Archive for April, 2009

Yahoo! To Advance Cloud Computing

April 30th, 2009

Yahoo! has expanded its partnerships with four top U.S. universities to advance cloud computing research. The University of California at Berkeley, Cornell University and the University of Massachusetts at Amherst will join Carnegie Mellon University in using Yahoo!’s cloud computing cluster to conduct large-scale systems software research and explore new applications that analyze Internet-scale data sets, ranging from voting records to online news sources.

To date, academic researchers have had limited access to Internet-scale supercomputers for conducting systems and applications research. To help alleviate this obstacle, Yahoo! is granting these four universities access to the Yahoo! cloud computing cluster. The Yahoo! cluster, also known as M45, has been operational since November 2007 and in use by Carnegie Mellon. The cluster has approximately 4,000 processor-cores and 1.5 petabytes of disks.

“We have been using the Yahoo! cluster for more than a year now and have made significant progress in a number of key research areas, resulting in the publication of more than two dozen academic papers,” said Randal E. Bryant, dean of the School of Computer Science at Carnegie Mellon.

“Our researchers were able to extract and process documents from the Web in a way that was not possible before, changing the way we think about research problems. We were also able to conduct research over a corpus of 200 million Web pages, processing two orders of magnitude more data. We conducted systems software research, comparing, for example, the performance of the Hadoop file system and other parallel file systems. The simultaneous access to applications and systems software has been a real benefit and we look forward to our continued partnership with Yahoo! and joint contributions to the cloud computing community.”

Yahoo!’s M45 cluster runs Hadoop, an open source distributed file system and parallel execution environment that enables its users to process massive amounts of data. Apache Hadoop is an open source project of the Apache Software Foundation, to which Yahoo! engineers have been the primary contributors to date.

“Hadoop powers many of our most broadly used and complex systems at Yahoo!, from Web search to optimizing content for the home page,” said Shelton Shugar, SVP of cloud computing at Yahoo!.

“Continuing to invest in the open source community and in technologies like Hadoop is an important element in our efforts to drive breakthroughs in Internet-scale computing and ultimately to continually improve the quality of the consumer experience of Yahoo!. By partnering with these top educational institutions to share our M45 cluster and our technical expertise, we hope to further key insights into the next generation of systems software research and development.”

“We are very excited about the new research partnership with Yahoo!,” said Shankar Sastry, dean of the College of Engineering at the University of California, Berkeley.

“Access to the cluster is a first step in helping us analyze the vast amounts of societal-scale information available on the Web, such as voting records, online news sources and polling data. The Yahoo! cluster will also enable us to conduct computationally intensive econometrics research, combining economic theory with statistics to analyze and test large-scale economic relationships.”

“Our partnership with Yahoo! will enable us to attack problems ranging from wildlife preservation and biodiversity, to balancing socio-economic needs and the environment, to large-scale deployment and management of renewable energy sources,” said Bob Constable, dean of the faculty of Computing and Information Science at Cornell University.

“We recently established the Institute of Computational Sustainability at Cornell to focus on computational problems in these areas, and Yahoo!’s cluster will help us solve large scale optimization and machine learning problems to find better ways to manage our natural resources.”

“Our vision is to improve upon current technology through the processing of large data sets,” said Jim Kurose, dean of College of Natural Sciences and Mathematics at the University of Massachusetts, Amherst.

“Yahoo!’s supercomputing cluster will enable us to do data-intensive research on a large set of scanned books drawn from the Internet Archive’s million-book collection. The latter includes 8.5 terabytes of text and half a petabyte of scanned images. Research on such large datasets would not be possible without the use of clusters like the one Yahoo! is offering us access to.”

Partnership with these universities is the next step in expanding Yahoo!’s leadership in supporting cloud computing research. In July 2008, Yahoo! joined forces with HP, Intel, the University of Illinois at Urbana-Champaign, the Infocomm Development Authority (IDA) in Singapore, and the Karlsruhe Institute of Technology (KIT) in Germany to create Open Cirrus, a global, multi-data center, open source testbed for advancing cloud computing research and education. The partnership with Illinois also includes the National Science Foundation, creating a cloud computing cluster that is made available to the entire reach of the NSF academic community.

The international partnership promotes open collaboration among industry, academia and governments by removing the financial and logistical barriers to research in data-intensive, Internet-scale computing. As the Yahoo! M45 cluster is part of the Open Cirrus cloud computing testbed, the above universities will also gain access to and be part of the Open Cirrus community.

“Yahoo! is dedicated to working with leading universities to solve some of the most critical computing challenges facing our industry,” said Ron Brachman, VP and head of Yahoo! Academic Relations.

“The ability to access and analyze massive data sets is becoming increasingly crucial to the advancement of Internet-related computer science and cross-disciplinary research. By expanding our university-facing cloud computing program to partner with more universities, we hope to catalyze data-intensive computing research, furthering our commitment to the global, collaborative research community advancing the new sciences of the Internet.”

Categories: NETWORKING

Computer spies breach $300 bn US fighter jet project: WSJ

April 22nd, 2009

Computer spies have broken into the US Defence Department’s costliest weapons programme ever, the $300 billion Joint Strike Fighter project, the Wall Street Journal reported Tuesday.

Similar incidents have also breached the Air Force’s air traffic control system in recent months, it said, citing unnamed ‘current and former government officials familiar with the attacks’.

In the case of the fighter jet programme, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials were quoted as saying, potentially making it easier to defend against the craft.

Many details couldn’t be learned, including the specific identity of the attackers, and the scope of the damage to the US defence programme, either in financial or security terms, the Journal said.

In addition, while the spies were able to download sizable amounts of data related to the jet fighter, they weren’t able to access the most sensitive material, which is stored on computers not connected to the Internet, it said.

Former US officials cited by the Journal said the attacks appear to have originated in China. However, it can be extremely difficult to determine the true origin because it is easy to mask identities online. The Joint Strike Fighter, also known as the F-35 Lightning II, is the costliest and most technically challenging weapons programme the Pentagon has ever attempted.

The plane, led by Lockheed Martin Corp., relies on 7.5 million lines of computer code, which the Government Accountability Office said is more than triple the amount used in the current top Air Force fighter. The Journal said six current and former officials familiar with the matter confirmed that the fighter programme had been repeatedly broken into. The Air Force has launched an investigation.

The intruders entered through vulnerabilities in the networks of two or three contractors helping to build the high-tech fighter jet, it said, citing people who have been briefed on the matter.

Pentagon officials declined to comment directly on the Joint Strike Fighter compromises. Pentagon systems ‘are probed daily’, Air Force Lt. Col. Eric Butterbaugh, a Pentagon spokesman, was quoted as saying.

Joint Strike Fighter test aircraft are already flying, and money to build the jet is included in the Pentagon’s budget for this year and next.

Source: IANS

Categories: Hacking

Google to change the ranking algorithm

April 22nd, 2009

Google is set to make changes to its search ranking algorithm to combat the spate of links leading to malicious web pages appearing at the top of Google’s search results, according to an inside source.

Obviously if Google fails to do something about this manipulation, users will lose trust and the good ole days of Google will be over fast. A Googler speaking on condition of anonymity told WebProNews a ranking change is pending that tackles spam of this kind. Once the change goes live, users shouldn’t see it “nearly as often.”

A report from security company PandaLabs identified over a million links targeting malicious webpages ranking for auto part searches. Google noted that many of the phrases mentioned in the report were rare. A phrase like [1989 Nissan Pickup Truck Engine Check Light Troubleshooting], for example, only appears on attack sites set up by spammers, which explains why Google brought back so many attack sites in response to it and similar queries.

Google’s response also seems an admission of how difficult it is to provide fresh, timely search results while simultaneously combating spammers. Part of the appeal of Twitter to many people is the platform’s ability to provide real-time information; the live Web works remarkably well there so far because Twitter’s setup isn’t very conducive to spam (yet). At least Twitter has, to some extent, control over accounts.

Google, on the other hand, cannot control content appearing on the Web at large, and historically its famous algorithm performed better than any other at weeding out spammy webpages and malicious results. Unfortunately, that was a version of the Web that was more static. The live Web presents entirely new challenges, manifesting as the first major weakness the search engine has faced.

The company naturally didn’t have a comment on the recently pondered “link velocity” ranking factor. Search engine optimization experts have identified the speed at which organic links appear as a possible important influence.

Link velocity therefore aids in explaining how blackhatters were able to manipulate search results by dropping enormous amounts of link spam into comment and discussion areas of social sites. The freshness or buzzy nature of a query also aided in this pursuit, and cyber criminals merely have to follow Google Trends and Google News to know which keywords and phrases to target.

Categories: General

Cisco Router Flaws

April 21st, 2009

Cisco Systems Inc. has issued three security patches to fix bugs that could crash its products and is drawing a warning from the SANS Internet Storm Center.

The updates, issued Wednesday, fix denial-of-service bugs in the SSH (Secure Shell) software in Cisco’s Internetworking Operating System (IOS), which is used to power its routers, and in the Cisco Service Control Engine, which provides carrier-grade networking services.

Cisco has also patched a privilege-escalation vulnerability in its Voice Portal automated telephone customer service software.

In its security advisories, Cisco said that all of the bugs had been discovered by its own researchers, but SANS warned that researchers are likely reverse-engineering the patches and may release exploit code publicly.

These particular updates are getting extra attention from the security community, which is now closely investigating how malicious software might work on IOS, an operating system that has largely evaded serious scrutiny. On Thursday, for example, Core Security Technologies analyst Sebastian Muniz is slated to give a widely anticipated presentation on a Cisco rootkit he calls the DIK (for “da IOS rootkit”) at the EuSecWest Applied Security Conference in London.

Cisco recently changed its software update policy, saying it will now issue IOS patches only in March and September each year, unless forced to rush out a fix for serious bugs that are publicly disclosed or actively exploited. On Wednesday, a Cisco spokesman couldn’t immediately say whether his company considered the IOS patch, which fixes a flaw in the SSH server, an out-of-cycle update.

But Core Chief Technology Officer Ivan Arce said that Cisco’s SSH bug fix is not connected to his company’s rootkit presentation. “It is more likely that this is related to an ongoing distributed SSH brute-forcing attack that a few people reported in the incidents mailing list last week,” he said in an e-mail interview.

The SSH server is used by administrators to remotely log into a router over an encrypted session. Bugs in the software could let an attacker repeatedly reload the device or access “spurious” parts of the router’s memory, and could be used to disable the hardware in a denial-of-service attack, Cisco said.

“While the ‘Exploitation and Public Announcements’ portion of all three advisories states that the [vulnerabilities] were discovered in-house, it’s a pretty safe bet that a fair number of security researchers are feverishly reverse-engineering the updates to develop exploits,” wrote SANS Internet Storm Center contributor George Bakos in a blog posting.

“Anytime we see a ‘spurious memory access’ leading to a denial of service, thoughts immediately go to arbitrary code execution. There is no evidence that this is possible, but in light of the recent work in IOS rootkits, [vulnerabilities] in Cisco devices should not be taken lightly,” he wrote.

Categories: Network Security

Secure Data Transfer

April 21st, 2009

Use Virtual Private Networks for Secure Internet Data Transfer

Data sent across the public Internet is generally not protected from prying eyes, but you can make your Internet communications secure and extend your private network with a virtual private network (VPN) connection. A VPN connection uses encryption and tunneling to transfer data securely across the Internet to a remote access VPN server on your workplace network. Using a VPN helps you save money by using the public Internet instead of making long-distance phone calls to connect securely with your private network.

To make a VPN connection, you must be already connected to the Internet. You can make a VPN connection by first dialing an Internet service provider (ISP) or by using an existing connection to the Internet.

If you connect to the Internet using a dial-up connection, you first connect to your ISP and then you make a VPN connection to the private network’s VPN server. After the VPN connection is established, you can access the private network.

If you are already connected to the Internet (on a local area network, a cable modem, or a digital subscriber line (DSL)), you can make a VPN connection directly to the VPN server.

To make a VPN connection

1. Open Network Connections. (Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.)
2. Under Network Tasks, click Create a new connection, and then click Next.
3. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
4. On the Network Connection Type page, click Connect to the network at my workplace, and then click Next.
5. On the Network Connection page, click Virtual Private Network connection, and then click Next.
6. On the Connection Name page, type the name of the connection or your company name, and then click Next.
7. If you are using a dial-up connection to an ISP to connect to the Internet, the Public Network page is displayed. In Automatically dial this initial connection, select the name of the connection used to dial your ISP, and then click Next.
8. On the VPN Server Selection page, type the Domain Name System (DNS) name or Internet Protocol (IP) address of your company’s VPN server on the Internet, and then click Next.
9. On the Completing the New Connection Wizard page, click Finish.
10. A Connect dialog box is displayed. Type the user name and password to access your company’s private network, and then click Connect.

Categories: NETWORKING

SSH Protocol

April 21st, 2009

In computing, the SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol or SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with version two of the SSH protocol (TCP port 22) to provide secure file transfer, but is intended to be usable with other protocols as well.

Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files – it is more like a remote file system protocol. An SFTP client’s extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal. For these reasons it is relatively simple to implement a GUI SFTP client compared with a GUI SCP client.

SFTP attempts to be more platform-independent than SCP; for instance, with SCP, the expansion of wildcards specified by the client is up to the server, whereas SFTP’s design avoids this problem. While SCP is most frequently implemented on Unix platforms, SFTP servers are commonly available on most platforms.

SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group. It is sometimes confused with Simple File Transfer Protocol.

The protocol itself does not provide authentication and security; it expects the underlying protocol to secure this. SFTP is most often used as a subsystem of SSH protocol version 2 implementations, having been designed by the same working group. However, it is possible to run it over SSH-1 (and some implementations support this) or other data streams. Running an SFTP server over SSH-1 is not platform independent, as SSH-1 does not support the concept of subsystems; an SFTP client wishing to connect to an SSH-1 server needs to know the path to the SFTP server binary on the server side.

The Secure Internet Live Conferencing (SILC) protocol defines SFTP as its default file transfer protocol. In SILC the SFTP data is not protected with SSH; instead, SILC’s secure packet protocol is used to encapsulate the SFTP data into SILC packets and deliver it peer-to-peer. This is possible because SFTP is designed to be protocol independent.

For uploads, the transferred files may be associated with their basic attributes, such as timestamps. This is an advantage over the common FTP protocol, which does not have provision for uploads to include the original date/time stamp attribute.

Standardization

The protocol is not yet an Internet standard. The latest specification is an expired Internet Draft, which defines version 6 of the protocol. Currently the most widely used version is 3, implemented by the popular OpenSSH SFTP server. Many Microsoft Windows-based SFTP implementations use version 4 of the protocol, which has weakened its ties with the Unix platform.

The Internet Engineering Task Force (IETF) “Secsh Status Pages” search tool contains links to all versions of the Internet draft-ietf-secsh-filexfer which describes this protocol.
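As an added example (not code from the page or from any SFTP implementation), the version 3 packet framing and ATTRS structure described above, in Python: the INIT/VERSION handshake against a constructed server reply, a READ at an offset (how a resumed transfer is expressed on the wire), a REMOVE, and an OPEN whose attributes carry the file’s original timestamps, the upload capability the post contrasts with plain FTP. The packet-type and flag constants come from the version 3 draft; SAMPLE_VERSION_REPLY is constructed here, not captured from a real server.

```python
import struct

# Packet types and flag bits from draft-ietf-secsh-filexfer-02 (SFTP version 3).
SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2
SSH_FXP_OPEN, SSH_FXP_READ, SSH_FXP_WRITE, SSH_FXP_REMOVE = 3, 5, 6, 13
ATTR_SIZE, ATTR_UIDGID, ATTR_PERMISSIONS, ATTR_ACMODTIME = 0x1, 0x2, 0x4, 0x8
SSH_FXF_READ, SSH_FXF_WRITE, SSH_FXF_CREAT = 0x1, 0x2, 0x8


def _string(b: bytes) -> bytes:
    """SFTP 'string' field: uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(b)) + b


def frame(ptype: int, payload: bytes) -> bytes:
    """Outer framing: uint32 length (type byte + payload, not counting itself), byte type, payload."""
    return struct.pack(">IB", len(payload) + 1, ptype) + payload


def encode_attrs(size=None, perms=None, times=None) -> bytes:
    """ATTRS structure: uint32 flags, then only the fields whose flag bit is set, in order."""
    flags, body = 0, b""
    if size is not None:
        flags |= ATTR_SIZE
        body += struct.pack(">Q", size)
    if perms is not None:
        flags |= ATTR_PERMISSIONS
        body += struct.pack(">I", perms)
    if times is not None:  # (atime, mtime) in seconds: lets an upload keep its original timestamps
        flags |= ATTR_ACMODTIME
        body += struct.pack(">II", *times)
    return struct.pack(">I", flags) + body


def init_packet(version: int = 3) -> bytes:
    """INIT has no request id, only the highest protocol version the client supports."""
    return frame(SSH_FXP_INIT, struct.pack(">I", version))


def open_packet(req_id: int, path: str, pflags: int, attrs: bytes = b"\0\0\0\0") -> bytes:
    body = struct.pack(">I", req_id) + _string(path.encode()) + struct.pack(">I", pflags) + attrs
    return frame(SSH_FXP_OPEN, body)


def read_packet(req_id: int, handle: bytes, offset: int, length: int) -> bytes:
    """Resuming an interrupted download is just a READ whose offset is the byte count already saved."""
    body = struct.pack(">I", req_id) + _string(handle) + struct.pack(">QI", offset, length)
    return frame(SSH_FXP_READ, body)


def remove_packet(req_id: int, path: str) -> bytes:
    """Remote file removal, one of the operations SCP has no equivalent for."""
    return frame(SSH_FXP_REMOVE, struct.pack(">I", req_id) + _string(path.encode()))


def parse_packet(buf: bytes):
    """Split one packet off the head of buf -> (type, payload, remaining bytes).
    The length is validated before slicing, so a truncated or malformed stream
    raises instead of silently yielding a short payload."""
    if len(buf) < 5:
        raise ValueError("need at least 5 bytes for length and type")
    length = struct.unpack(">I", buf[:4])[0]
    if length < 1 or len(buf) < 4 + length:
        raise ValueError("packet length %d does not fit in %d bytes" % (length, len(buf)))
    return buf[4], buf[5:4 + length], buf[4 + length:]


def parse_attrs(b: bytes):
    """Decode an ATTRS structure -> (dict of present fields, remaining bytes)."""
    flags = struct.unpack(">I", b[:4])[0]
    b, out = b[4:], {}
    if flags & ATTR_SIZE:
        out["size"] = struct.unpack(">Q", b[:8])[0]
        b = b[8:]
    if flags & ATTR_UIDGID:
        out["uid"], out["gid"] = struct.unpack(">II", b[:8])
        b = b[8:]
    if flags & ATTR_PERMISSIONS:
        out["permissions"] = struct.unpack(">I", b[:4])[0]
        b = b[4:]
    if flags & ATTR_ACMODTIME:
        out["atime"], out["mtime"] = struct.unpack(">II", b[:8])
        b = b[8:]
    return out, b


def negotiate(server_reply: bytes, wanted: int = 3) -> int:
    """Handshake result: both sides use min(client version, server version)."""
    ptype, payload, _ = parse_packet(server_reply)
    if ptype != SSH_FXP_VERSION:
        raise ValueError("expected SSH_FXP_VERSION (2), got type %d" % ptype)
    return min(wanted, struct.unpack(">I", payload[:4])[0])


# Constructed server reply (not a real capture): SSH_FXP_VERSION advertising version 3.
SAMPLE_VERSION_REPLY = frame(SSH_FXP_VERSION, struct.pack(">I", 3))
```

An upload that preserves timestamps is `open_packet(1, "/upload/report.txt", SSH_FXF_WRITE | SSH_FXF_CREAT, encode_attrs(perms=0o644, times=(atime, mtime)))` followed by WRITE packets; every packet here still travels inside an SSH-2 channel, which is where the authentication and encryption the post mentions come from.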

Categories: NETWORKING

Microsoft DirectX DirectShow MJPEG Video Decompression Remote Code Execution Vulnerability

April 21st, 2009

Description
Microsoft DirectX is prone to a remote code-execution vulnerability because the DirectShow component fails to properly handle compressed media files. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the user running the application that uses DirectX. Failed exploit attempts will result in a denial-of-service condition.

Technologies Affected
Microsoft DirectX 8.1
Microsoft DirectX 9.0
Microsoft DirectX 9.0 a
Microsoft DirectX 9.0 c
Microsoft DirectX 9.0 b

Recommendations
Run all software as a nonprivileged user with minimal access rights.
To limit the potential damage that a successful exploit may achieve, run all nonadministrative software as a regular user with the least amount of privileges required to successfully operate.
Do not accept or execute files from untrusted or unknown sources.
To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Implement multiple redundant layers of security.
Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.

The vendor has released an advisory along with fixes. Please see the references for details.

References
Source: Microsoft Security Bulletin MS09-011
URL: http://www.microsoft.com/technet/security/Bulletin/MS09-011.mspx

Source: Microsoft DirectX Homepage
URL: http://msdn.microsoft.com/directx/

Categories: Network Security

How Do Bots Work?

April 20th, 2009

Hackers who write bot-type viruses have one goal in mind: infect as many machines as possible and preserve the network of zombie (virus-infected) computers. This network of infected machines is called a botnet. Once a machine is infected with a bot, the virus sits quietly in the background and waits for a command from the hacker. For this reason many people are not aware that their computer has been infected with a bot.

The infection cycle looks like this:

1. Virus author sends out email spam containing viruses, or uses some other method of social engineering to trick people into installing the virus on their computer.
2. Infected computers log into an IRC server or other communications medium to form a network of infected systems. This is known as a botnet.
3. The author uses the botnet to send out more spam using the infected computers.
4. Users infect their computers by clicking on links in spam, and the process starts again.
5. At any time, a spammer may purchase access to this botnet from the author to send spam, or a cybercriminal may do this and use the infected machines to attack critical network resources, such as a company server or a website.

Categories: Computer Virus

Conficker Worm Targets Microsoft Windows Systems

April 20th, 2009

Researchers discovered a new variant of the Conficker Worm on April 9, 2009. This variant updates earlier infections via its peer-to-peer (P2P) network as well as resuming scan-and-infect activity against unpatched systems. Public reporting indicates that this variant attempts to download additional malicious code onto victim systems, possibly including copies of the Waledac Trojan, a spam-oriented malicious application which has previously propagated only via bogus email messages containing malicious links.

US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The worm interferes with access to security vendors’ websites, so an infection may be indicated if a user is unable to reach their security solution’s website, or is unable to connect to the following sites to download the free detection and removal tools they offer:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system should be removed from the network or, in the case of home users, unplugged from the Internet.
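The reachability test above, written out as a small check that also tells a blocked vendor site apart from a dead Internet connection (an added example, not code from the US-CERT advisory or any vendor tool). The three vendor hosts are the ones the post lists; the control hosts, the verdict labels and the simulated resolver used for offline testing are assumptions made here.

```python
import socket

# Vendor sites named in the advisory above for the reachability test.
SECURITY_SITES = ["www.symantec.com", "www.microsoft.com", "www.mcafee.com"]
# Assumed neutral hosts the worm is not reported to interfere with; used as a control
# group so that a dead Internet link is not mistaken for a blocked vendor site.
CONTROL_SITES = ["www.example.com", "www.wikipedia.org"]


def resolves(host: str, resolver=socket.gethostbyname) -> bool:
    """True if the host name resolves; the resolver is injectable so the check can run offline."""
    try:
        resolver(host)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def conficker_dns_check(resolver=socket.gethostbyname,
                        security=SECURITY_SITES, control=CONTROL_SITES) -> dict:
    """Apply the advisory's heuristic and return a verdict plus the per-host results."""
    sec_ok = {h: resolves(h, resolver) for h in security}
    ctl_ok = {h: resolves(h, resolver) for h in control}
    if not any(ctl_ok.values()):
        verdict = "no-dns"          # nothing resolves: connectivity problem, not evidence of the worm
    elif not any(sec_ok.values()):
        verdict = "suspect"         # only the security vendor sites fail: matches the worm's behaviour
    elif not all(sec_ok.values()):
        verdict = "inconclusive"    # a subset fails: could be transient, repeat the check
    else:
        verdict = "clean"
    return {"verdict": verdict, "security": sec_ok, "control": ctl_ok}


def blocking_resolver(blocked_suffixes):
    """Constructed stand-in for the resolver on an interfered-with host: names ending in any
    blocked suffix fail to resolve, everything else returns a TEST-NET address."""
    def resolver(host):
        if any(host.endswith(s) for s in blocked_suffixes):
            raise socket.gaierror("simulated interference")
        return "192.0.2.1"  # TEST-NET-1 documentation address, not a real server
    return resolver


if __name__ == "__main__":
    # Offline demonstration with the simulated resolver; call conficker_dns_check() with no
    # arguments to run the check against the system resolver.
    sim = blocking_resolver(["symantec.com", "microsoft.com", "mcafee.com"])
    print(conficker_dns_check(sim)["verdict"])
```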

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:

http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance

Categories: Computer Virus

Storm botnet

April 20th, 2009

The Storm botnet or Storm worm botnet is a remotely-controlled network of “zombie” computers (or “botnet”) that has been linked by the Storm Worm, a Trojan horse spread through e-mail spam. Some have estimated that by September 2007 the Storm botnet was running on anywhere from 1 million to 50 million computer systems. Other sources have placed the size of the botnet to be around 250,000 to 1 million compromised systems. More conservatively, one network security analyst claims to have developed software that has crawled the botnet and estimates that it controls 160,000 infected computers. The Storm botnet was first identified around January 2007, with the Storm worm at one point accounting for 8% of all malware on Microsoft Windows computers.

The Storm botnet has been used in a variety of criminal activities. Its controllers, and the authors of the Storm Worm, have not yet been identified. The Storm botnet has displayed defensive behaviors that indicated that its controllers were actively protecting the botnet against attempts at tracking and disabling it. The botnet has specifically attacked the online operations of some security vendors and researchers who attempted to investigate the botnet. Security expert Joe Stewart revealed that in late 2007, the operators of the botnet began to further decentralize their operations, in possible plans to sell portions of the Storm botnet to other operators. Some reports as of late 2007 indicated the Storm botnet to be in decline, but many security experts reported that they expect the botnet to remain a major security risk online, and the United States Federal Bureau of Investigation considers the botnet a major risk to increased bank fraud, identity theft, and other cybercrimes.

The botnet reportedly is powerful enough as of September 2007 to force entire countries off the Internet, and is estimated to be capable of executing more instructions per second than some of the world’s top supercomputers. However, it is not a completely accurate comparison, according to security analyst James Turner, who said that comparing a botnet to a supercomputer is like comparing an army of snipers to a nuclear weapon. Bradley Anstis, of the United Kingdom security firm Marshal, said, “The more worrying thing is bandwidth. Just calculate four million times a standard ADSL connection. That’s a lot of bandwidth. It’s quite worrying. Having resources like that at their disposal—distributed around the world with a high presence and in a lot of countries—means they can deliver very effective distributed attacks against hosts.”

First detected on the Internet in January 2007, the Storm botnet and worm are so-called because of the storm-related subject lines its infectious e-mail employed initially, such as “230 dead as storm batters Europe.” Later provocative subjects included, “Chinese missile shot down USA aircraft,” and “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.” It is suspected by some information security professionals that well-known fugitive spammers, including Leo Kuvayev, may be involved in the operation and control of the Storm botnet. According to technology journalist Daniel Tynan, writing under his “Robert X. Cringely” pseudonym, a great portion of the fault for the existence of the Storm botnet lay with Microsoft and Adobe Systems. Other sources state that Storm Worm’s primary method of victim acquisition is through enticing users via frequently changing social engineering schemes. According to Patrick Runald, the Storm botnet has a strong American focus, and likely has agents working to support it within the United States. Some experts, however, believe the Storm botnet controllers are Russian, some pointing specifically at the Russian Business Network, citing that the Storm software mentions a hatred of the Moscow-based security firm Kaspersky Lab, and includes the Russian word “buldozhka,” which means “bulldog.”

The botnet, or zombie network, comprises computers running Microsoft Windows as their operating system. Once infected, a computer becomes known as a bot. This bot then performs automated tasks (anything from gathering data on the user, to attacking web sites, to forwarding infected e-mail) without its owner’s knowledge or permission. Estimates indicate that 5,000 to 6,000 computers are dedicated to propagating the spread of the worm through the use of e-mails with infected attachments; 1.2 billion virus messages have been sent by the botnet through September 2007, including a record 57 million on August 22, 2007 alone. Lawrence Baldwin, a computer forensics specialist, was quoted as saying, “Cumulatively, Storm is sending billions of messages a day. It could be double digits in the billions, easily.” One of the methods used to entice victims to infection-hosting web sites is offers of free music, for artists such as Beyoncé Knowles, Kelly Clarkson, Rihanna, The Eagles, Foo Fighters, R. Kelly, and Velvet Revolver. Signature-based detection, the main defense of most computer systems against virus and malware infections, is hampered by the large number of Storm variants.

Back-end servers that control the spread of the botnet and Storm worm automatically re-encode their distributed infection software twice an hour, for new transmissions, making it difficult for anti-virus vendors to stop the virus and infection spread. Additionally, the location of the remote servers which control the botnet is hidden behind a constantly changing DNS technique called ‘fast flux’, making it difficult to find and stop virus hosting sites and mail servers. In short, the name and location of such machines are frequently changed and rotated, often on a minute-by-minute basis. The Storm botnet’s operators control the system via peer-to-peer techniques, making external monitoring and disabling of the system more difficult. There is no central “command-and-control point” in the Storm botnet that can be shut down. The botnet also makes use of encrypted traffic. Efforts to infect computers usually revolve around convincing people to download e-mail attachments which contain the virus through subtle manipulation. In one instance, the botnet’s controllers took advantage of the National Football League’s opening weekend, sending out mail offering “football tracking programs” which did nothing more than infect a user’s computer. According to Matt Sergeant, chief anti-spam technologist at MessageLabs, “In terms of power, [the botnet] utterly blows the supercomputers away. If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It’s very frightening that criminals have access to that much computing power, but there’s not much we can do about it.” It is estimated that only 10%-20% of the total capacity and power of the Storm botnet is currently being used.

Computer security expert Joe Stewart detailed the process by which compromised machines join the botnet: attempts to join the botnet are made by launching a series of EXE files on the computer system in question, in stages. Usually, they are named in a sequence from game0.exe through game5.exe, or similar. It will then continue launching executables in turn. They typically perform the following:

1. game0.exe – Backdoor/downloader
2. game1.exe – SMTP relay
3. game2.exe – E-mail address stealer
4. game3.exe – E-mail virus spreader
5. game4.exe – Distributed denial of service (DDoS) attack tool
6. game5.exe – Updated copy of Storm Worm dropper

At each stage the compromised system will connect into the botnet; fast flux DNS makes tracking this process exceptionally difficult. This code is run from %windir%\system32\wincom32.sys on a Windows system, via a kernel rootkit, and all connections back to the botnet are sent through a modified version of the eDonkey/Overnet communications protocol.

Categories: Computer Virus