So a joker decided to embed some antivirus bait in the blockchain; just a few bytes are enough to make the software go nuts deleting a whole lot of files the Bitcoin client needs. The solution the Bitcoin developers suggest is pure old-school malware style: XOR the blocks to hide them from the antivirus suites. Classic.
In one of the comments in that article: "I can't wait until someone legally changes their name to one of these sequences and we find out that all sorts of government databases didn't have functioning backups..."
I think you could put the "EICAR Test String" easily in a lot of databases, maybe as the answer to a security question, a special "delivery instruction"...
> Just for fun, there's about 8000 reachable nodes on the network at the time of writing. Assuming that a large portion of the network is unreachable (NAT, filtering, intermittent, just not listening), it's probably safe to assume there's probably at least 50,000 nodes with the complete blockchain. If we XOR just the chainstate, we cause 50000 * 430 MB of disk writes, 50000 * 430 * 2 MB read and write combined, somewhere in the region of 43TB. If we XOR the entire blockchain on disk we cause 50000 * 21000 * 2 MB of IO, around 1.95PB of RW across the wider Bitcoin network. Incredible.
8000 nodes listening on IPv4. There's probably hundreds of thousands of non listening ones. Not every node is listening, not every wallet is a node. You can still be trustless even without a copy of the blockchain at hand.
You're basically right though, there are regular calls on /r/bitcoin for people to run a full node because the number has gone down recently. I decided to set one up on my dedicated host due to one of these.
Interesting - I have been meaning to look into how the blockchain works (I missed the get-rich-quick rush and dismissed it all until I heard Andreessen explain the reasons).
Simply run bitcoin-qt or bitcoind all the time and make sure that you have port 8333 open to the outside world (if you have a router, this usually means forwarding 8333).
It takes a few hours to a half day for the node to catch up, depending on your bandwidth and CPU, but after that it requires relatively little processing time. But you do need ~20 GB of free hard drive space for the blockchain.
Full nodes host the memory pool for the txids, so they serve a purpose: making transactions propagate over the network, and serving blocks to nodes that are not up to date (and clients).
This is an old trick. A little while ago someone was putting the EICAR test string in email subject lines, headers, inside PDF files, in mime headers, and in other random places. He managed to crash a lot of enterprise level AV solutions and email servers. If you want to be a dick, just copy and paste that string everywhere you can. The AV will treat it like a real threat.
MSE was top-notch when it was first released. It aced all the malware detection benchmarks, not to mention it was completely ad-free and extremely lightweight, which was unheard of in the free antivirus market. The high detection rate and low performance impact made lots of Windows users flock to MSE, myself included.
Nowadays, MSE is still lightweight, but it sits at the bottom of every malware detection benchmark. I've been recommending MSE to everyone around me, but recently they started getting all sorts of malware despite keeping MSE up to date. All of these were easily detected and removed by avast!, BitDefender, and Malwarebytes, but MSE just sat there like a cow, oblivious to the malware's presence.
Why has Microsoft let MSE rot like this? Now that MSE is built into Windows 8, are they afraid of getting slapped with antitrust fines if they shipped an antivirus that can actually compete with third-party offerings?
This year, I'm moving my family off of MSE. So long, it was good while it lasted. But third-party antiviruses have caught up in the meantime, and now they're just as lightweight as MSE.
Nah, I will stick with MSE because the alternative for me is not to use an antivirus. If you ever want to know how to bring an 8-core i7 to its knees, install Norton. MSE is the only antivirus that is lightweight, stays out of your way and is the least annoying of everything out there, not to mention it's free with no ads. Sure, it doesn't have heuristic scanning, but it did once do a good job of detecting a piece of malware that both Avast and Norton missed, which is good enough trust for me. The best feature is that it doesn't have a girl screaming "Avast, Your database have been updated." or "Your license is about to expire in 90 days unless you pay $$$" every 4 hours.
Don't download anything sketchy, keep an updated version of your browser, don't run yourself as root, and you should be fine for 99.9% of infections out there. For the rest just keep MSE around.
You forgot the top two other pieces of advice - Make sure you have a decent adaptive firewall, and run anything even slightly worrisome in a virtual machine, never on your main operating system.
You are right, those too. I would also recommend Sandboxie[1], not sure on its effectiveness but the convenience to just right click and run apps in its own sandbox is huge. Does anyone know an open source alternative to it?
Also on Windows, consider looking at Software Restriction Policies. For my host partition, I have things configured to deny execute for anything not in Windows (and excluding some temp/cache dirs). So if I step away for a minute and someone tries to download and run an exe, Windows should prevent it. Would also prevent me from drunkenly saving cute.jpg.exe to my desktop and running it.
It's sad. However instead of ditching it entirely I have moved to a combination of MSE for real-time protection and Malwarebytes as backup, which I run every month or so to get anything that might manage to slip through.
I've been doing exactly that, but by the time Malwarebytes catches the virus, the damage might already be done. So even if you use Malwarebytes for occasional scans, there is legitimate need for better realtime protection.
Maybe I should get the paid version of Malwarebytes that can also do realtime scans?
The support team was unwilling to acknowledge and escalate my report that it failed to install the correct msvcrt, it just hopes it is already present.
(Which usually isn't a big deal, but it's not a way end user software should ever fail either)
I noticed the same. MSE is generally great, but it feels like IE 6 back in 2005 (no investment in years)... :(
Running a multi GB backup with Microsoft's robocopy cmd utility crashes the MSE service. That's really annoying.
Given that "Microsoft Forefront" is a rebranded MSE (it can be controlled over the network), I wonder why its real-time scanner can't handle ~100MB/s IO for several hours.
I seem to remember just having some text copy-pasted into IRC channels used to send people's antivirus software into meltdown... but this was sometime around 2000-2001.
For a while, some security suites would freak out and terminate an IRC connection if they saw the text "start keylogger" show up. You could get people to drop by saying it in a channel, for instance.
If I remember correctly, it used to be the case that if you could get the string +++ATH0 transmitted to somebody in the clear, you could hang up their dialup connection because it was a control code for Hayes modems that ended up being standardised on. Badly written firmware in modems meant that this was often interpreted even when it wasn't transmitted in a control code context.
BitCom, a trashy DOS based terminal program, would lower the signal on the DTR pin, which would hang up the modem instantly, when it saw the text, "NO CARRIER" on a line by itself. Obviously, that line got dropped in forums and chat rooms as the "word of the day for BitCom users" on a regular basis.
Actually, it wasn't "badly written firmware". Hayes modems actually looked for "+++", then a second or so of no traffic, before they would switch into command-mode, and that delay was patented. So "Hayes-compatible" modems would implement the system without the delay, and as a result were vulnerable to remote DoS.
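To make the guard-time point above concrete, here is a toy Python model of the Hayes escape (an added illustration, not code from any commenter and not real modem firmware). It assumes a modem that passes bytes through while online, treats "+++" as the escape into command mode, and hangs up on the command "ATH0"; the byte streams are constructed for the demo. A modem with `guard_time=0` models the "Hayes-compatible" behaviour that skips the silence check; the streams and the one-millisecond inter-byte spacing are assumptions.

```python
class Modem:
    """Toy Hayes-style modem: passes data through while online, switches to
    command mode on the '+++' escape, and hangs up on the 'ATH0' command."""

    def __init__(self, guard_time: float):
        self.guard_time = guard_time   # required silence (s) before and after '+++'
        self.online = True
        self.command_mode = False
        self._last_t = None            # timestamp of the last data byte seen
        self._plus_run = 0             # consecutive '+' bytes seen so far
        self._gap_ok = False           # was there silence before the first '+'?
        self._escape_at = None         # time the third '+' arrived, if pending
        self._cmd = b""

    def feed(self, t: float, b: int) -> None:
        if self.command_mode:
            self._cmd += bytes([b])
            if self._cmd.endswith(b"ATH0"):
                self.online = False    # hang up
            return
        if self._escape_at is not None:
            if t - self._escape_at >= self.guard_time:
                # Silence after '+++': the escape completes, and this byte
                # is the first byte of a command.
                self.command_mode = True
                self._escape_at = None
                self.feed(t, b)
                return
            # Traffic arrived too soon: the '+++' was ordinary data.
            self._escape_at = None
        gap = float("inf") if self._last_t is None else t - self._last_t
        if b == ord("+"):
            if self._plus_run == 0:
                self._gap_ok = gap >= self.guard_time
            self._plus_run += 1
            if self._plus_run == 3:
                self._plus_run = 0
                if self._gap_ok:
                    self._escape_at = t   # wait for silence after it
        else:
            self._plus_run = 0
        self._last_t = t


def simulate(guard_time: float, stream) -> bool:
    """Feed (timestamp, bytes) chunks to a modem; bytes inside a chunk arrive
    back to back (assumed 1 ms apart). Returns whether the modem is still
    online afterwards."""
    m = Modem(guard_time)
    for t0, chunk in stream:
        for i, b in enumerate(chunk):
            m.feed(t0 + i * 0.001, b)
    return m.online


# Constructed streams. ATTACK carries '+++ATH0' inline in ordinary traffic
# with no pauses; LEGIT is a user pausing, typing '+++', pausing, then 'ATH0'.
ATTACK = [(0.0, b"GET /index.html +++ATH0 HTTP/1.0")]
LEGIT = [(0.0, b"some data"), (5.0, b"+++"), (7.0, b"ATH0")]

if __name__ == "__main__":
    print("no guard time, inline attack  -> online:", simulate(0.0, ATTACK))
    print("1s guard time, inline attack  -> online:", simulate(1.0, ATTACK))
    print("1s guard time, real user      -> online:", simulate(1.0, LEGIT))
```

The only difference between the two modems is whether "+++" is accepted when it is surrounded by other traffic; without the guard time any peer who can get those seven bytes onto the line can hang up the connection, which is exactly the in-band-signalling failure the AV-signature-in-the-blockchain story repeats at a different layer.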
To extend this a little further, various brands of modems (at least Rockwell) supported it but came with it disabled by default. You could enable it before dialling up by setting an S register.
This reminds me how the string %English% transferred via SMS crashed some old Siemens phones and GSM modules because of an error in the detection of embedded images.
And how recently string سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ could crash some versions of iOS and OS X.
There were a few others, but that's the one I remember. The part after DCC SEND didn't matter as long as it was longer than 8 characters, I think it was.
I think this is another great example of how modern AV software can be used as a tool of mass censorship. They can simply add signatures for any file contents they disagree with (or that some other organisation with the appropriate power requests), and it will disappear from their users' computers under the pretense of being malicious. Users will trust them in order to "stay safe".
That's why I believe in behavioural monitoring rather than signature-based approaches, since what's malicious is really the activity itself.
The simple solution is to not allow your antivirus software to scan anything that cannot contain malware. There are exceptions to the rule of course, such as MP3s that had executable code, but why does it need to scan every single file on your system?
Full disclosure: I used to work for an AV software company and personally think that AV is a dead technology.
It's visible that you used to work for an AV company and haven't followed the advances of the industry.
As you don't mention any of the modern-day technologies like heuristics and file reputation in the cloud.
It's true that the world is full of auto-morphing malware, but you can still detect the new variants through heuristics, which in turn delivers the results to what is generally known as some sort of antivirus cloud lookup or file reputation lookup.
Also the AV industry shares information between vendors. So in the background you no longer have analysts looking at every sample file. Instead there's automation that analyses each incoming sample.
The old scan databases you refer to are usually the last line of defense nowadays, if all the other technologies before haven't been able to show the file to be a known good file or bad file.
Full disclosure: I currently work for a computer security company.
I have most definitely followed the advances in the industry because I worked in it in the past few years.
Heuristics are not a new thing in the AV industry and have been in the works even before the dotcom boom. Even with advances in it, it has been proven to either not scale or be absolutely worthless.
Anti-virus "cloud lookup" is just a stop-gap between signature updates. It's not a new idea and all you're doing with that is cataloging MD5s and making them available via whatever network server you choose to use. It's still a signature.
Here's a perfect example of why AV is useless: until 64-bit Windows was commonplace and before XP support was dropped, it was ineffective in stopping the likes of Aleurion (also known as "TDSS" or "TDL").
How did this malware work? Well, in its many, many different permutations, it would get dropped on a machine, become executed, and if the machine was running XP Service Pack 2 or less, it would make use of a vulnerability in the print spooler, get system-level control over the computer, and then it would infect the master boot record with its own bootloader.
How does AV remove it? Well since every time you reboot, it restores its copy of the malware, all it can do is scream that the world is falling because it can do absolutely squat about it. You have to remove it from the bootloader and then do a scan afterward while having taken the system offline.
What fixed the problem? Well applying a patch in the OS is what fixes the issue once and for all--SP3 was the easy way.
If heuristics really worked as you suggest it does, we wouldn't see Cryptolocker and the likes getting around AV. AV evasion is better than ever and heuristics have done absolutely nothing to solve the problem.
Not all Turing-complete languages are scanned. For example, CSS3 is Turing-complete but by default it is not looked at by AV scanners.
However, one can do some nasty things using CSS. An example would be when a troll was posted on a site that appeared to show some sort of Linux-based privilege escalation when in fact it had several <span> tags scattered about that would have not shown up in the browser but did so when text was copied.
This sort of thing can however be defeated by just scanning the web content coming through (and most modern AV software has this already), but even then an attack like that isn't simply going to be just picked up so easily.
I am well aware of where files can create havoc Turing-complete or not (such as my MP3 example), but at the very same time you're going to have headaches if you decide to scan every single file.
This again goes back to my whole point of saying that AV is a dead technology because you really shouldn't trust any file but it is not effective to scan everything either.
Errrrr, anything can contain malware. For example, if software that uses the blockchain file has a vulnerability that can be exploited by writing stuff into the blockchain.
There are many articles describing why, but really it comes down to this: malware authors can pump out so many copies of their software at once that the signature-based detections on which the AV industry relies are no longer reliable or effective.
We're at a point now where what may have worked as a defence against stuff being found on floppy drives just isn't able to scale for today's modern infrastructure.
AV is really a last line of defence against being forgetful, and nothing more.
I'm not sure what should I not forget when I visit a hacked web forum which sends me to an exploit kit, that knows an unpatched, possible zero day, vulnerability from my browser?
You're oversimplifying modern AV by acting like it's just a signature-based file scanner. That's just one defence of many in a good AV product.
The problem described in the story is that files are being picked up by an overzealous AV scanner doing disk-based scanning. It's reading non-executable data as executable and throwing alerts or performing whatever actions are dictated as per policy.
AV is not there to stop zero-day attacks--if it were, I would not be having this conversation today.
What you're describing is web filtering and this can be achieved using methods either internal or external--an external example would be a solution from OpenDNS and an internal can be whatever appliance makes you happy. AV vendors have thrown in web filtering as a part of their suite, but it still relies on your system being up to date and not already infected. An external solution to your endpoint is a far better solution really.
I am not oversimplifying things when I say that AV is ineffective at stopping CryptoLocker because file-based detections are useless when there are thousands of copies of the malware generated every day.
AV is dead because there is not enough manpower and coverage to stop things like CryptoLocker. It is better to spend those resources trying to prevent the spread of malware using other methods.
Because a kid can write a working trojan that escapes AV detection? (Two very young students I know did; the POC took less than 50 LOC in AHK. That included a plausible "installer" as well as an auto-update feature.)
The idea of having a program that is allowed to scan and check every single file/memory block seems to be, at the very least, inefficient and against the principle of isolation to me.
Maybe I'm just biased because the damn thing used to start running every time my gaming session was heating up...
OR they could have just used the string from EICAR test file [1].
Since I don't use bitcoin, let me ask: does everyone have to download the whole blockchain to their computer in order to mine or receive/send the coins? Wouldn't the blockchain be XX GB in size by now?
The string from the EICAR test file has been in the current testnet chain since the start in order to try to spot these issues before they bothered users.
Unfortunately, it appears that AV software completely ignores files larger than 32 MB, so it won't notice them in the blockchain, just the chainstate. And so the grand idea of putting the triggers in coinbases didn't work there.
The other fun thing is that the EICAR test trigger is too long to easily stuff in a transaction. Unfortunately there are other "signatures" which are as short as 16 bytes.
Not sure about mining, but I would assume yes the blockchain is needed.
In order to have a wallet and just use bitcoin, no, the user does not need to download the whole blockchain, depending on the wallet software. There are wallets that use public shared remote servers to access the blockchain that are reputable in the community.
You don't need the entire blockchain to send/receive. Only when running a "Full node". If you are not intending to keep your node online for 24/7 you can use a SPV style client like Electrum or Multibit. They are lightweight clients without a blockchain attached.
If you use a client such as Electrum, it uses a server based model to index the Blockchain. The advantage of this is primarily "instant" start up time of the client.
No they don't. Mining software that connects to pools is independent of having a blockchain copy. There are also several bitcoin wallet implementations that don't require a full copy of the blockchain.
After some consideration and the feedback here https://news.ycombinator.com/item?id=7543196
I decided to inform one major antivirus vendor about it.
They offered their thanks for the warning, but also the opinion that false alerts would be strongly limited since the virus signatures are in files that would generally not be scanned.
The scope of this remains to be seen, but apparently at least Microsoft Security Essentials doesn't handle this entirely without problems.
> It appears to be a joke or prank, simply because this particular virus does nothing more than periodically show "YOUR COMPUTER HAS BEEN STONED" on one out of every eight computer boot-ups, and is over 25 years old.
The xkcd would go: "We thought we sanitised our input but we still lost this year's student records.
Did you really name your son Little Bobby Drop [DOS/STONED]{16 byte malware Signature}?"
The malicious code would have to exploit software that handles the block chain. In addition, the size of the transaction affects your transaction fee, so you'd have to take that into account. Effectively, it's not good business if you're looking to do something like that unless you know you'll get a good payout.
https://github.com/bitcoin/bitcoin/issues/4069