So a joker decided to embed some antivirus bait in the blockchain; just a few bytes are enough to make the software go nuts deleting a whole lot of files the Bitcoin client needs. The solution the Bitcoin developers suggest is pure old-school malware style: XOR the blocks to hide it from the antivirus suites. Classic.
In one of the comments in that article: "I can't wait until someone legally changes their name to one of these sequences and we find out that all sorts of government databases didn't have functioning backups..."
voltagex_|12 years ago
>Just for fun, there's about 8000 reachable nodes on the network at the time of writing. Assuming that a large portion of the network is unreachable (NAT, filtering, intermittent, just not listening), it's probably safe to assume there's probably at least 50,000 nodes with the complete blockchain. If we XOR just the chainstate, we cause 50000 * 430 MB of disk writes, 50000 * 430 * 2 MB read and write combined, somewhere in the region of 43TB. If we XOR the entire blockchain on disk we cause 50000 * 21000 * 2 MB of IO, around 1.95PB of RW across the wider Bitcoin network. Incredible.
This is an old trick. A little while ago someone was putting the EICAR test string in email subject lines, headers, inside PDF files, in MIME headers, and in other random places. He managed to crash a lot of enterprise-level AV solutions and email servers. If you want to be a dick, just copy and paste that string everywhere you can. The AV will treat it like a real threat.
kijin|12 years ago
MSE was top-notch when it was first released. It aced all the malware detection benchmarks, not to mention it was completely ad-free and extremely lightweight, which was unheard of in the free antivirus market. The high detection rate and low performance impact made lots of Windows users flock to MSE, myself included.
Nowadays, MSE is still lightweight, but it sits at the bottom of every malware detection benchmark. I've been recommending MSE to everyone around me, but recently they started getting all sorts of malware despite keeping MSE up to date. All of these were easily detected and removed by avast!, BitDefender, and Malwarebytes, but MSE just sat there like a cow, oblivious to the malware's presence.
Why has Microsoft let MSE rot like this? Now that MSE is built into Windows 8, are they afraid of getting slapped with antitrust fines if they shipped an antivirus that can actually compete with third-party offerings?
This year, I'm moving my family off of MSE. So long, it was good while it lasted. But third-party antiviruses have caught up in the meantime, and now they're just as lightweight as MSE.
nivla|12 years ago
Nah, I will stick with MSE because the alternative for me is not to use an antivirus. If you ever want to know how to bring an 8-core i7 to its knees, install Norton. MSE is the only antivirus that is lightweight, stays out of your way and is the least annoying of everything out there, not to mention it's free with no ads. Sure, it doesn't have heuristic scanning, but it did once do a good job of detecting a malware that both Avast and Norton missed, which is good enough trust for me. The best feature is that it doesn't have a girl screaming "Avast, Your database have been updated." or "Your license is about to expire in 90 days unless you pay $$$" every 4 hours.
Don't download anything sketchy, keep an updated version of your browser, don't run yourself as root and you should be fine for 99.9% of infections out there. For the rest just keep MSE around.
It's sad. However instead of ditching it entirely I have moved to a combination of MSE for real-time protection and Malwarebytes as backup, which I run every month or so to get anything that might manage to slip through.
I noticed the same. MSE is generally great, but it feels like IE 6 back in 2005 (no investment in years)... :(
frik|12 years ago
Running a multi-GB backup with Microsoft's robocopy cmd utility crashes the MSE service. That's really annoying.
Given that "Microsoft Forefront" is a rebranded MSE (it can be controlled over the network), I wonder why its real-time scanner can't handle ~100MB/s IO for several hours.
I seem to remember just having some text copy+pasted into IRC channels used to send people's antivirus software into meltdown... but this was sometime like 2000-2001.
For a while, some security suites would freak out and terminate an IRC connection if they saw the text "start keylogger" show up. You could get people to drop by saying it in a channel, for instance.
If I remember correctly, it used to be the case that if you could get the string +++ATH0 transmitted to somebody in the clear, you could hang up their dialup connection because it was a control code for Hayes modems that ended up being standardised on. Badly written firmware in modems meant that this was often interpreted even when it wasn't transmitted in a control code context.
simcop2387|12 years ago
There were a few others, but that's the one I remember. The part after DCC SEND doesn't matter as long as it was longer than 8 characters, I think it was.
userbinator|12 years ago
I think this is another great example of how modern AV software can be used as a tool of mass censorship. They can simply add signatures for any file contents they disagree with (or some other organisation with the appropriate power requests them to do so), and it will disappear from their users' computers under the pretense of being malicious. Users will trust them in order to "stay safe".
That's why I believe in behavioural monitoring rather than signature-based approaches, since what's malicious is really the activity itself.
afreak|12 years ago
The simple solution is to not allow your anti-virus software to scan anything that cannot contain malware. There are exceptions to the rule of course, such as MP3s that had executable code, but why does it need to scan every single file on your system?
Full disclosure: I used to work for an AV software company and personally think that AV is a dead technology.
tom-|12 years ago
It's visible that you used to work for an AV company and haven't followed the advances of the industry, as you don't mention any of the modern-day technologies like heuristics and file reputation in the cloud.
It's true that the world is full of auto-morphing malware, but you can still detect the new variants through heuristics, which in turn deliver the results to what is generally known as some sort of Antivirus Cloud Lookup or File Reputation Lookup.
Also, the AV industry shares information between vendors. So in the background you don't have analysts looking at every sample file any more. Instead there's automation that analyses each incoming sample.
The old scan databases you refer to are usually the last line of defense nowadays, if all the other technologies before haven't been able to show the file to be a known good or bad file.
Full disclosure: I currently work for a computer security company.
Errrrr, anything can contain malware. For example, if software that uses the blockchain file has a vulnerability that can be exploited by writing stuff into the blockchain.
nivla|12 years ago
OR they could have just used the string from the EICAR test file [1].
Since I don't use bitcoin, let me ask: does everyone have to download the whole blockchain to their computer in order to mine or receive/send the coins? Wouldn't the blockchain be XX GB in size by now?
[1] http://en.wikipedia.org/wiki/EICAR_test_file
nullc|12 years ago
The string from the EICAR test file has been in the current testnet chain since the start in order to try to spot these issues before they bothered users.
Unfortunately, it appears that AV software completely ignores files larger than 32 MBytes, so it won't notice them in the blockchain— just the chainstate. And so the grand idea of putting the triggers in coinbases didn't work there.
The other fun thing is that the EICAR test trigger is too long to easily stuff in a transaction. Unfortunately there are other "signatures" which are as short as 16 bytes.
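The two mechanics discussed in this thread, a signature scanner that skips files over a size cutoff and the developers' proposed fix of XOR-wrapping on-disk data, can be shown side by side. The following is an added example, not code from the thread or from Bitcoin Core: `FAKE_SIGNATURE` is a made-up 16-byte placeholder (not the EICAR string or any real pattern), the record layout, the `ObfuscatedStore` class and the 32 MiB reading of the cutoff are all constructed for the example, and the point demonstrated is defensive: third-party-chosen bytes written into a data store should never sit verbatim on disk where an unrelated scanner can match them.

```python
import os
import secrets
import tempfile

# Constructed placeholder "signature" for the example; a real scanner carries
# thousands of such byte patterns. This one is invented and matches nothing real.
FAKE_SIGNATURE = b"EX-SIG-16-BYTES!"          # exactly 16 bytes, like the short ones in the thread

# Assumption: the "32 MBytes" cutoff mentioned above is read as 32 MiB.
MAX_SCAN_SIZE = 32 * 1024 * 1024


def scan(path, signatures=(FAKE_SIGNATURE,), max_size=MAX_SCAN_SIZE):
    """Naive on-access scanner.

    Returns the list of signatures found in the file, or None when the file was
    skipped because it exceeds the size cutoff (the behaviour that lets large
    block files through while small chainstate files get flagged).
    """
    if os.path.getsize(path) > max_size:
        return None
    with open(path, "rb") as f:
        data = f.read()
    return [sig for sig in signatures if sig in data]


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class ObfuscatedStore:
    """Hypothetical data store that XORs every record with a random per-store key.

    The key is generated once per directory and kept in a side file, so the
    bytes on disk depend on the key and a third party cannot choose them.
    """

    def __init__(self, directory, key=None):
        self.dir = directory
        os.makedirs(directory, exist_ok=True)
        key_path = os.path.join(directory, "xor.key")
        if key is not None:
            with open(key_path, "wb") as f:
                f.write(key)
        elif not os.path.exists(key_path):
            with open(key_path, "wb") as f:
                f.write(secrets.token_bytes(8))   # fresh random key for this store
        with open(key_path, "rb") as f:
            self.key = f.read()

    def write(self, name, data):
        with open(os.path.join(self.dir, name), "wb") as f:
            f.write(xor_bytes(data, self.key))

    def read(self, name):
        with open(os.path.join(self.dir, name), "rb") as f:
            return xor_bytes(f.read(), self.key)


def demo(tmpdir=None):
    """Constructed walk-through: one small record carrying attacker-chosen bytes,
    stored raw and then stored through the XOR-wrapping store."""
    if tmpdir is None:
        tmpdir = tempfile.mkdtemp()
    record = b"record-header" + FAKE_SIGNATURE + b"record-payload"   # constructed record

    raw_path = os.path.join(tmpdir, "raw.dat")
    with open(raw_path, "wb") as f:
        f.write(record)

    store = ObfuscatedStore(os.path.join(tmpdir, "store"))
    store.write("rec.dat", record)
    wrapped_path = os.path.join(tmpdir, "store", "rec.dat")

    return {
        "raw_hits": scan(raw_path),              # raw record is flagged
        "wrapped_hits": scan(wrapped_path),      # same record, wrapped: no match
        "roundtrip_ok": store.read("rec.dat") == record,
        # Simulate the size cutoff with a tiny limit instead of writing 32 MiB.
        "big_file_skipped": scan(raw_path, max_size=len(record) - 1) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The XOR is not a security control (anyone holding the key file reads the data), which is also why the thread's "old-school malware style" remark is apt; its only purpose here is to make the on-disk bytes unpredictable to whoever authored the record, and the `max_size` parameter shows why the chainstate, not the multi-gigabyte block files, is where the false positives land.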
Not sure about mining, but I would assume yes the blockchain is needed.
codystebbins|12 years ago
In order to have a wallet and just use bitcoin, no, the user does not need to download the whole blockchain, depending on the wallet software. There are wallets that use public shared remote servers to access the blockchain that are reputable in the community.
https://electrum.org/
https://multibit.org/
https://darkwallet.unsystem.net/ (don't use yet, alpha)
You don't need the entire blockchain to send/receive, only when running a "full node". If you are not intending to keep your node online 24/7 you can use an SPV-style client like Electrum or Multibit. They are lightweight clients without a blockchain attached.
etiam|12 years ago
After some consideration and the feedback here https://news.ycombinator.com/item?id=7543196 I decided to inform one major antivirus vendor about it. They offered their thanks for the warning, but also the opinion that false alerts would be strongly limited since the virus signatures are in files that would generally not be scanned. The scope of this remains to be seen, but apparently at least Microsoft Security Essentials doesn't handle this entirely without problems.
izietto|12 years ago
> It appears to be a joke or prank, simply because this particular virus does nothing more than periodically show "YOUR COMPUTER HAS BEEN STONED" on one out of every eight computer boot-ups, and is over 25 years old.
When viruses were mainly jokes...
The xkcd would go: "We thought we sanitised our input but we still lost this year's student records.
Did you really name your son Little Bobby Drop [DOS/STONED]{16 byte malware Signature}?"
The malicious code would have to exploit software that handles the block chain. In addition, the size of the transaction affects your transaction fee, so you'd have to take that into account. Effectively, it's not good business if you're looking to do something like that unless you know you'll get a good payout.
nwh|12 years ago
https://github.com/bitcoin/bitcoin/issues/4069