Projects: The personal costs

When you do open source development, especially as an independent developer, there is a constant struggle to balance work against personal obligations. As any open source developer will tell you, 99% of the time the projects we develop fall strictly into the realm of personal time, no matter how much they apply to our field of work. It is difficult to justify the time required to maintain one project, let alone a series of active ones, when you also work a full-time job while trying to keep some semblance of a life.

So, when something you are truly passionate about constantly rubs up against the barrier of your job and ever more limited personal time, you start to question, or more importantly look for change in, how you manage that passion. That is what I am currently faced with: the projects consume an increasing amount of my personal time on evenings and weekends, which has been the case for a long time, but recently priorities and life have changed such that I can no longer allow it. I have managed these projects for almost 8 years, which I would not change for anything; I have loved working on them and still do. However, the time has come to set measurable, tangible goals for the cost of maintaining these projects, which would allow me, permitting donations or sponsors, to create dedicated time within my work week to manage the projects with focus strictly on them.

That said, I am seeking about $1,000 USD per month in donations or month-to-month sponsorships (all sponsors will be duly pimped out on the site with a widget and on each project page); at the moment donations average only about $50-200 per month, and that varies widely month-to-month, usually towards the lower end. How did I come up with this amount? Well, it is simply a goal, a target, that reflects the amount of time I spend on the projects per month (about 60 hours) and what I believe would allow me to take time out of other areas of my life to dedicate that amount of time consistently every month. This would make continuing to work on the projects much easier on me personally, easier on those in my life and easier on me occupationally and financially.

There is now a donation tracker widget on the right sidebar of the site; it simply uses PayPal as the checkout process, and the tracker resets every 30 days. If you are interested in becoming a regular contributor or sponsor, please email me at ryan at rfxn.com to discuss it. Thank you in advance for your understanding.

Bot Networks: Jacking the Jackers

One of the more interesting parts of my malware hunting routine is when I notice new command & control hubs for bot networks in the source of ircbot malware samples. I am not the type to just look and not play; I always dive into these networks and poke around. It gets really fun when the attackers get lazy, think they are untouchable, and leave their IRC networks open with a series of simple administrator nicknames that can be used to control the bots on the network.

So, what I sometimes do is sign into these IRC networks, monitor and log them for a little while for abuse reporting purposes to the network hosting them, and then literally jack the network from under the attacker and make every single bot exit by telling all the bots to run e.g. "killall -9 perl", which terminates the bot program. Some of the rage from these little kiddies is obscene, but at the same time it is incredibly fun to watch prepubescent teens get mad over shit they should rightly be tossed into jail for.

Now, on occasion this does backfire on me: I have had my home internet DDoSed to death more than a few times, to the point where I had to unplug my cable modem for hours so the DHCP lease would expire and I would get a new IP. It is still worth it, and incredibly fun, to ruin these kiddies' week or month, with all the hard work they put into amassing hundreds upon hundreds of zombies in these bot networks. Just as fun is when the kiddies think they have you all figured out and have locked the bot network down, and you get a reply from a network administrator at the company you sent an abuse email to telling you they are looking into the matter, then minutes later the network goes tits up because the server hosting it was shut down 🙂

Yup, that was my story time for the day. I will try to post some of the funnier bits from network takedowns shortly, and I will also be putting some C&C stats into the soon-to-be-released threat statistics section. That's it for now, kthxbye!

Signatures For The Masses

Today I found the time and energy, despite how tedious it was, to go over the last two weeks' worth of malware submissions and missed edge IPS data from when I was away. This resulted in a total of 126 new signatures (67 MD5 / 59 HEX), which brings LMD to a total of 2,471 signatures (894 MD5 / 1577 HEX). This also gives the project a unique distinction among anti-virus and malware detection offerings: it is the single largest project, commercial or open source, detecting Linux malware.

To further illustrate the lapse in coverage by other vendors, we can turn to Team Cymru's analysis of the MD5 hashes in LMD. As discussed on the LMD home page, Cymru provides malware data to vendors such as Trend Micro, Symantec, Kaspersky, Microsoft, Google and more.

KNOWN MALWARE:       301
% AV DETECT (AVG):   57
% AV DETECT (LOW):   58
% AV DETECT (HIGH):  71
UNKNOWN MALWARE:     593

In short, this shows that of all the vendors Cymru provides data for, only 301 of LMD's 894 MD5 signatures are detected by competing solutions, and of those threats that are detected, on average only 57% of vendors detect each one. This information really has no significance other than to reinforce the validity of this project and the time I am investing in it; chalk one up for stroking my own ego!
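For anyone who wants to reproduce a table like the one above for their own hash set, here is an added example (my illustration, not code from this post or from the LMD project). It uses the Team Cymru Malware Hash Registry's public DNS interface: you query a TXT record for <md5>.malware.hash.cymru.com, a known hash answers with "<last-seen unix time> <percent of AV engines detecting it>", and an unknown hash gets NXDOMAIN. The digests and the answers in the script are constructed so that it runs offline; a real run would replace fake_resolve with an actual TXT lookup (for example the output of dig +short <name> TXT).

```python
"""Tally Malware Hash Registry (MHR) coverage for a set of MD5 signatures.

Added example, not part of the original post or of LMD. The query name
format and the "<last_seen> <detect_pct>" TXT answer are the MHR's public
DNS interface; every hash and answer below is constructed for offline use.
"""
import hashlib
import statistics
from typing import Callable, Dict, Iterable, Optional, Tuple

MHR_ZONE = "malware.hash.cymru.com"

MhrResult = Optional[Tuple[int, int]]  # (last_seen, detect_pct) or None


def mhr_query_name(md5_hex: str) -> str:
    """Build the DNS name to query for one MD5 (MHR expects lowercase hex)."""
    md5_hex = md5_hex.strip().lower()
    if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
        raise ValueError(f"not an MD5 hex digest: {md5_hex!r}")
    return f"{md5_hex}.{MHR_ZONE}"


def parse_mhr_txt(txt: Optional[str]) -> MhrResult:
    """Parse an MHR TXT answer; None (NXDOMAIN) means the hash is unknown."""
    if txt is None:
        return None
    fields = txt.strip().strip('"').split()
    if len(fields) != 2:
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    last_seen, pct = int(fields[0]), int(fields[1])
    if not 0 <= pct <= 100:
        raise ValueError(f"detection percentage out of range: {pct}")
    return last_seen, pct


def lookup_many(md5s: Iterable[str],
                resolve: Callable[[str], Optional[str]]) -> Dict[str, MhrResult]:
    """Run every hash through resolve(name) -> TXT string, or None for NXDOMAIN."""
    return {h: parse_mhr_txt(resolve(mhr_query_name(h))) for h in md5s}


def summarize(results: Dict[str, MhrResult]) -> Dict[str, int]:
    """Known/unknown counts plus mean, min and max detection % over known hashes."""
    pcts = [r[1] for r in results.values() if r is not None]
    unknown = sum(1 for r in results.values() if r is None)
    if not pcts:
        return {"known": 0, "unknown": unknown, "avg": 0, "low": 0, "high": 0}
    return {
        "known": len(pcts),
        "unknown": unknown,
        "avg": round(statistics.mean(pcts)),
        "low": min(pcts),
        "high": max(pcts),
    }


# --- constructed sample: ten fake digests, six of them "known" to the stub ---
SAMPLE_MD5S = [hashlib.md5(f"constructed-sample-{i}".encode()).hexdigest()
               for i in range(10)]
FAKE_MHR_ANSWERS = {
    mhr_query_name(SAMPLE_MD5S[0]): "1283460000 57",
    mhr_query_name(SAMPLE_MD5S[1]): "1283470000 71",
    mhr_query_name(SAMPLE_MD5S[2]): "1283480000 40",
    mhr_query_name(SAMPLE_MD5S[3]): "1283490000 62",
    mhr_query_name(SAMPLE_MD5S[4]): "1283500000 55",
    mhr_query_name(SAMPLE_MD5S[5]): "1283510000 49",
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT lookup (constructed); None mimics NXDOMAIN."""
    return FAKE_MHR_ANSWERS.get(name)


def coverage_report(md5s: Iterable[str] = SAMPLE_MD5S,
                    resolve: Callable[[str], Optional[str]] = fake_resolve) -> Dict[str, int]:
    """Produce the KNOWN / AVG / LOW / HIGH / UNKNOWN figures for a hash list."""
    return summarize(lookup_many(md5s, resolve))


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key.upper():>8}: {value}")
```

"Low" and "high" here are the minimum and maximum per-hash detection percentages, and "avg" is the mean over the known hashes only; unknown hashes are counted separately and never drag the average down. Keep the lookups rate-limited if you point this at the real registry with a signature set the size of LMD's.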

New signatures in this update are classified into the following groups; you will notice a lot of command shells in this update, including an interesting addition, a JSP command shell!

base64.inject.unclassed     exp.linux.unclassed
jsp.cmdshell.zerocnbct      perl.cmdshell.n0va
perl.ircbot.Arabhack        perl.ircbot.BaMbY
perl.ircbot.devil           perl.ircbot.genol
perl.ircbot.karawan         perl.ircbot.rafflesia
perl.ircbot.UberCracker     perl.md5browser.avi
php.cmdshell.antichat       php.cmdshell.avi
php.cmdshell.aZRaiL         php.cmdshell.DxShell
php.cmdshell.h4ntu          php.cmdshell.hackru
php.cmdshell.KAdot          php.cmdshell.lama
php.cmdshell.Macker         php.cmdshell.myshell
php.cmdshell.NCC            php.cmdshell.r3v3ng4ns
php.cmdshell.s72            php.cmdshell.Safe0ver
php.cmdshell.SimShell       php.cmdshell.SRCrew
php.cmdshell.unclassed      php.cmdshell.winx
php.cmdshell.wls            php.cmdshell.xakep
php.cmdshell.ZaCo           php.include.remote
php.mailer.DALLAS           php.rshell.0wned

I am Back: Signature Updates

I am back, fresh off a trip home to Montreal, which I must say was an absolutely amazing time. It has left me reflecting on a lot of things, most importantly that there really is no place like home; I miss Montreal more than I can describe. That said, it is time to get back into the mix of things: there is a mountain of malware submissions to review, 91 to be exact. Today I really could not find the energy or time to go through them all, but I did process the edge IPS data to extract some in-the-wild signature data, which generated 8 new signatures that are now live. In the coming days I will work through the malware submissions and get those signatures out as soon as possible.

rfxn.com In Numbers

Yup, nothing to see here except numbers…

2,018: Downloads of the newest project, Linux Malware Detect, month to date.
2,294: Signatures for Linux Malware Detect.
6,207: Downloads for all projects, month to date.
14,176: Google results with links back to rfxn.com or related domains (e.g. r-fx.org, rfxn.org).
30,061: Active APF installations, measured as unique IPs fetching the reserved.networks file daily.
70,826: Project downloads for the last 12 months, May 2009 to April 2010.
133,931: Total visitor sessions to rfxn.com, month to date.
258,154: Web sites protected by APF (unique install IPs passed to domainsbyip.com).
1,231,604: Total hits to rfxn.com, month to date.