Comment But will they share their code? (Score 5, Insightful) 271

Spammers are unlikely to share their results with the rest of the world. They're motivated by financial rewards, and there is absolutely no incentive to publicize their methodology in any format.

Not only would the "good guys" learn from it -- and thus potentially defeat the spammers' discovery -- but other spammers would simply steal their work.

Comment Put Your Money Where Your Mouth Is (Score 5, Insightful) 705

The United States has 5,914 strategic nuclear warheads, followed closely by Russia with 4,237 deployable warheads. (Source: Arms Control.) The rest of the members of the nuclear club -- the UK, France, China, India, Pakistan, North Korea, and Israel -- have fewer than 1,000 nuclear weapons combined. Clearly, if Obama wants the world to take him seriously, he needs to restart the START-II treaty and disassemble his own stockpile before he can expect others to do the same.

Comment Re:You have the date. What's the next instruction? (Score 5, Informative) 214

I have personally analyzed Downadup, so I can speak from experience here.

Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was deciphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.

Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several anti-virus and anti-malware programs that it automatically kills if the user attempts to run them.

One thing to note about all Downadup variants: you would think that if security researchers can make Downadup fetch an executable of their choice by registering a domain, they could make it run remove_downadup.exe. Not so. Downadup cryptographically verifies the signature of any executable it runs against a 4096-bit key. If the signature doesn't match, it doesn't run the program.

Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.

If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm:
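As an added example (not part of the comment above, and not the worm's actual algorithm), the following toy Python models the two points the comment makes about the rendezvous scheme: a date-seeded domain generation algorithm (DGA) that a defender can enumerate once it has been reversed, and the worm's walk down that list, which only stops at a domain serving a payload whose author signature checks out. The seed, TLD list, 2009-04-01 example date, and label lengths are assumptions; the signature check is represented by a boolean rather than implemented.

```python
import hashlib
from datetime import date

# Assumed TLD list for the toy DGA; not the list used by any real Downadup variant.
TLDS = ("com", "net", "org", "info", "biz")

# Example date chosen for the demonstration; nothing in the code depends on it.
EXAMPLE_DAY = date(2009, 4, 1)


def generate_domains(day: date, count: int, seed: bytes = b"toy-dga-seed") -> list:
    """Toy domain generation algorithm.

    Each day's list is a pure function of the date, a fixed seed that would be
    baked into the binary, and the index. Once the function is reversed out of
    a sample, a defender can compute tomorrow's list today, which is what made
    a 250-domain-per-day schedule cheap to pre-register.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                        # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_coverage(day: date, count: int, registered: set) -> float:
    """Fraction of the day's rendezvous domains the defender actually holds."""
    todays = generate_domains(day, count)
    return sum(1 for d in todays if d in registered) / len(todays)


def first_accepted_payload(day: date, count: int, responders: dict):
    """Walk the day's list the way the worm would.

    `responders` maps a domain to True if it serves a payload carrying a valid
    author signature and False if it answers with anything else (a sinkhole's
    remove_downadup.exe included). Returns the first domain whose payload would
    be executed, or None if the whole list is exhausted without one.
    """
    for d in generate_domains(day, count):
        if responders.get(d):
            return d
    return None


if __name__ == "__main__":
    # Defender budget: the same 250 registrations per day in both scenarios.
    budget = set(generate_domains(EXAMPLE_DAY, 250))
    print(f"250/day schedule, 250 registered:    {sinkhole_coverage(EXAMPLE_DAY, 250, budget):.1%} covered")
    print(f"50,000/day schedule, 250 registered: {sinkhole_coverage(EXAMPLE_DAY, 50_000, budget):.3%} covered")

    todays = generate_domains(EXAMPLE_DAY, 250)
    # Sinkholes at indices 0 and 1 answer, but their payload fails the signature
    # check; the attacker's domain at index 7 serves a correctly signed payload.
    responders = {todays[0]: False, todays[1]: False, todays[7]: True}
    print("worm executes payload from:", first_accepted_payload(EXAMPLE_DAY, 250, responders))
```

The point of the second function is that sinkholing only denies service; it never yields control of the bot, because the worm keeps walking past any domain whose payload does not carry the authors' signature. Coverage has to be complete for the day, and at 50,000 domains it is the registration cost, not the cryptography, that the defender cannot keep up with.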
