Inspirated

While I was at SysNet, we had been working on a project we called “Shrimp” — Software-defined Home Router Intelligent Monitoring Point. The goal of the project was to provide a framework for easy programmatic access to network monitoring on low-cost, commodity, home router devices. One of the requirements was to have an IDS on the home routers for which we chose Bro — the leading framework for semantic analysis of network traffic.

The OpenWRT OS was chosen as the target platform. Its SDK contained a cross-compile toolchain for CMake projects. However, during the compilation Bro tried to run the binpac and bifcl executables for processing intermediate files. The executables refused to run on the build platform if the target platform architecture was different (mostly the case, e.g., we were building on x86-64 and target was arm).

The (not-so-pretty ™) workaround we used was to build Bro twice. Once for the host, and once for the target. The CMake files were then patched to first generate binpac and bifcl binaries if they weren’t provided and then use the provided binaries if they were defined at make time. The first compile generated the binaries on x86-64 and the second compile (for arm) used the earlier binaries to process the bif files.

The Makefile and patches are available in this tarball: openwrt-bro.tar.gz, while the compiled ipk package is also available for installation. Here is a test execution of Bro on OpenWRT:

# bro –v

bro version 2.0

# cat test.bro

event bro_init()
{
	print "Hello World!";
}

event new_connection(c: connection)
{
	print "New connection created";
}

# bro test.bro

Hello World!

# bro -i br-lan test.bro

Hello World!
New connection created
New connection created

# ls

conn.log           notice_policy.log  reporter.log       weird.log
dns.log            packet_filter.log  test.bro

A heap of thanks to Zaafar for dealing with my messy code and providing the links to hosted files !

Update: The virus seems to have affected only GoDaddy websites, hence the change in title.

Few hours ago I opened my website and noticed some rather strange Javascript hanging around the bottom. After some inspection, it became evident that every page on my blog was trying to load an IFrame to some place called ninoplas.com. Turns out, I wasn’t alone and there are other users as well who are affected by this. Judging by the fact that different blogs were attacked at the same time, this was in all probability the result of a security hole in some plugin or the core itself.

The virus acted by adding a piece of encrypted code on the first line of all PHP files on the server. It’s rather unsettling to consider the extend of damage that could have been caused with the write access to those files. Still, the damage could be rectified by simply deleting those lines. I wrote a tiny script for doing this job which cleans the ninoplas virus from all the PHP files in the current directory:

clean-ninoplas.sh

Warning: While this script has worked for me, I am in no way providing any guarantee for how it behaves on other blogs. Backup your blog as well as database before executing this script.
You have been warned.

Using the fix is a simple matter of:

-bash-$ cd wordpress
-bash-$ wget http://inspirated.com/uploads/clean-ninoplas.sh
-bash-$ sh clean-ninoplas.sh

And don’t forget to backup everything again after cleaning up. The security hole — if there is one — has still not been tracked and if it’s in the core or some plugin which you’re still using, the virus might not be so benevolent next time.

“Research is what I’m doing when I don’t know what I’m doing.” — Wernher von Braun

As soon as the next semester rolls over, I will be joining nexGIN RC as a research student. My task will be to participate in developmental efforts on the National ICT R&D funded project “An Intelligent Secure Kernel for Next Generation Mobile Computing Devices”. Here’s an excerpt from the project’s executive summary:

The project aims to develop secure kernel framework that enable self-monitoring, and consequently self-healing operation for an operating system of mobile devices. This is expected to produce a fully functional Secure Linux Kernel that will be run on tablet PCs / smartphones. The developed framework will be fully aware of system conditions and resource usage and will schedule different threads intelligently based on each thread/process’ behavior, thus providing a truly secure computing experience in which malware that manages to escape detection by intrusion detection systems gets thwarted in the scheduler.

From the looks of it, there will be substantial poking around Linux involved in this one. So even though my research area primarily revolved around back-heeled through balls, spoon-chip goals, splendid crosses, powerful curlers, Totti, De Rossi, Batistuta, Montella, Ibrahimovic and Cruyff until now, I’ll be trying to redirect the efforts towards kernel development. What could possibly be more fun? Oh yes, watching Roma top the Champions League Group A ahead of Chelsea, but digressing that much isn’t suitable for a single post .

The blasts go off, the government comes under pressure, and going by the books, they pull out an egregiously absurd law out of their asses: They inculpate WiFi hotspots, as one of them was used by the terrorists to send an email.

“We cannot blame anyone if we forget to lock our own rooms. The ISPs should provide all these features of password and password protection,” said a Ministry of Communication and Information Technology Indian Computer Emergency Response Team (CERTC-in) senior official an incompetent dork.

First of all, I do not sympathize with terrorists’ motives because of Indians getting targeted (as distasteful as that sounds, some people did suggest it when I argued with them about WiFi-blaming being ridiculous). With that said, I find it hard to believe that clamping down on hotspot security is going to reduce the level of terrorist threats. The Indian government shall have to outlaw real life mailboxes, phone-calls and anonymity all together as well as install GPS-trackers on every Indian resident for an approach like this to work. On the other hand, exploiting public fear by labeling inane regulations as being Anti-Terrorist is much more convenient than implementing adept law enforcing, don’t you think so?