During a break after I presented a talk on Cyber warfare last night, I had a number of questions relating to the proported meltdown today -

• “Should we keep our machines off?”
• “How do we stop this?”
• “How do I stop getting infected?”
• “What antivirus must we buy?”

Here in deepest darkest africa, we have two unintended benefits that come form the general means of network engineering done here. Both stem in reality from the paucity of real bandwidth currently (and historically available).  The first is that most organisations block direct port 80/tcp (http) and related port access to the Internet, forcing the requirements to use proxy servers. This cuts off confickers ability to update. In the resedential SOHO market, theoreticlaly direct end to end port 80 access is possible , but more often than not there is a transparent proxy in the way. I doubt ISPs are doing any domain filtering on these however. What works as a means of self limitation is that fact that should any massive wave of attacks spring forth from the SOHO /Residential type users, it will be cut short as they rappidly burn though their “bandwidth cap” – in most cases 1-3 Gig.

What is interesting is what the actual next move will be.  I think its highly unlikley that this will be used for an all-out offensive and then disposed of. The authors have carefully engineered through four releases of the Hybridised Malware, and in essence have made a fairly substantial investment.   The most likely scenario is that tis is yet another botnet for sale – albeit a potentially massive one.

Botnets themselves are nothign new, we have seen what Storm has done ( and is still doing).

For  now we bunker down and wait…..

After some hunting, I narrowed the culprit down to the Nvida graphics drivers post version 169.39. Driver Release 175.16 was the first to show the issue, 175.19 made it worse.

My solution at the time roll back 169.19 and sacrifice some of the support for my CUDA enabled cards.  Last week I took the plunge and went for 178.13, which while resolving some other issues still broke the Remote desktop functionality.

The solution appears to be a tweek is needed in ones registry.

1. Start, Run, type regedit and press OK
2. Navigate to the Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
3. Right click in the Details pane and Select New –> DWORD Value
4. Name it  SessionImageSize
5. After it is created, double click on it and change its value to: 20 ( this is based on recommendations from here) and effectively maps to raising the session memory to 32 MB.
6. Save and Reboot

I tried this and no luck.  For my particular configuration SLI motherboards with Running 3 heads ofa 7600GT and 7300GS, I needed to raise the SessionImageSize value to 41 implying the use of 64MB of memory.  I’m not sure if this is due to the large amount of ram in the system ( 4gigs) or the particular use of two non SLI’d cards. the ‘default’ value of 20 seems to have solved the problem on my other Intel based system running a single  8500GT.

Microsoft take on the issue  is contained in KB886212 which proposes the solution of try another driver or rollback the driver.

Searching for “SessionImageSize” in the Microsoft knowledge base doesn’t seem to help either

Its worth nothign that the problem is occuring across different chipsets, Graphics cards, and on both SP2 and SP3 systems. The fix of increating the SessionImageSize to 0×41 seems to be working fine on a Windows Server 2003 (SP2) system as well.

Apache’s mod_rewrite seems to be the obvious candidate for making this as transparent as possible. In essence what needed to happen was incoming requests for:

"GET /blog/?flav=rss&category=Security HTTP/1.0" and
"GET /blog/?flav=rss HTTP/1.0" respectively need to be converted into:


http://lair.moria.org/blog/archives/category/security/feed

and

http://lair.moria.org/blog/feed respectively

This was achieved matching on the QUERY_STRING variable within apache. The real trick came trying to get the new URLS to appear clean. This proved to be more difficult than I expected. My initial rewrite rules resulted int he following:

"GET /blog/?flav=rss HTTP/1.0" 301 249 "
"GET /blog/feed/?flav=rss HTTP/1.0" 200 54274 ""

The agent was directed to the right url but it still looks ugly. Note the use of a HTTP/301 status code indicating permanently moved rather than a 302 which mod_redirect usually provides. The solution to the appending of the query string turned out to be to force my own null string onto the redirect. The Apache Wiki was where I finally found the right answer. so the way to remove a QUERY_STRING is to append a blank string “?” to the redirect .

The final setup in my .htaccess for WordPress looks as follows:

RewriteCond %{QUERY_STRING} ^flav=rss$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/feed? [R=301,L]
RewriteCond %{QUERY_STRING} ^flav=rss&(category)=Security$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/archives/category/security/feed? [R=301,L]
RewriteCond %{QUERY_STRING} ^flav=atom$ [NC]
RewriteRule ^$ http://lair.moria.org/blog/feed/atom? [R=301,L]

For some time my Laptop and Desktop XP systems have been misbehaving, intermittently when going into hibernate, the desktop much more since it got its upgrade to 4 gigs of Ram. Symptoms include just going blank with heaps of hard disk activity and then just sitting with the HDD light flickering, or stating that there are insufficient resources available — despite heaps of free disk space on the system drive.The other evening I had ad enough and went on a hunt for a potential solution other than the “re-install windows” solution.

This was particularly irritating when the laptop failed to hibernate, and you get home to find a rather warm laptop bag. The other problem being in light of the joyous power cuts we have been experiencing, my UPS software is configured to hibernate on power fail rather than shut down something which wasn’t happening and the UPS batteries were ending up draining. After trying the logical solutions of enable/disable hibernate, defrag the drive, removing the hiberfile.sys, rinse repeat etc. with no tangible effect it was time to look elsewhere.

The solution

The solution was surprisingly simple once I got the right sequence of terms plugged into Google. Microsoft has published a hotfix (Microsoft KB 909095) for exactly this issue. Although billed as:

The computer occasionally does not hibernate and you receive an “Insufficient System Resources Exist to Complete the API” error message in Windows XP with Service Pack 2, in Windows XP Tablet PC Edition 2005, or in Windows XP Media Center Edition 2005

It installs fine on any XP SP2 system, as stated further down in the Microsoft page. With some trepidation I applied to my desktop fully expecting a warning or complaint – none occurred. A reboot later I had hibernate working perfectly again. The cause of the problem is :

To prepare the computer to hibernate, the Windows kernel power manager requires a block of contiguous memory. The size of this contiguous memory is proportional to the number of physical memory regions that the computer is using. A computer that uses lots of RAM is likely to use more physical memory regions when the computer prepares to hibernate. Therefore, a larger amount of contiguous memory is required to prepare the computer to hibernate.

Additionally, the number of physical memory regions varies according to the programs, services, and device drivers that the computer uses. Therefore, the hibernate feature occasionally fails.

What I found interesting is that both systems are up to date, and I’ve never been offered this in any of the Windows update sessions, despite the hotfix being available since August 2006!