bots

    Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. … code is published under the GPL. … one major disadvantage: the default version does not come with any spreaders.

  • Q8 Bots

    only 926 lines of C-code. … written for Unix/Linux systems.

  • kaiten

    … lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file.

  • Perl-based bots

    … very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS-attacks) … used on Unix-based systems.

Uses of botnets

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

“A botnet is comparable to compulsory military service for windows boxes” – Stromberg

… Based on the data we captured, the possibilities to use botnets can be categorized as listed below. …

  1. Distributed Denial-of-Service Attacks

    Most commonly implemented and also very often used are TCP SYN and UDP flood attacks. Script kiddies apparently consider DDoS an appropriate solution to every social problem. … run commercial DDoS attacks against competing corporations … DDoS attacks are not limited to web servers, virtually any service available on the Internet can be the target of such an attack. … very specific attacks, such as running exhausting search queries on bulletin boards or recursive HTTP-floods on the victim’s website.

  2. Spamming

    open a SOCKS v4/v5 proxy … send massive amounts of bulk email … harvest email-addresses … phishing-mails

  3. Sniffing Traffic

    use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. … If a machine is compromised more than once and also a member of more than one botnet, the packet sniffing allows to gather the key information of the other botnet. Thus it is possible to “steal” another botnet.

  4. Keylogging
  5. Spreading new malware

    In most cases, botnets are used to spread new bots. … spreading an email virus using a botnet is a very nice idea

  6. Installing Advertisement Addons and Browser Helper Objects (BHOs)

    setting up a fake website with some advertisements … these clicks can be “automated” so that instantly a few thousand bots click on the pop-ups. … hijacks the start-page of a compromised machine so that the “clicks” are executed each time the victim uses the browser.

  7. Google AdSense abuse

    … leveraging his botnet to click on these advertisements in an automated fashion and thus artificially increments the click counter.

  8. Attacking IRC Chat Networks

    attacks against Internet Relay Chat (IRC) networks. … so called “clone attack”: In this kind of attack, the controller orders each bot to connect a large number of clones to the victim IRC network.

  9. Manipulating online polls/games

    Online polls/games are getting more and more attention and it is rather easy to manipulate them with botnets.

  10. Mass identity theft

    Bogus emails (“phishing mails”) … also host multiple fake websites pretending to be Ebay, PayPal, or a bank …

Who runs botnets?

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

An event that is not that unusual is that somebody steals a botnet from someone else. … bots are often “secured” by some sensitive information, e.g. channel name or server password. If one is able to obtain all this information, he is able to update the bots within another botnet to another bot binary, thus stealing the bots from another botnet. …

Something which is interesting, but rarely seen, is botnet owners discussing issues in their bot channel. …

Our observations showed that often botnets are run by young males with surprisingly limited programming skills. … we also observed some more advanced attackers: these persons join the control channel only seldom. They use only 1 character nicks, issue a command and leave afterwards. The updates of the bots they run are very professional. Probably these people use the botnets for commercial usage and “sell” the services. A low percentage use their botnets for financial gain. …

Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. … Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. …

… some attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon.

An analysis of botnets

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

A botnet is a network of compromised machines that can be remotely controlled by an attacker. … With the help of honeynets we can observe the people who run botnets … Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. …

We have identified many different versions of IRC-based bots … The bot joins a specific IRC channel on an IRC server and waits there for further commands. This allows an attacker to remotely control this bot and use it for fun and also for profit. Attackers even go a step further and bring different bots together. Such a structure, consisting of many compromised machines which can be managed from an IRC channel, is called a botnet. IRC is not the best solution since the communication between bots and their controllers is rather bloated, a simpler communication protocol would suffice. But IRC offers several advantages: IRC Servers are freely available and are easy to set up, and many attackers have years of IRC communication experience.

… Even a relatively small botnet with only 1000 bots can cause a great deal of damage. These 1000 bots have a combined bandwidth (1000 home PCs with an average upstream of 128KBit/s can offer more than 100MBit/s) that is probably higher than the Internet connection of most corporate systems. In addition, the IP distribution of the bots makes ingress filter construction, maintenance, and deployment difficult. In addition, incident response is hampered by the large number of separate organizations involved. Another use for botnets is stealing sensitive information or identity theft: Searching some thousands home PCs for password.txt, or sniffing their traffic, can be effective.

The spreading mechanisms used by bots is a leading cause for “background noise” on the Internet, especially on TCP ports 445 and 135. … These malware scan large network ranges for new vulnerable computers and infect them, thus acting similar to a worm or virus. … most traffic targets the ports used for resource sharing on machines running all versions of Microsoft’s Windows operating system …

The traffic on these four ports [445/TCP, 139/TCP, 137/UDP, 135/TCP] cause more then 80 percent of the whole traffic captured. …

Lessons Learned

  • Number of botnets

    … able to track little more than 100 botnets during the last four months. … at the moment we are tracking about 35 active botnets.

  • Number of hosts

    During these few months, we saw 226,585 unique IP addresses joining at least one of the channels we monitored. … If an IRCd is modified not to show joining clients in a channel, we don’t see IPs here. Furthermore some IRCds obfuscate the joining clients IP address and obfuscated IP addresses do not count as seen, too. … this would mean that more then one million hosts are compromised and can be controlled by malicious attackers.

  • Typical size of Botnets

    Some botnets consist of only a few hundred bots. In contrast to this, we have also monitored several large botnets with up to 50.000 hosts. … botnets with over several hundred thousands hosts have been reported in the past. … We know about a home computer which got infected by 16 (sic!) different bots, so its hard to make an estimation about world bot population here.

  • Dimension of DDoS-attacks

    From the beginning of November 2004 until the end of January 2005, we were able to observe 226 DDoS-attacks against 99 unique targets.

  • Spreading of botnets

    “.advscan lsass 150 5 0 -r -s” and other commands are the most frequent observed messages. Through this and similar commands, bots spread and search for vulnerable systems.

  • Harvesting of information

    … harvesting of information from all compromised machines. With the help of a command like “.getcdkeys” the operator of the botnet is able to request a list of CD-keys (e.g. for Windows or games) from all bots.

  • “Updates” within botnets

    … observed updates of botnets quite frequently. … bots are instructed to download a piece of software from the Internet and then execute it. … bots can be dynamically updated and be further enhanced. … In total, we have collected 329 binaries. … Most of the other binary files are either adware …, proxy servers … or Browser Helper Objects.

Robot on the run

From The Age:

Scientists running a pioneering experiment with “living robots” which think for themselves said they were amazed to find one escaping from the centre where it “lives”.

The small unit, called Gaak, was one of 12 taking part in a “survival of the fittest” test at the Magna science centre in Rotherham, South Yorkshire, which has been running since March.

Gaak made its bid for freedom yesterday after it had been taken out of the arena where hundreds of visitors watch the machines learning as they do daily battle for minor repairs.

Professor Noel Sharkey said he turned his back on the drone and returned 15 minutes later to find it had forced its way out of the small make-shift paddock it was being kept in.

He later found it had travelled down an access slope, through the front door of the centre and was eventually discovered at the main entrance to the car park when a visitor nearly flattened it with his car. …

And he added: “But there’s no need to worry, as although they can escape they are perfectly harmless and won’t be taking over just yet.”