Why Friends Don’t Let Friends Use Windows: Torpig

For those of you still using Windows, here’s a sobering look at why you shouldn’t: an analysis of the Torpig botnet by an academic group that managed to take over its command & control structure for a few days.

The report is tech-heavy, but well worth the effort to plow through.

Here are some of the high points…

Why do the bad guys do this? It’s all about the money, honey:

In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions.

… we extracted 1,660 unique credit and debit card numbers from our collected data.

Does an antivirus program help?

Torpig has been distributed to its victims as part of Mebroot. Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). This allows Mebroot to be executed at boot time, before the operating system is loaded, and to remain undetected by most anti-virus tools.

In these attacks, web pages on legitimate but vulnerable web sites are modified with the inclusion of HTML tags that cause the victim’s browser to request JavaScript code from a[nother] web site under control of the attackers. This JavaScript code launches a number of exploits against the browser or some of its components, such as ActiveX controls and plugins. If any exploit is successful, an executable is downloaded from the drive-by-download server to the victim machine, and it is executed.

What happens next?

Mebroot injects these modules […] into a number of applications. These applications include the Service Control Manager (services.exe), the file manager, and 29 other popular applications, such as web browsers (e.g., Internet Explorer, Firefox, Opera), FTP clients (Leech-FTP, CuteFTP), email clients (e.g., Thunderbird, Outlook, Eudora), instant messengers (e.g., Skype, ICQ), and system programs (e.g., the command line interpreter cmd.exe). After the injection, Torpig can inspect all the data handled by these programs and identify and store interesting pieces of information, such as credentials for online accounts and stored passwords.

If you think hiding behind a firewall router will save you, you’re wrong:

By looking at the IP addresses in the Torpig headers we are able to determine that 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall.
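As an added illustration (not code from the paper or from this post) of how a figure like that 78.9% can be pulled out of sinkhole logs: a bot that reports a private address in its own header, or any address other than the one the server actually saw, was sitting behind NAT, a proxy or a VPN. The log records, the field layout and the function names below are constructed for this example.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of C&C log records (not real Torpig data): each entry
# pairs the TCP source address the sinkhole observed with the address the
# bot reported about itself in its protocol header.
SAMPLE_RECORDS = [
    ("203.0.113.7",   "203.0.113.7"),    # directly connected host
    ("198.51.100.20", "192.168.1.15"),   # home router NAT
    ("198.51.100.20", "192.168.1.22"),   # second host behind the same NAT
    ("203.0.113.88",  "10.0.4.9"),       # corporate NAT or VPN
    ("192.0.2.40",    "172.16.8.3"),     # RFC 1918 range 172.16/12
    ("192.0.2.41",    "192.0.2.41"),     # directly connected host
    ("192.0.2.55",    "203.0.113.200"),  # public, but differs: proxy/VPN
]

# RFC 1918, loopback and link-local ranges. Checked explicitly rather than via
# ip_address(...).is_private, because Python also flags the documentation
# ranges (192.0.2/24 etc.) used for the sample data as "private".
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

class NatStats(NamedTuple):
    total: int
    behind_nat: int
    fraction: float

def is_behind_nat(observed_ip: str, reported_ip: str) -> bool:
    """True when the bot's self-reported address shows the connection was
    translated on its way to the server: the reported address is in a
    non-routable range, or it differs from the address the server saw."""
    observed = ipaddress.ip_address(observed_ip)
    reported = ipaddress.ip_address(reported_ip)
    if any(reported in net for net in NON_ROUTABLE):
        return True
    return observed != reported

def nat_statistics(records) -> NatStats:
    """Count machines behind NAT/VPN/proxy over (observed, reported) pairs,
    one pair per infected machine."""
    total = len(records)
    behind = sum(1 for obs, rep in records if is_behind_nat(obs, rep))
    return NatStats(total, behind, behind / total if total else 0.0)

if __name__ == "__main__":
    s = nat_statistics(SAMPLE_RECORDS)
    print(f"{s.behind_nat} of {s.total} machines ({s.fraction:.1%}) behind NAT/VPN/proxy")
```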

If you think you’ve got a secure password, you’re wrong:

Torpig bots stole 297,962 unique credentials (i.e., username and password pairs), sent by 52,540 different Torpig-infected machines over the ten days we controlled the botnet.

If you think a separate password manager will save you, you’re wrong:

It is also interesting to observe that 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session.

Somewhat more info on Mebroot from F-Secure.

Remember, the virus / worm / Trojan / botnet attacks you read about all the time only affect Windows machines. Linux isn’t invulnerable, but it’s certainly safer right now. If you’re running Windows, it’s only a matter of time until your PC is not your own, no matter how smart you think you are.

If you have one or two must-gotta-use Windows programs, set up a dedicated Token Windows Box and use it only for those programs. Network it (behind a firewall) if you like, but don’t do any email / Web browsing / messaging / VOIP on it. Just Say No!

For everything else, run some version of Linux. It’ll do what you need to get done with less hassle and far less risk. It’s free for the download, free for the installation, and includes all the functions you’re used to paying money for. Just Do It!

If you think using Linux is too much of a hassle, imagine what putting your finances back together will be like. Remember, the bad guys will steal everything you’ve ever put on your PC, destroy your identity, and never get caught.

Now you know… why are you still stalling?

There’s No Undo Key in CNC

The Axis user interface for EMC2 has a manual command entry mode, wherein you can type G-Code statements and EMC2 will do exactly what you say. That’s handy for positioning to exact coordinates, but I rarely use it for actual machining, as it’s just too easy to mis-type a command and plow a trench through the clamps.

OK, on a Sherline mini-mill, you’d maybe just snap off a carbide end mill, but you get the general idea.

I was making a simple front panel from some ancient nubbly coated aluminum sheet. The LCD and power switch rectangles went swimmingly.

Then I tried to mill an oval for the test prod wires using G42.1 cutter diameter compensation. I did a trial run 1 mm above the surface, figured out how to make it do what I wanted, then punched the cutter through the sheet at the center of the oval and entered (what I thought were) the same commands by picking them from the history list.

EMC2 now handles concave corners by automagically inserting fillets, so it must run one command behind your typing. I drove the cutter to the upper-right end of the oval (no motion) so it could engage cutter comp mode, entered the G2 right endcap arc to the lower edge (cuts straight to upper right), and then did something wrong with the next command.

Epoxy-patched front panel hole

The cutter carved the endcap properly, then neatly pirouetted around the end and started chewing out an arc in the other direction. Even looking at the command trace I can’t figure out what I mistyped, but as it turns out it doesn’t matter… I was using the wrong dimensions for the hole anyway.

So it’s now patched with epoxy backed up by a small square of aluminum. When it’s done curing, I’ll manually drill a pair of holes at the right coordinates, manually file out the oval, shoot a couple of coats of paint, and it’ll be OK.

Nobody will ever know!

If I recall correctly, Joe Martin of Sherline was the first person to observe that, unlike word processing programs, CNC machines lack an Undo key…

Update: Like this…

Patched panel - rear view

The shoot-a-couple-of-coats thing did not go well: a maple seed landed on the front panel. Ah, well, it’s close enough. Here’s a trial fit; the bellyband height extenders on the sides need a dab of epoxy and a shot of paint, too, but I may never get a round ‘tuit for that.

Front panel trial fit

It’s the long-awaited Equivalent Series Resistance meter…