REMnux, an Ubuntu Fork to Reverse Engineer Malware

REMnux is a nifty security tool based on Ubuntu. It is essentially a stripped-down version of Ubuntu that creates a sandbox environment for testing exploits remotely. The official website defines REMnux as,

REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.

REMnux comes pre-loaded with an array of security related tools to check network activity, check memory activity and to debug and understand code execution.

The features of REMnux are best explained as,

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

Setting up a virtual environment is an essential step in examining security exploits, and REMnux does exactly that. The download is a VMware virtual machine file containing the stripped-down Ubuntu. Adobe and JavaScript vulnerability scanning tools are available by default, making this an excellent testbed for browser security.

Try REMnux here.

UK Officials Suggest Moving To FOSS To Cut Cost

The UK Government is facing a budget shortfall of around 155 billion pounds. So, UK Prime Minister David Cameron had called upon government officials to suggest measures to cut costs.

Two of the thirty-one cost-cutting ideas published by the Treasury call for moving from Microsoft products, like Windows, Office etc., to open-source ones like Linux, OpenOffice etc.

This is what a proposal says:

In terms of spending less, what about migrating the whole of government (the NHS, education etc.) from Microsoft products to Linux and open-source software like Openoffice.

There are plenty of open-source alternatives to the Microsoft products. Linux distros like Ubuntu, Mint, openSUSE etc. can easily replace Microsoft Windows for almost all applications. Another open-source application, OpenOffice, is a very strong competitor to Microsoft Office. The best thing about all these open-source products is that almost all of them are free. So, you can save a lot of money which would otherwise have been spent on licenses for the Microsoft products.

Chancellor of the Exchequer George Osborne is already in favor of switching to open-source software. Last year, in The Times of London, he had written:

We need to follow the example of businesses all over the world and take advantage of open-source technology.

This is all good news for the open-source community but bitter news for Microsoft, for whom Windows and Office are reportedly the biggest source of income.

[source: BusinessWeek]

Testing The Single Window Mode In GIMP

GIMP is one of the most powerful open-source image editing applications, rivaling even some of the commercial applications out there. One thing that usually turns off people who have migrated to GIMP from other professional software is the very different interface that GIMP has. While other software uses a single-window interface, GIMP has a multi-window interface.

The GIMP developers have decided to incorporate a single-window interface as well in the next release, i.e. GIMP 2.8. Well, this is all old news actually and you might have read about it before. However, it would be interesting to know how it is coming along. So, I decided to install the latest GIMP release (unstable), i.e. GIMP 2.7.3, and test it out.

Single Window Mode!

This is the multi-window mode that GIMP has always had, and it is also the default mode in GIMP 2.7.3. However, we are not here to talk about this. The single-window mode can be enabled at Windows -> Single-window mode.

As you can see, the dockable dialogs like Tool Options, Color etc. are not in their own windows anymore. They have all been integrated into the main window, Photoshop-fashion. I must say this looks a lot cleaner and more organized than the multi-window mode. The tabs in the windows of the multi-window mode still remain as tabs in the single-window mode. However, right now GIMP cannot remember the single-window mode and always starts in the multi-window mode. This is just a minor issue and will be fixed before GIMP 2.8.

The position and layout of the docks are completely configurable. You can have them arranged in tabs, as different panels on either side of the image or on the same side, in the same panel one above the other etc. However, you cannot put them below or above the image (and for good reasons).

Image Tabs

One thing that has been discussed quite a bit is how different opened images will be handled in the single-window mode. In the multi-window mode, different windows are opened for different images. However, this is not acceptable in the single-window mode. Here, tabs come to the rescue.

In the single window mode, when multiple images are opened, they are all opened in the same window and tabs are introduced to navigate between them.

So, there you have it, a brief tour of the single window mode that will be introduced in GIMP 2.8.

If you want to test it, you can find installation instructions here.

Wine 1.2 Release Candidate 6 Released

The sixth release candidate of Wine 1.2 has been released. This release brings a number of bug fixes and some translation updates.

Wine is an application which allows Microsoft Windows programs to run in Unix-like operating systems (Linux, BSD, Solaris etc.).

Wine 1.2 was originally scheduled for release last month but it ran into a number of troubles along the way. Wine 1.2 RC6 includes 42 new bug fixes since the fifth release candidate. However, there are still 48 other known bugs left. Unless all these remaining bugs are fixed, the final release is unlikely. You can see the list of remaining bugs here.

You can follow the instructions given here to install Wine 1.2 RC6 in Ubuntu 10.04.

If you are using Fedora, install instructions can be found here.

Ubuntu 10.10 Maverick Meerkat Alpha 2 Released

The second alpha of Ubuntu 10.10 Maverick Meerkat is finally here. While there is no visual change from Ubuntu 10.04, there are plenty of changes under the hood.

If you want to download it, here is the link: Ubuntu 10.10 Maverick Meerkat Alpha 2

Remember that this is only an alpha release and is meant for testing purposes only.

What's new in Ubuntu 10.10 Alpha 2? Here is a brief description of the changes.

Support For Btrfs

With the second alpha of Maverick, Ubuntu finally supports Btrfs. Btrfs is a new file system with a lot of interesting features like snapshots, rollback etc. EXT4 is still the default file system though.

Software Center

The Ubuntu Software Center has now got some changes. Featured applications are shown on the main screen instead of just a link. There is also a place where new applications will be featured.

The Software Center also has Twitter integration so that you can share your favorite applications with the world.

Aptitude has been removed

Ubuntu 10.10 Alpha 2 no longer comes with aptitude installed. The reason stated for the removal is that it serves almost the same function as apt-get and most people seem to prefer apt-get. You can still install it from the repository if you want.

New Application and File Menu in UNE

The Unity interface for Ubuntu Netbook Edition 10.10 Alpha 2 now has a new applications and file menu. It is now much more functional than the previous one.

New Skype SDK Brings Better Hardware Support

Skype is the best online voice and video suite and has a marked presence across various platforms, including the mobile platform. Skype has recently announced a new SDK, which will let developers integrate Skype functionalities into their applications as well as hardware.


This new SDK, which they are calling SkypeKit, has full voice and video call support along with support for IM through the Skype network. Currently, only desktop applications can use this API. Skype has a separate runtime of its own that cannot be integrated with web services. The SDK also includes SILK, which is Skype’s flagship in-house audio compression tool.

Another new feature in this SDK is hardware support, with which developers can integrate Skype into hardware like televisions and cellphones. Although this open SDK allows developers to use the API in their applications, the prices for using Skype’s communication network through this API have not yet been revealed. However, Skype has hinted at certification fees and a restriction on bulk usage of its network, which would mean a good number of limitations.

Skype also plans to turn its Skype Shop into an app store. This is sensible enough, as Skype is sure to build a wider presence with the features offered by this SDK.

The SDK is a closed beta for Linux only and requires invites for use. Windows and Mac versions will be available soon. Download the SDK here.


Canonical Joins The Open Invention Network

The OIN has just announced a new Association Program and Canonical is its first member under this program.

The Open Invention Network (OIN) is a company that acquires patents and licenses them royalty free to entities which, in turn, agree not to assert their own patents against Linux or Linux-related applications.

Now that Canonical is an OIN member, it will help and support the group in resolving patent disputes. Canonical sheds some more light on this job saying,

By becoming an OIN Associate Member, we are supporting the broad OIN mission and its commitment to enable and protect Linux’s advancement.

Keith Bergelt, the CEO of the organization, leads it and is an expert in FOSS. He is a specialist in patents and licensing. His activities have saved Linux from the bindings of harsh Microsoft anti-Linux patents over the past few years.

Both OIN and Canonical are highlighting the “Freedom of Action” they wish to achieve through this association. With this freedom, they wish to unite companies, individuals and groups who are committed to improving Linux.

Canonical is one of the most powerful associates any open source network can have, and this association could turn out favorably for the open source community, Linux in particular.


(Read more about the OIN here)

How to Hide Porn in Linux? This is Hilarious and Ingenious at the Same Time.

A large part of this world believes that the Internet has been successful because of the availability of free porn. Though it is one thing to have porn on your computer, it is another thing to hide it like a pro.


The folks at Reddit continue to amaze me. This thread at Reddit tells us how to hide porn effectively using Linux. I will quote the exact talk excerpt for you to have a good ROFL moment.

<Pryoidain> What are you trying to hide?
<asaph> Nothing that needs encryption, I just want it to be tricky to find.
<Pryoidain> got a separate /tmp partition?
<asaph> of course.
<Pryoidain> unmount it then copy shit to /tmp. It will actually copy it to the /tmp directory on the ROOT filesystem. then when you remount /tmp, the directory becomes a pointer, pointing to the real one, but without removing any of your files in the physical directory on the root system.
<Pryoidain> No one will ever find them unless /tmp fails to mount, or they’re looking for it. even if they’re looking for it, they’ll see them in /tmp and assume they’re garbage, that is if you name them right.
<asaph> …that’s fucking genius.
<Pryoidain> I know, I’ve been hiding my porn under the /boot directory for about 3 years now.

The talk goes on to explain how effective the method is at hiding stuff you want to remain unseen. Now, that is what I call geekiness, and it is the best abuse of the Linux file system. Worried about the files appearing in a search? Well, another solution talks of doing a chmod 700 on the directory. See the thread here.
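The flip side of the trick above is finding files that were tucked under a mount point this way; this script is an added example (not from the Reddit thread or the article): block_mountpoints parses /proc/mounts-format input (the constructed sample is for offline runs), and find_shadowed_files bind-mounts / onto a scratch directory, where the covered /tmp and /boot directories of the root filesystem become visible. The scan needs root and is only run when invoked with the argument `scan`.

```sh
#!/bin/sh
# Constructed /proc/mounts excerpt so the parsing step can be exercised offline.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,relatime 0 0
/dev/sda3 /boot ext4 rw,relatime 0 0
proc /proc proc rw 0 0
tmpfs /run tmpfs rw 0 0'

# Read /proc/mounts-format lines on stdin and print the mount points that sit on
# block devices, skipping the root filesystem itself and pseudo filesystems.
block_mountpoints() {
    awk '$1 ~ /^\/dev\// && $2 != "/" { print $2 }'
}

# Bind-mount / onto a scratch directory. The bind view is not covered by the other
# mounts, so anything written into /tmp or /boot while they were unmounted shows
# up under $scratch/tmp and $scratch/boot. Prints one line per shadowed entry,
# with the scratch prefix stripped so paths read as they would on the root fs.
find_shadowed_files() {
    scratch=$(mktemp -d) || return 1
    mount --bind / "$scratch" || { rmdir "$scratch"; return 1; }
    block_mountpoints < /proc/mounts | while read -r mp; do
        # A mount point directory should be empty underneath its mount;
        # -mindepth is a GNU find option and lists only the contents.
        find "$scratch$mp" -mindepth 1 -print 2>/dev/null | sed "s|^$scratch||"
    done
    umount "$scratch" && rmdir "$scratch"
}

# Run the scan only when asked explicitly; the bind mount requires root.
if [ "${1-}" = scan ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: sh $0 scan" >&2
        exit 1
    fi
    find_shadowed_files
fi
```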

So, what is your preferred method of hiding porn? Believe me; I do not want to know.

Transmission 2.0 Released with Improved Features

Transmission is the most popular and widely used BitTorrent client available for Linux. Transmission has reached a new milestone with the release of version 2.0.

Transmission was born nearly five years ago, and many people would look down upon it because it has only reached version 2.0 in those five years. We must remember here that this is a community-driven project and is not able to release regular updates and push fast releases. Still, it has already gained millions of users and has a strong user base by now.

Transmission reveled in its light user interface, though in the wake of recent demand for a feature-rich interface it is following in the footsteps of other torrent clients. Being the only torrent client available by default on many Linux distributions, the new Transmission will be loved by its users.

Charles Kerr, the developer of Transmission talked to Torrent Freak on Transmission 2.0 saying,

We’ve profiled the code for CPU bottlenecks and removed them. Startup, peer management, blocklists, and verifying local data are all faster. Transmission 2.0 is also smarter about detecting and handling network lag.

Given the success Transmission enjoys on Linux and Mac, it is also aiming for the Windows platform. However, there is a serious lack of developers to work on this, and even tougher competition for Transmission to stand a chance against.


Linux Version Of Unreal IRC Servers Contained Trojans Since 2009

In a startling revelation, the administrators of UnrealIRCd, one of the most popular IRC servers, revealed that the Linux version of UnrealIRCd contained a backdoor. The backdoor could be triggered by any user, regardless of their privileges on the server. To rub salt in the wound, the file was replaced on certain mirrors way back in November 2009 and went unnoticed till yesterday.

The backdoor works by examining and parsing any incoming packets, looking specifically for the string “AB”. Any Linux command preceded by the string “AB” would be parsed and executed using the system() function call, making it a very dangerous combination in the hands of a malicious user.

The administrators state that the following versions of UnrealIRCd are safe:

  • Official precompiled Windows (SSL and non-SSL) binaries
  • CVS versions
  • 3.2.8 and any earlier versions are not affected
  • Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe

Verifying that the version you have is not the backdoor version:

There are a couple of ways to verify that you have a legitimate version:

  • Calculate the MD5 sum

Running ‘md5sum Unreal3.2.8.1.tar.gz’ will calculate the MD5 sum. The official version has an MD5 of 7b741e94e867c0a7370553fd01506c66, while the backdoored version has an MD5 of 752e46f2d873c1679fa99de3f52a274d.

  • Examine struct.h

Running ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ will search the file for that pattern. If it outputs two lines, then you’re running the backdoored/trojanized version. If it outputs nothing, then the version is clean.
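The two checks above as one script, added here as an example and not part of the advisory or this article: the digests are the ones quoted above, the verdict is "unknown" for any other digest or an unexpected grep count rather than assuming the file is fine, and the command-line paths are assumptions.

```sh
#!/bin/sh
# MD5 values as published in the UnrealIRCd advisory (quoted in the article above).
OFFICIAL_TGZ_MD5=7b741e94e867c0a7370553fd01506c66
BACKDOORED_TGZ_MD5=752e46f2d873c1679fa99de3f52a274d

# Map an MD5 digest of Unreal3.2.8.1.tar.gz to a verdict. Anything that matches
# neither published digest is reported as unknown: not proven bad, but not trusted.
classify_md5() {
    case "$1" in
        "$OFFICIAL_TGZ_MD5")   echo clean ;;
        "$BACKDOORED_TGZ_MD5") echo backdoored ;;
        *)                     echo unknown ;;
    esac
}

# Compute the digest of a downloaded tarball (GNU md5sum) and classify it.
verify_tarball() {
    classify_md5 "$(md5sum "$1" | awk '{print $1}')"
}

# The advisory's second check: the trojaned source tree references
# DEBUG3_DOLOG_SYSTEM on two lines of include/struct.h; a clean tree has none.
# Any other count (or an unreadable file) is reported as unknown.
check_struct_h() {
    hits=$(grep -c DEBUG3_DOLOG_SYSTEM "$1" 2>/dev/null || true)
    case "$hits" in
        0) echo clean ;;
        2) echo backdoored ;;
        *) echo unknown ;;
    esac
}

# Usage (paths are assumptions): sh check_unreal.sh Unreal3.2.8.1.tar.gz [Unreal3.2.8.1/include/struct.h]
if [ $# -ge 1 ]; then
    echo "tarball md5: $(verify_tarball "$1")"
    if [ $# -ge 2 ]; then
        echo "struct.h:    $(check_struct_h "$2")"
    fi
fi
```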

What to do if you’re running the backdoored version?

If the above steps indicate you have a backdoored version, then the following steps must be taken:

Verified md5sums

Below are the verified md5 checksums:

  • 7b741e94e867c0a7370553fd01506c66 for Unreal3.2.8.1.tar.gz
  • 5a6941385cd04f19d9f4241e5c912d18 for Unreal3.2.8.1.exe
  • a54eafa6861b6219f4f28451450cdbd3 for Unreal3.2.8.1-SSL.exe

Could anything have been done to prevent this?

Perhaps. The fact that the MD5 sum was published on the site and yet nothing was done indicates that nobody bothered to verify it. You might argue that the published checksums could have been altered too, but that would only be the case if the server itself had been broken into; in this case the source files were altered, so the MD5 mismatch would have shown up.

The files could have been signed using PGP, but again, it is not clear how many people would bother to verify the signatures.

Response from UnrealIRCD team

The UnrealIRCd admins have come out with a full disclosure, and they should be applauded for doing that rather than covering up the matter. They have released an advisory, so keep an eye out for any updates to this file. They have also stated that they will start PGP/GPG signing of releases.

Learnings from the incident

Most of these have been said ad nauseam, yet they bear repeating:

  • Never download files from unverified sources.
  • Always rely on files packaged by your distribution’s package manager.
  • If you’re downloading sources, ensure that you’ve verified their authenticity. Most projects publish MD5/SHA1 checksums; if there is any deviation, inform the site admins.