:: 06-Oct-2000 07:22 (Friday) ::

With some of the bad things that have been happening with stats lately,
I thought it’d be nice to report something good for a change. :)

First, I’ve made a few changes to the old rc5 statsrun code recently that
have had a dramatic impact on the run time. Retroactive team joins used
to take an hour; it’s now under a minute. Email ranking for yesterday used
to take over an hour; it’s down to a few minutes. The overall run is back
down to a ‘reasonable’ amount of time (it was back in the 6-10 hour range,
depending on when it started running (the heavier activity during the US
day would slow it down)).

Here’s the real good news though: I’ve been running some rc5 logs through
the new stats system. Here’s a sample…

[10:46:56] Spawning daily.pl for rc5 [10:47:01] Beginning daily processing
routines [10:51:30] retire.sql 5 completed successfully (276 seconds)
[10:53:24] dy_appendday.sql 5 completed successfully (100 seconds)
[10:56:39] em_update.sql 5 completed successfully (183 seconds) [10:58:03]
em_rank.sql 5 completed successfully (85 seconds) [11:02:30] tm_update.sql
5 completed successfully (274 seconds) [11:02:45] tm_rank.sql 5 completed
successfully (14 seconds) [11:03:02] dy_dailyblocks.sql 5 completed
successfully (16 seconds) [11:03:56] Looking for new logs, last log
processed was 20001005-14 [11:04:09] ogr20001005-15.log.gz received: 35,857
bytes in 1.5 seconds (23.9 KB/s) [11:04:16] ogr20001005-15.log.gz
successfully decompressed (82.8% compression) [11:04:18]
ogr20001005-15.log.gz successfully filtered through ./logmod_ogr.pl.
[11:04:47] ./workdir/ogr20001005-15.log.filtered successfully BCP’d; 2,275
rows at 58.33 rows/second. [11:05:04] ogr20001005-15.log.gz successfully
processed. [11:05:31] audit.sql 5 completed successfully (141 seconds)
[11:05:38] clearday.sql 5 completed successfully (15 seconds) [11:11:46]
backup.sql 5 completed successfully (368 seconds) [11:11:51] Daily
processing for 20000902 has completed [11:12:02] daily.pl complete for
rc5

This means that the rc5 run took less than half an hour, even though a
OGR hourly run snuck in the middle. Compare that to the 3+ hours that the
statsrun takes with the old system! Granted, there are only 3 days worth
of rc5 data in the new system at this time, but due to the design of the
system, that should not have a large impact on the amount of time the run
takes.

We are still in the process of creating a version of the new php code for
rc5, but we should be ready to drop the old system entirely in the very
near future.

:: 03-Oct-2000 03:04 (Tuesday) ::

Slight change in plans… the RC5 run didn’t plow right into the run that’s
needed for Oct 02 like I thought it would, so I’m running the OGR stats
now. They should be up soon, and as soon as they are, I’ll start RC5.

:: 03-Oct-2000 00:59 (Tuesday) ::

Quick update on stats…

RC5 has been running for 20 hours or so now. It’s a bit past 50% done on
the second day of RC5 that it had to run. Of course, in that time, another
day has elapsed, so there will be yet one more RC5 run before OGR stats
run. OGR stats should kick off early this morning. Sorry for the delay.

:: 02-Oct-2000 03:08 (Monday) ::

As I’m sure many of you are aware, there was a problem with all the
statsruns last night (someone must have told the box that I’d be out of
town). I’m working on it now, and the OGR stats will hopefully be up in
an hour or so. I’ll run the RC5 stats immediately after that, so everything
should be fine in the morning.

:: 24-Sep-2000 13:19 (Sunday) ::

I have created a simple program that can be run on Win9x machines to
attempt to remove files associated with this most recent “MSINIT” worm,
as well as the VBS.Network and VBS.NetLog worms). You can download this
utility (with full source) from the following location:
http://www1.distributed.net/~bovine/wormfree.zip

:: 24-Sep-2000 12:51 (Sunday) ::

We have recently discovered that a new infectious worm has recently begun
circulating throughout the Internet and includes a hidden payload of our
dnetc.exe client. We have already discredited all stats credit for that
participant’s email address. As stated by our policies at
http://www.distributed.net/legal/policy.html and by our trojan horse
disclaimer at http://www.distributed.net/trojans.html, performing these
types of malicious activities are not condoned at all and these matters
are aggressively pursued by distributed.net.

This worm propagates by randomly selecting an arbitrary IP address and
attempting to connect to the “C” file share on that machine. If it is
successful in accessing that share, it will copy several files into the
remote machine’s “\WINDOWS\Start Menu\Programs\StartUp\” and
“\WINDOWS\SYSTEM\” directories:

+ MSxxx.EXE ~22016 bytes (size and filename varies slightly)
+ MSCLIENT.EXE 4096 bytes
+ INFO.DLL (text file log of other infected computers)
+ DNETC.EXE 186188 bytes (official release v2.8010-463-CTR-00071214)
+ DNETC.INI (containing the email address bymer@inec.kiev.ua)

Note that the presence of DNETC.EXE and DNETC.INI (but with another email
address) on a computer may potentially represent an authorized installation
of our client software, knowingly done by the owner of the machine, so it
not reasonable to indiscriminately delete all instances of those filenames
should you find them.

Please note that the MSxxx.EXE file will vary slightly and will contain
the first numerical component of your computer’s IP address and possibly
a few extra characters. For example, the following filenames have been
encountered: MS216.EXE, MSI216.EXE, MSI211.EXE. It has been discovered
that some instances of this worm’s file is secondarily infected with the
FunLove.4099 virus, so the filesize may be slightly larger that 22016
bytes if so.

Additionally, as a part of the infection, the following line may be added
to the remote computer’s \WINDOWS\WIN.INI file:

load=c:\windows\system\msxxx.exe (filename varies)

Once either of the first two EXEs have executed once, under the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ registry key,
the following registry value may be added:

MSINIT=c:\windows\system\msxxx.exe (filename varies)

Since the worm also executes “dnetc.exe -hide -install”, there will also
be the addition of another registry value to automatically start the client
as well. Note that the existence of that other registry value in itself
may not necessarily imply an unauthorized installation of our software by
the worm, such as if the owner of the machine had legitimately installed
our client software.

The propagation of this worm is possible solely because many Win9x computer
owners unknowingly choose to share their entire hard drives un-passworded
and with full read/write control granted. Readers are encouraged to warn
others about the dangers of sharing directories (and full hard disks)
without strong passwords.

:: 23-Sep-2000 04:14 (Saturday) ::

OGR progress report:

As of 23:59 22-sept-2000 there were 2,264,082 unique OGR-25 stubs returned,
out of 12,207,683, or 14.89% complete

As of 23:59 22-sept-2000 all but 7 unique OGR-24 stubs had been returned
and about 49% had valid pass-2 returns

:: 20-Sep-2000 21:41 (Wednesday) ::

Something got botched when I re-ran OGR stats for 9/18, so I’ll be
re-running them again. }:8/

:: 19-Sep-2000 19:52 (Tuesday) ::

Stats will be late again today :( The automation got a bit cowfused last
night, so I had to manually start the run, and I didn’t notice the problem
until 1000GMT or so. The problem with that is stats take a *very* long
time to run when they are competing with users for disk/CPU, so they take
forever when they run during the day. If they don’t finish soon, I’ll shut
off apache for a while so that they can finish.

Sorry for the inconvenience.

:: 18-Sep-2000 19:01 (Monday) ::

The RC5 statsrun didn’t happen last night due to a problem with the
automated log transfer. I’ll start them running in a few minutes. Sorry
for the inconvenience.