[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

Michael Daniel m.a.daniel at iup.edu
Sun Aug 22 01:36:59 PDT 2010


Since I am a student on summer break until next week, I have way too 
much time on my hands, and I like numbers (famous last words) so I did 
some analysis of modular systems attack on iheartanime.com.

I think the amount of data involved has been understated in many 
discussions I've seen so far, so I'll show my work, but long story 
short:  4.2 terabytes of data transfer are involved with this attack 
(2.1 tb up and 2.1 tb down).

I used the screen cap from the following URL to find exactly what was 
downloaded every time somebody logged in with the emerald viewer during 
this attack:
http://alphavilleherald.com/images/2010/08/modular-bing.jpg

I used Google Chrome's inspect element feature to find the sizes of the 
files downloaded (right click, inspect element - resources - size).

This is what I came up with:

http://iheartanime.com/griffblog.php?article=omnomnomnomnom  163.20k times 20 loads is 3264k
http://iheartanime.com/images/emerald-explore-sounds.png  50.03k
http://iheartanime.com/images/emerald-windows-disclosure.png  55.09kb
http://iheartanime.com/images/emerald-mac-disclosure.png  66.90kb
http://iheartanime.com/images/emerald-linux-disclosure.png  67.32kb
http://iheartanime.com/images/imgsearch-v0.0.2.png  152.37k
http://iheartanime.com/images/FRIENDLY%20GREETINGS.jpg  77.32k
http://iheartanime.com/images/inertia-test.jpg  113.51k
http://iheartanime.com/images/inertia-login.jpg  25.78k
http://iheartanime.com/images/inuyertia.jpg  153.68k
http://iheartanime.com/images/neillife.jpg  102.22k
http://iheartanime.com/images/background-v2.png  130.64k
http://iheartanime.com/images/background.png  77.40k

Total size:  4336.26kb, or 4.33626mb per emerald login.

According to the alphaville herald article, "Gazov told the Herald he 
saw 16,541,673 page hits referred by the Emerald login pages over three 
days".  I'm sure he has the server logs to back him up, so let's see what 
happens if we take him at his word (which I would do, as he seems pretty 
honest to me).
link:  
http://alphavilleherald.com/2010/08/emerald-viewer-login-screen-sneak-ddos-attack.html

I count 32 page hits per login, so we divide 16541673 by 32 to get the 
number of emerald logins during the attack.
16541673 hits / 32 page loads = 516927.28125 logins from emerald

Since it's not an even number, Hazim's numbers must be off a bit.  That 
is no surprise, since his server was under such strain.  Let's round it 
up to 516928 logins from emerald during the attack.

510678 logins during the attack * 4.33626mb requested per login = 
2214432.58428mb requested from iheartanime.com

I used an online calculator at the following link to translate that into 
terabytes:
http://www.matisse.net/bitcalc/

It works out to 2.11184748104095 Terabytes of bandwidth stolen from 
Hazim in 3 days!

As we all know, this bandwidth was not just stolen from Hazim.  It was 
also stolen from Emerald users, so if we multiply that by two we get a 
grand total of 4.22369496154786 terabytes stolen in three days.  To make 
this more concrete, that's over 4.2 tb of transfer.  If you'll pardon 
the archaic reference, the library of congress, if compressed, could fit 
into 4.2 tb almost two times.  That's a lot of data.
Citation for LOC measurement:  http://bit.ly/9TRWUX

The crazy part is that modular systems shows absolutely no remorse at 
all for stealing Hazim's bandwidth.  Most hosts give unlimited 
bandwidth, but some do not.  If, for example, his hosting was at 
nextpoint.net, their hosting plans all come with 2000gb of transfer, so 
he would have gone over by 162.53182058594gb.  They charge $4.50 per gb 
for overage, so that would have worked out to $731.39 in damages to 
Hazim, not counting his regular traffic.  Aren't there laws against this 
kind of thing?

Nextpoint.net reference:  
http://www.nexpoint.net/support/policies/billing.cfm

Video of the emerald team talking about how ridiculous it would be to 
apologize to Hazim, among other things: 
http://www.youtube.com/watch?v=rwmVj9u7C3U

Somebody in the video (I'm assuming the person is Arabella Steadham) 
said, "I'm not going to apologize to Hazim, I mean, why would I?," as 
others agree that they could care less about him.  They also said that 
their users take their account names and passwords too seriously.

I don't see how the third party directory can retain any respectability 
at all if they don't remove Emerald.  I'd be happy if each and every 
member of Modular Systems was banned from SL, but I know there are 
politics involved, so that probably won't happen.

Anyway, I'm sorry if I distracted this list from more important things 
going on with snowstorm.  Given the discussion going on in this thread, 
I thought some people on this list might find these numbers 
interesting.  I can't wait to see what you guys come up with for 
snowstorm at the end of the first sprint.

Cheers!
~Bubblesort Triskaidekaphobia

