Sunday, November 20, 2011

Kororaa Linux 16 Beta

Chris Smart has announced the availability of the first beta release of Kororaa Linux 16, a Fedora-based distribution with GNOME or KDE desktops and many usability enhancements: "The first beta of Kororaa 16 (code name 'Chum') has been released and is available for download, in 32-bit and 64-bit editions for KDE and GNOME. This new release includes major updates of most packages including the Linux kernel, office and desktops (KDE 4.7 and GNOME 3.2). The GNOME 3 desktop has a custom theme available, as well as several extensions to provide an enhanced user experience (and help ease the transition from GNOME 2.x). It also comes with the GNOME Tweak Tool to allow further customisation. The KDE desktop has a custom layout with specific default applications, such as Firefox for the web and VLC for media." Read the full release announcement for a full list of tweaks and enhancements. Download (MD5) links: Kororaa-16-Beta-i686-Live-KDE.iso (1,639MB), Kororaa-16-Beta-i686-Live-GNOME.iso (1,421MB), Kororaa-16-Beta-x86_64-Live-KDE.iso (1,655MB), Kororaa-16-Beta-x86_64-Live-GNOME.iso (1,445MB).

Thursday, November 10, 2011

Sabayon Linux 7 "Experimental"

Fabio Erculiani has announced the availability of three experimental editions of Sabayon Linux 7, containing the LXDE desktop environment, Enlightenment 17 and the Awesome window manager: "Directly from our 'Breaking Stuff' department, three new Sabayon 7 releases have seen the light. These releases all go under the 'Experimental' umbrella: 'LXDE' is a minimal, CD-sized flavour geared towards low-end computers, shipping the LXDE desktop environment; 'E17' is a minimal, CD-sized flavour made for people wanting to showcase the magic of Enlightenment 17; 'Awesome' window manager flavour. Features: latest and greatest package updates from repositories; Linux kernel 3.1...." Here is the brief release announcement. Download links: Sabayon_7_x86_LXDE.iso (644MB, MD5, torrent), Sabayon_7_amd64_LXDE.iso (673MB, MD5, torrent), Sabayon_7_x86_E17.iso (649MB, MD5, torrent), Sabayon_7_amd64_E17.iso (677MB, MD5, torrent), Sabayon_7_x86_Awesome.iso (651MB, MD5, torrent), Sabayon_7_amd64_Awesome.iso (684MB, MD5, torrent).

Oracle Solaris 11

Oracle has announced the release of Oracle Solaris 11, a UNIX operating system originally developed by Sun Microsystems and known for its scalability and innovative enterprise features: "Oracle today announced availability of Oracle Solaris 11, the first Cloud OS. Oracle Solaris 11 is designed to meet the security, performance and scalability requirements of cloud-based deployments allowing customers to run their most demanding enterprise applications in private, hybrid, or public clouds. As the first fully virtualized operating system (OS), Oracle Solaris 11 provides comprehensive, built-in virtualization capabilities for OS, network and storage resources. Oracle Solaris 11 offers comprehensive management across the entire infrastructure - operating system, physical hardware, networking and storage, as well as the virtualization layer." See the press release and read the detailed release notes to learn more. A variety of ISO images for x86 and SPARC architectures, including a live CD image and an image for USB drives, are available for free download from this page (after creating and signing in to an account).

Wednesday, November 2, 2011

Kwort Linux 3.2

David Cortarello has announced the release of Kwort Linux 3.2, a CRUX-based desktop distribution (with Openbox) designed for intermediate and advanced Linux users: "Almost a year has passed since Kwort's last stable release, and today I'm rolling out a new release of our system. This is a major upgrade of almost every software package included in Kwort 3.14, except the toolchain. The most noticeable changes include: move from to LibreOffice; a new kernel 3 series, Firefox 7.0.1 (not installed by default but you can install it from the CD image) and the latest version of Chromium. Other than what's noticeable, there are tons of improvements under the hood, like the inclusion of LVM2 and mdadm for logical volume management and RAID support, the ext4 file system supported in the installation and some nice improvements in kpkg." Visit the distribution's home page to read the release announcement. Download the installation CD image from here: kwort-3.2.iso (393MB, MD5).

Tuesday, October 25, 2011

openSUSE 12.1 RC1

Although available since last week, the first of the two planned release candidates for openSUSE 12.1 was finally announced earlier today: "The first release candidate of openSUSE 12.1 is now floating over the web. The next release of openSUSE is expected to bring a large number of improvements and changes. Many of these are the 'usual' updates any Linux distribution offers. These include the latest Firefox, GNOME 3.2 and KDE's Plasma Workspace 4.7. Under the hood, we have Linux kernel 3.1 and we expect to be the first to ship Google's new programming language Go. We also overhauled our boot procedure introducing systemd and GRUB 2. But we also have some really unique treats. The coolest among those is Snapper, a Btrfs-based tool which allows you to view the differences between current and previous versions of files on your system and lets you roll back the changes." The release announcement. Download (mirrors): openSUSE-KDE-LiveCD-Build0379-i686.iso (664MB, MD5, torrent), openSUSE-GNOME-LiveCD-Build0379-i686.iso (666MB, MD5, torrent), openSUSE-KDE-LiveCD-Build0379-x86_64.iso (677MB, MD5, torrent), openSUSE-GNOME-LiveCD-Build0379-x86_64.iso (679MB, MD5, torrent).

Sunday, October 23, 2011

Finnix 103

Ryan Finnie has announced the release of Finnix 103, a Debian-based live CD for system administrators, now also with a new "forensic mode": "Finnix 103 released. Finnix 103 includes a new forensic mode. When booted with the 'forensic' or 'forensics' boot flags, Finnix changes its behavior to minimize the chance of loading suspect code or writing to suspect media. These changes include cryptographic hash verification of discovered Finnix CD media, locking block devices, and avoiding swap, LVM, RAID, crypt and network auto-detection. Entropy generation added. Modern Linux distributions add to their random number generator (RNG) entropy pool by saving some random data before shutdown, and adding it back into the pool during start-up. A live CD cannot normally do this, so Finnix includes a new feature to generate random data to be fed into the pool...." The release announcement. Download (MD5): finnix-103.iso (113MB, torrent), finnix-ppc-103.iso (115MB, torrent).
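The Finnix forensic mode quoted above does two things a practitioner can reproduce on any live system: it verifies the boot media against a cryptographic hash before trusting it, and it locks block devices so nothing is written to suspect media. The script below is an added example (it is not Finnix code and not part of this digest): `verify_image` checks a downloaded ISO against a published MD5 or SHA-256 digest, matching the "Download (MD5)" and "(SHA256)" links listed for every image on this page, and `is_block_device_readonly` reads the kernel's sysfs read-only flag so an examiner can confirm a device lock took effect before examining a disk. Function names and the device name `sdb` in the comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Finnix's own tooling. POSIX sh; needs coreutils
# (md5sum, sha256sum, cut, tr).

# verify_image FILE EXPECTED_HEX_DIGEST
# Returns 0 on match, 1 on mismatch, 2 on a usage/read error.
# The hash algorithm is chosen from the digest length: 32 hex characters
# means MD5, 64 means SHA-256, matching the checksum kinds published for the
# images listed in this digest. Comparison is case-insensitive.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 2; }
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  printf 'unrecognised digest length %s\n' "${#expected}" >&2; return 2 ;;
    esac
    # Take only the hex field; md5sum/sha256sum print "<hash>  <filename>".
    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        printf '%s: OK (%s)\n' "$file" "$tool"
        return 0
    fi
    printf '%s: MISMATCH expected %s got %s\n' "$file" "$expected" "$actual" >&2
    return 1
}

# is_block_device_readonly DEV
# DEV is a kernel block device name such as sdb (assumed for illustration).
# Returns 0 if /sys/block/DEV/ro reports 1 (device locked read-only, as
# Finnix's forensic mode does), 1 if it is writable, 2 if the device is
# unknown. Reading the flag needs no root privileges.
is_block_device_readonly() {
    ro_file=/sys/block/$1/ro
    [ -r "$ro_file" ] || return 2
    [ "$(cat "$ro_file")" = "1" ]
}
```

Usage: `verify_image finnix-103.iso <digest from the MD5 link>` after downloading, and `is_block_device_readonly sdb` after attaching suspect media; a non-zero result from the second call means the medium is still writable and should not be touched until it is locked (for example with `blockdev --setro`, which does need root).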

Tuesday, October 11, 2011

Sabayon Linux 7

Fabio Erculiani has announced the release of Sabayon Linux 7, a Gentoo-based desktop distribution with KDE 4.7, GNOME 3.2 and Xfce 4.8 desktops: "More busy than busy bees, we're once again here to announce the immediate availability of Sabayon 7. Linux kernel 3.0, GNOME 3.2, KDE 4.7, Xfce 4.8, LibreOffice 3.4 are just some of the things you will find inside the box. During this cycle, the development team spent a lot of time on integrating GNOME 3.2 the way users might actually start to love it. At the same time, Sabayon Xfce has been promoted to non-experimental release, for those missing GNOME 2." Read the release announcement for a list of features and improvements. Download: Sabayon_Linux_7_x86_K.iso (2,035MB, MD5, torrent), Sabayon_Linux_7_x86_G.iso (1,611MB, MD5, torrent), Sabayon_Linux_7_amd64_K.iso (2,257MB, MD5, torrent), Sabayon_Linux_7_amd64_G.iso (1,840MB, MD5, torrent).

Sunday, October 9, 2011

Fedora 16 Beta

Dennis Gilmore has announced the availability of the beta release of Fedora 16: "We are proud to announce the availability of the beta release of Fedora 16. It includes a variety of features both over and under the hood that show off the power and flexibility of the advancing state of free software. Examples include: system boot - Fedora 16 introduces GRUB 2, the long-awaited next-generation boot-loader for Linux; services management - this release features better integration of Systemd via conversion to native Systemd services from legacy init scripts in many software components; desktop updates - the two major desktop environments have been updated to the latest releases." Read the rest of the release announcement for more details. Download (torrents): Fedora-16-Beta-i686-Live-Desktop.iso (581MB, SHA256, torrent), Fedora-16-Beta-i686-Live-KDE.iso (670MB, SHA256, torrent), Fedora-16-Beta-x86_64-Live-Desktop.iso (582MB, SHA256, torrent), Fedora-16-Beta-x86_64-Live-KDE.iso (670MB, SHA256, torrent).

Wednesday, September 21, 2011

Kororaa 15

Chris Smart has announced the release of Kororaa 15, a Fedora-based distribution with GNOME or KDE desktops and various beginner-friendly enhancements: "Kororaa 15 has been released and is available for download, in 32-bit and 64-bit variants with KDE 4.6 and GNOME 3. This release includes Ubuntu's Jockey Device Driver manager, which has replaced the Add/Remove Extras script for configuring third-party drivers. Kororaa 15 comes with an RPM meta-package to install and configure Adobe Flash. Users still on Kororaa 14 may wish to upgrade to 15 and should do so via a new install. Users who wish to stay with GNOME 2.x should not upgrade to 15, as it comes with GNOME 3. The KDE desktop has a custom layout with specific default applications, such as Firefox for the web and VLC for media." Read the rest of the release announcement for a full list of major changes and a couple of screenshots. Download (MD5): Kororaa-15-i686-Live-KDE.iso (1,558MB), Kororaa-15-i686-Live-GNOME.iso (1,343MB), Kororaa-15-x86_64-Live-KDE.iso (1,588MB), Kororaa-15-x86_64-Live-GNOME.iso (1,371MB).

Tuesday, September 20, 2011

Fuduntu 14.11

Andrew Wyatt has announced the release of Fuduntu 14.11, the latest update of the Fedora-based desktop distribution and live DVD: "The Fuduntu quarterly installation ISO image (14.11) is now available for immediate download. As with all Fuduntu releases, this release continues our tradition of small incremental improvements. It is important to note that existing Fuduntu users will roll up to this version through the normal update process, and do not need to download or install from this media to benefit from this release. This release is considered the first official Fuduntu 'rolling-release' ISO image. Major updates included in this release: Linux kernel 3.0.3, Chromium 13, Flash, VLC 1.1.11. This quarterly release also includes a roll-up of the latest patches." Here is the brief release announcement with two screenshots. Download (MD5): Fuduntu-14.11-i386-LiveDVD.iso (913MB), Fuduntu-14.11-x86_64-LiveDVD.iso (942MB).

Monday, September 19, 2011

Pardus Linux 2011.2

Gökçen Eraslan has announced the release of Pardus Linux 2011.2, an updated version of the project's desktop Linux distribution with custom package management and many user-friendly features: "Pardus Linux 2011.2 is now available. Here are the important updates shipped with Pardus 2011.2: NetworkManager is updated to, problems about adding VPN connections have been fixed, handle WLAN security passwords gracefully while upgrading distribution; ModemManager is updated to 0.5, improvements for Samsung modems, support access technology reporting for Qualcomm Gobi modems, fix communication with Nokia N900 devices; CUPS is updated to 1.4.8; LibreOffice is updated to 3.4.3, fixed crash closing document with footnotes; MPlayer - fixed crash playing subtitled videos which was triggered by FreeType 2.4.6 security update." Read the complete release announcement for a full list of bug fixes. Download the installation or the installable live DVD images: Pardus-2011.2-i686.iso (1,168MB, MD5), Pardus-2011.2-x86_64.iso (1,186MB, MD5), Pardus-2011.2-Live-i686.iso (1,346MB, MD5), Pardus-2011.2-Live-x86_64.iso (1,369MB, MD5).

Sunday, September 18, 2011

GeeXboX 2.0

Benjamin Zores has announced the release of GeeXboX 2.0, a major new version of the media-centre Linux distribution for embedded devices and desktop computers: "After countless years of development, the 2.0 release of GeeXboX (code name 'Love It or Shove It') has landed. This new GeeXboX 2.0 is radically different from the 1.x series and, sorry to disappoint some of you, will not provide the same level of services. We are now doing many more things than we used to do with 1.x, but unfortunately a few things have to be left behind. But the GeeXboX philosophy remains the same and we still aim at targeting as many PCs and devices as possible, in as lightweight a way as possible. GeeXboX now also supports many embedded devices running ARM SoCs and many more will be added in the months to come. These devices just make the perfect fanless, energy-efficient HTPC and GeeXboX just makes the perfect media center distribution for those." See the complete release announcement for a full list of features. Download (MD5): geexbox-2.0-i386.iso (72.0MB), geexbox-2.0-x86_64.iso (73.0MB).

Qomo Linux 3.0

Qomo Linux, previously known as Everest Linux, is a community distribution maintained by the Linux-Ren community in China with support from Red Flag and other companies. Qomo Linux 3.0 was released partly in celebration of Software Freedom Day 2011. It is based on the latest stable version of the Linux kernel, patched by the community for broad hardware support. systemd replaces Upstart to speed up the boot process, and certain package descriptions have been translated into Chinese for better localisation. LibreOffice is now the productivity suite, but it is only available from the online software repository, to keep the ISO image small. Check the brief announcement (in Chinese) with a few screenshots. Download: Qomo-3.0-i686-Live.iso (681MB, MD5).

Trisquel GNU/Linux 5.0

Rubén Rodríguez has announced the release of Trisquel GNU/Linux 5.0, an Ubuntu-based distribution carefully stripped of all non-free components in order to comply with the Free Software Foundation's four software freedoms: "In what we can now call a tradition, we celebrate Software Freedom Day by publishing our latest release: Trisquel GNU/Linux 5.0 STS, code name 'Dagda'. Today we publish both the standard GNOME-based and the lightweight LXDE-based 'Mini' editions. Current Trisquel 4.5 users can upgrade using the update-manager application, without the need for re-installation. Advanced installations -- server, RAID/LVM, encrypted, etc -- can be done using the 'netinstall' images. The standard edition includes, among many others, the following packages: Linux-libre kernel 2.6.38, GNOME 2.6.32, LibreOffice 3.3.3, Abrowser (our unbranded Mozilla-based web browser) 6.0.2." Here is the full release announcement with several screenshots. Download: trisquel_5.0_i686.iso (676MB, MD5, torrent), trisquel_5.0_amd64.iso (696MB, MD5, torrent), trisquel-mini_5.0_i686.iso (453MB, MD5, torrent), trisquel-mini_5.0_amd64.iso (465MB, MD5, torrent).

Saturday, September 17, 2011

KNOPPIX 6.7.1
Klaus Knopper has announced the release of KNOPPIX 6.7.1, an updated version of the popular Debian-based live CD and DVD featuring the LXDE desktop. Despite the minor version bump, this release contains a rather large number of updates: "Version 6.7.1 has been updated from Debian 'Squeeze' with the usual picks from Debian 'testing' and 'unstable'; it uses Linux kernel 3.0.4 and X.Org Server 1.11; experimental free nouveau graphics modules supporting NVIDIA cards; replaced with LibreOffice 3.4.3; Chromium 13.0.782.220 and Firefox 6.0.2 web browsers; optional 64-bit kernel via 'knoppix64' boot option, supporting systems with more than 4 GB of RAM and chroot to 64-bit installations for system rescue tasks; new boot option for mounting the KNOPPIX compressed file system from a stored ISO file; boot option 'grub' for starting a bootloader shell in system rescue tasks...." See the KNOPPIX 6.7.1 release page for further details. Download: KNOPPIX_V6.7.1CD-EN.iso (700MB, MD5), KNOPPIX_V6.7.1CD-DE.iso (700MB, MD5), KNOPPIX_V6.7.1DVD-EN.iso (3,772MB, MD5), KNOPPIX_V6.7.1DVD-DE.iso (3,772MB, MD5).

Thursday, September 8, 2011

Bodhi Linux 1.2.0

Jeff Hoogland has announced the release of Bodhi Linux 1.2.0, an Ubuntu-based distribution featuring the latest development build of the Enlightenment 17 desktop: "20,000 forum posts and over 100,000 downloads later the Bodhi team and I are proud to announce our second point release - Bodhi Linux 1.2.0. Current Bodhi users can easily update their system to this latest release. This release is largely for keeping packages up to date, so the following are the core system packages that have been updated for this release: Linux kernel 3.0, Enlightenment built from SVN on 2011-09-06, Midori 0.4.0. There is more to this release than just packages though. Our document team has been working furiously to improve our documentation, both on our Wiki and our locally installed pages. Our recently published 'Bodhi Guide to Enlightenment' is also now stored locally for offline use in the Midori web browser." See the full release announcement for more information. Download: bodhi_1.2.0.iso (369MB, MD5).

Tuesday, September 6, 2011

Magic: The Gathering comics announced

IDW has confirmed they are working with Wizards of the Coast (the Hasbro subsidiary which publishes the Magic: The Gathering trading card game) on a comic book adaptation of the popular game.
The new line - which will simply be called Magic: The Gathering - will not be based on the MTG novels or any other existing MTG stories.
Instead, a new, original planeswalker is being introduced as the protagonist, though he will be adventuring in the story-world of the game, surrounded by known characters and creatures.
A previous attempt at a comic book adaptation of the property over ten years ago was met with a cold reception, but in that time, the canon of the story-world has grown much deeper through the card game and the accompanying novels.
They will attempt to create additional appeal for the comics by offering exclusive Magic cards within the issues. These cards will not have new abilities, but will utilize card art which is not found in the normal booster packs.
The line, which will begin as a four-book miniseries, is written by author and game designer Matt Forbeck and illustrated by Martín Cóccolo. IDW's Denton J. Tipton will serve as editor.
"Magic: The Gathering is an incredibly strong property which spawned a new entertainment category, and there is so much to be done creatively with comics," says Tipton. "I'm really looking forward to telling new stories in the many worlds of Magic, which have been near and dear to my heart since the mid-90s."
The plan is to keep the line going if this initial arc is successful, and to eventually collect the arcs into graphic novels. The comics and novels will sell at comic book stores as well as wherever MTG cards are sold.

Friday, September 2, 2011

Ubuntu 11.10 Beta 1

Kate Stewart has announced the availability of the first beta release of Ubuntu 11.10, code name "Oneiric Ocelot": "The Ubuntu team is pleased to announce Ubuntu 11.10 Beta 1. Some of the new features now available are: DVD images have been revised into extended desktop images with additional language support and a few extra applications, and thereby reduced to a more manageable size of around 1.5 GB. 'Lenses' (formerly 'Places') now integrate multiple sources and advanced filtering like ratings, range, categories. Thunderbird is included as default email client including menu and launcher integration." Read the release announcement and release notes for more detailed information and known issues. Download (SHA256): ubuntu-11.10-beta1-desktop-i386.iso (699MB, torrent), ubuntu-11.10-beta1-desktop-amd64.iso (691MB, torrent). Beta 1 CD/DVD images for Kubuntu (download, release notes), Xubuntu (download), Lubuntu (download), Ubuntu Studio (download), Edubuntu (download) and Mythbuntu (download) are also available.

openSUSE 12.1 Milestone 5

Bryen Yunashko has announced the availability of the fifth milestone release of openSUSE 12.1: "openSUSE 12.1's milestone 5 is now ready for download. Here are some interesting things you can expect to see when you try milestone 5: further changes have been made to systemd which replaces the SysInitV system, the default is still SysInitV but we encourage testing of systemd so that we can switch the default for the next release; we are focusing on the GPL-ed OpenJDK version now, this milestone is the last one that comes with the binary Java provided by Oracle; GNOME 3.1.5 is another step closer to GNOME 3.2; glibc has been updated to version 2.14." For more details please see the full release announcement. Download (mirrors): openSUSE-KDE-LiveCD-Build0250-i686.iso (696MB, MD5, torrent), openSUSE-GNOME-LiveCD-Build0250-i686.iso (664MB, MD5, torrent), openSUSE-KDE-LiveCD-Build0250-x86_64.iso (689MB, MD5, torrent), openSUSE-GNOME-LiveCD-Build0250-x86_64.iso (678MB, MD5, torrent).

Monday, August 29, 2011

Mandriva Linux 2011

Viacheslav Kaloshin has announced the release of Mandriva Linux 2011, code name "Hydrogen": "We are happy to announce that Mandriva 2011 is out." Some of the main new features in this release include hybrid live/installation DVD images, a revised system installer, new graphics theme, RPM 5, a series of new desktop utilities from Rosa Labs, and KDE as the only officially supported desktop environment: "GNOME, Xfce and other desktop environments and window managers are no longer included in the official Mandriva packages. However, contribution packages from the Mandriva community are available for these desktop environments. Starting from Mandriva 2011 only KDE 4 is officially supported." Here is the brief release announcement, but more details can be found in the release notes and on this 2011 tour page. Download: Mandriva.2011.i586.1.iso (1,647MB, MD5), Mandriva.2011.x86_64.1.iso (1,692MB, MD5).

Wednesday, August 24, 2011

Fedora 16 Alpha

Featuring the GRUB 2 bootloader, a GNOME 3.1 development release, and improved support for virtualisation, the alpha release of Fedora 16 is ready for testing: "The Fedora 16 'Verne' alpha release is available. This release of Fedora includes a variety of features both over and under the hood that show off the power and flexibility of the advancing state of free software. Fedora 16 introduces GRUB 2, the long-awaited next-generation bootloader for Linux. GRUB 2 automatically recognizes other operating systems, supports LVM2 and LUKS partitions, and is more customizable than the previous version." Read the release announcement and release notes for a full list of new features. Download (torrents): Fedora-16-Alpha-i686-Live-Desktop.iso (585MB, SHA256, torrent), Fedora-16-Alpha-i686-Live-KDE.iso (646MB, SHA256, torrent), Fedora-16-Alpha-x86_64-Live-Desktop.iso (585MB, SHA256, torrent), Fedora-16-Alpha-x86_64-Live-KDE.iso (645MB, SHA256, torrent).

Sunday, August 21, 2011

Arch Linux 2011.08.19

Dieter Plaetinck has announced the release of Arch Linux 2011.08.19, the first new release of the Arch Linux installation media in 15 months: "Time for a much needed update to the Arch installation media, as the last release (2010.05) is not only quite outdated, but now yields broken installations if you do a netinstall. What has changed in this period of more than a year? Experimental support for Btrfs and NILFS2; support syslinux bootloader; changes to configuration formats to support new rc.conf and Linux 3.0; make selecting source more flexible; show package descriptions when installing packages; snapshot of current core, including Linux kernel 3.0.3, pacman 3.5.4, glibc 2.14, mkinitcpio 0.7.2, initscripts 2011.07.3 and netcfg 2.6.7...." Read the rest of the release announcement for further details. Download (MD5): archlinux-2011.08.19-core-i686.iso (371MB, torrent), archlinux-2011.08.19-core-x86_64.iso (377MB, torrent).

Saturday, August 20, 2011

IPFire 2.9 Core 51

Arne Fitzenreiter has announced the release of IPFire 2.9 Core 51, an updated build of the project's specialist distribution for firewalls: "Core 51 is addressing several security issues in the Linux kernel as well as stability fixes, performance optimization and driver updates. It is recommended to install this update as soon as possible and please take notice that a reboot is required to complete the installation. The update includes the latest Linux long-term kernel of the 2.6.32 series ( and includes a lot of security fixes and driver improvements. A couple of years ago, there have been problems with some TCP/IP options so these options were disabled to cause less trouble. As technology has developed, these options have now been re-enabled which improves the network throughput a lot." Read the rest of the release announcement for more details and a list of updated device drivers. Download (SHA1): ipfire-2.9.i586-full-core51.iso (73.4MB, torrent).

Thursday, August 18, 2011

Tuquito 5

Mario Colque has announced the release of Tuquito 5, an Argentinian distribution based on the latest stable Ubuntu. This is a CD edition that includes the most commonly used applications, the LibreOffice office suite, an audio player, and printer drivers. Missing from the CD (but installable with just one click) are audio and video codecs, the GIMP, VLC and many other software applications. It is also possible to upgrade to the "DVD" edition - there is a menu item for this under the Administration submenu. Major components: Linux kernel 2.6.38, GNOME 2.32.1, X.Org 7.6, Nautilus 2.32.2 Elementary. Other new features and programs include the Déjà Dup backup utility, F-Spot and gThumb (replacing Shotwell), significant performance improvements in Tuquito Control Center and Program Manager, new start-up theme. Read the full release announcement (in Spanish) for further details and some screenshots. Download (MD5): tuquito-5-gnome-cd-nocodecs-32bit.iso (661MB), tuquito-5-gnome-cd-nocodecs-64bit.iso (682MB).

Thursday, August 11, 2011

ConnochaetOS 0.9.0

Henry Jensen has announced the release of ConnochaetOS 0.9.0, a lightweight desktop distribution, formerly known as DeLi Linux, designed for old and low-resource computers (Pentium I, 64 MB of RAM): "I am pleased to announce the release of ConnochaetOS 0.9.0. After one year of development, and three years after the last release of its predecessor, DeLi Linux, this is the first stable release of ConnochaetOS. In the last weeks since RC1 we simplified the installer once again, fixed some more bugs and updated the kernel, the web browser XXXTerm and other packages, and produced some documentation. ConnochaetOS 0.9.0 provides: kernel Linux-Libre, the IceWM desktop 1.3.7, a lightweight WebKit-based web browser - XXXTerm, GOffice...." See the release announcement for more information. Download the installation CD image: connos-0.9.0.iso (391MB, MD5).

Monday, August 8, 2011

Gentoo Linux 11.2

David Abbott has announced the release of Gentoo Linux 11.2, a live DVD (with several desktop environments) that can be used to install Gentoo Linux to a hard disk using Gentoo "stages": "Gentoo Linux is proud to announce the availability of a new live DVD to celebrate the continued collaboration between Gentoo users and developers. The live DVD features a superb list of packages, some of which are listed below. System packages include Linux kernel 3.0 (with Gentoo patches), accessibility support with Speakup, Bash 4.2, glibc 2.13, GCC 4.5.2, Binutils 2.21.1, Python 2.7.2 and 3.2, Perl 5.12.4. Desktop environments and window managers include KDE 4.7.0, GNOME 3.0.0, Xfce 4.8, Enlightenment 1.0.8, Openbox 3.5.0, Fluxbox 1.3.1, XBMC 10.1, Awesome 3.4.10 and LXDE-Meta 0.5.5. Office, graphics, and productivity applications include: LibreOffice 3.3.3, Abiword 2.8.6, Scribus 1.3.9...." See the full release announcement for more information. Download (mirrors): livedvd-x86-amd64-32ul-11.2.iso (2,657MB, SHA256, torrent), livedvd-amd64-multilib-11.2.iso (2,840MB, SHA256, torrent).

Sunday, August 7, 2011

KNOPPIX 6.7
Klaus Knopper has announced the release of KNOPPIX 6.7, a new version of the Debian-based live CD and DVD with LXDE as the default desktop, accompanied by a special edition for visually impaired users: "During the past days, version 6.7 of KNOPPIX has found its way to the mirrors and is now available as DVD and CD image, including the blind-friendly ADRIANE edition." What's new? "Updated from Debian 'Squeeze' with the usual picks from Debian 'testing' and 'unstable'; uses Linux kernel and X.Org 7.6 for supporting most current computer hardware; experimental free Nouveau graphics modules supporting NVIDIA cards, accelerated graphics via kernel mode setting (KMS); LibreOffice 3.3.3; Chromium 12.0.742.112 web browser; optional 64-bit kernel via 'knoppix64' boot option...." Read the detailed release notes for additional information. Links to download the English and German live CD and DVD images: KNOPPIX_V6.7.0CD-EN.iso (697MB, MD5), KNOPPIX_V6.7.0CD-DE.iso (697MB, MD5), KNOPPIX_V6.7.0DVD-EN.iso (3,816MB, MD5), KNOPPIX_V6.7.0DVD-DE.iso (3,816MB, MD5).

Saturday, August 6, 2011

A first look at Hathaway's Selina Kyle

Just hours after we got to see what the new Superman looks like, Warner Bros. has released a photo of Anne Hathaway dressed as Selina Kyle for the new Batman film, Dark Knight Rises.

A few websites which have also posted this photo are referring to it as an image of Catwoman, but it's clearly just Selina Kyle. She may be in all black rubber-leather stuff - and she surely looks smoking, but this costume is more likely being used in a pre-Catwoman scene.

Selina Kyle was a 'cat burglar' long before she was Catwoman, and the film will likely depict at least one such heist before her transformation into the iconic personality.

Now, it's also likely that the Catwoman costume will incorporate elements of this costume, but she's not Catwoman without the ears and claws.

It looks like they were serious when they announced a while back that Anne Hathaway's costume would not be as revealing as past Catwomans (Catwomen?).

We can't see the whole costume here due to the awesome motorbike-thing, but it looks like what she's got is more of a rubber jumpsuit, and while it's not loose, it's not exactly form-fitting.

I mean: compared to Michelle Pfeiffer, who looked like she had to be painted into her shiny faux-leather costume, or Halle Berry, who had a lot of exposed skin between the tattered pieces of her cat suit, well, this one looks downright puritan.

Frankly, the costume is more attractive for its relative restraint. I certainly don't think that they will get any complaints from fans over this image.

For those unfamiliar, Catwoman is the planned secondary villain for the upcoming Batman film, Dark Knight Rises, the final in the trilogy by Christopher Nolan.

Selina Kyle/Catwoman has always been an enigmatic figure in Batman's story, all the way back to the 'Golden Age' comics. Her goals have never been too far from the bat's, and occasionally they have even worked together for short times, but while both figures work outside the law to achieve their goals, Batman has never been happy with Catwoman's methods, and so they always come back to odds eventually.

Of course, the main difference is that Catwoman must steal to support her causes, while Batman is self-funded.

Dark Knight Rises is slated for a Summer 2012 release.

Friday, August 5, 2011

Anonymous codes a digital weapon

Anonymous is reportedly coding a JavaScript-powered weapon that exploits SQL vulnerabilities to create a "devastating impact" on targeted servers.

Dubbed RefRef, the new software could replace the ubiquitous Low Orbit Ion Canon (LOIC) fielded by cyber activists waging various DDoS campaigns.

RefRef - which is slated to debut in September - works by turning a server's own processing power against itself.

According to the Tech Herald, the targeted server eventually "succumbs" to resource exhaustion. 

Although such an attack vector has existed for a while, cyber activists have traditionally preferred the brute force of a DDoS attack generated by bots or LOICs.

Nevertheless, Anonymous recently tested the new weapon and managed to down Pastebin for a total of 42 minutes.

"Imagine giving a large beast a simple carrot, [and then] watching the beast choke itself to death," an Anon promoting RefRef told the Herald.

Another Anon explained that the tool "only makes you vulnerable" if systems remain unpatched and outdated.

"This is how Sony got caught with its pants down. It axed huge swathes of its IT security a little while before it got pwned. Basically, [Sony] decided that basic maintenance wasn't good ROI... It's companies like Sony - making idiotic decisions like that - which will be vulnerable to this tool. Proper companies staying on top of things won't be vulnerable after the fifth or sixth attack, at which point patches will be out."

Despite its possible shortcomings, RefRef does appear to be a fairly potent tool, as it can be used on any platform that supports JavaScript, including smartphones and even consoles. The versatile nature of the weapon will likely create multiple command points manned by activists from public wifi hotspots such as libraries and Internet cafés.

Ubuntu 11.10 Alpha 3

Kate Stewart has announced the availability of the third alpha release of Ubuntu 11.10, code name "Oneiric Ocelot". This release comes with the new Linux kernel 3.0, while Lubuntu (an Ubuntu variant featuring the LXDE desktop) becomes an official member of the Ubuntu family. From the release notes: "Alpha 3 includes the 3.0.0-7.9 Ubuntu kernel which is based on the mainline 3.0 kernel. Some of the most notable changes between the alpha 2 and alpha 3 release with respect to the kernel include: adopted a 3 digit kernel version, e.g. 3.0.0-x.y; re-base to upstream 3.0 final kernel; enable Overlayfs; enable Realtek RTL8192CU and RTL8188CU WiFi driver; enable support for rt53xx wireless chipset family...." See also the release announcement. Download (SHA256): oneiric-desktop-i386.iso (712MB, torrent), oneiric-desktop-amd64.iso (709MB, torrent). Also made available today were 11.10 alpha 3 releases for Kubuntu (download, release notes), Edubuntu (download), Lubuntu (download) and Mythbuntu (download).

Wednesday, August 3, 2011

TurnKey Linux 11.2

Liraz Siri has announced the release of Turnkey Linux 11.2, an Ubuntu-based set of highly specialised virtual appliances which integrate some of the best open-source software into ready-to-use solutions: "We just updated the website and the TurnKey Hub with the new TurnKey 11.2 maintenance release, which includes: TurnKey Hub support for micro instances, Amazon's free tier and cloud servers backed by persistent network-attached storage volumes (AKA EBS-backed instances); built-in support for TurnKey's new dynamic DNS service; the latest security updates. We've added support for micro instances (613 MB RAM), Amazon EC2's smallest cloud server type which costs less than US$15/month if you run a server 24x7." Read the release announcement and see the virtual appliances page for further information. All of the 40+ appliances are available for download from SourceForge; here is a quick link to the "core" CD image: turnkey-core-11.2-lucid-x86.iso (168MB).

Monday, August 1, 2011

Frugalware Linux 1.5 RC2

The second and final release candidate for Frugalware Linux 1.5, a general-purpose distribution for intermediate and advanced users, has been released for final testing: "The Frugalware developer team is pleased to announce the immediate availability of Frugalware 1.5rc2, the second candidate of the upcoming 1.5 stable release. Here are some of the improvements, fixes and updates since 1.5rc1: Package updates - Linux Kernel, X.Org Server 1.10.3, LXDE updated, 1.0.1 release of the core EFL libraries, Mozilla Firefox 5.0.1, 245 packages updated, 20 new packages. New features: our Vim package gained Python support." Read the brief release announcement and check out the comprehensive changelog for further details. Download the installation DVD image from here: frugalware-1.5rc2-i686-dvd1.iso (4,262MB, SHA1).

Tuesday, July 26, 2011

Underworld: Awakening

Status: Post-production

Friday, July 15, 2011

PCLinuxOS 2011.07 "KDE MiniMe"

Bill Reynolds has announced the release of PCLinuxOS 2011.07 "KDE MiniMe" edition. This product is designed for more advanced users who prefer to install a minimal KDE-based (version 4.6.5) system and extend it later via the distribution's online repositories. From the release announcement: "PCLinuxOS KDE MiniMe 2011.07 for 32-bit computers (works on 64-bit computers too) is now available for download. What's new? The kernel was updated to version Additional kernels, such as a PAE kernel for computers with more than 4 GB of memory, are available from our repositories. A BFS kernel for maximum desktop performance and a standard kernel with group scheduling enabled. X.Org Server was updated to version 1.10.3. Mesa updated to 7.10.3 and libdrm to version 2.4.26." Download: pclinuxos-kde-minime-2011.07.iso (460MB, MD5).

Thursday, July 14, 2011

Linvo GNU/Linux 2010.12.6

Ivo Georgiev has announced the release of Linvo GNU/Linux 2010.12.6, a Slackware-based (installable) live DVD with GNOME 2.32, custom package manager, multimedia codecs support and other user-friendly features: "Linvo 2010.12.6. This is probably the last maintenance release of the GNOME-powered 2010.12 series. It features a couple of bug fixes (e.g. dependency handling) and improvements (e.g. smooth download progress bar) to LinvoApp, the distinctive applications management system. Unfortunately, some applications (mostly obsolete) have been removed from the website because they were not built right by the LinvoApp automatic builder, so now we're down to only 125 applications. Of course, LinvoApp is still beta and you can always use the traditional Gslapt to install software if you miss something which is not in the Applications category." Here is the brief release announcement. Download (MD5): linvo-2010.12.6-x86.iso (737MB).

Tuesday, July 12, 2011

Sabayon Linux 6 "E17", "LXDE", "Xfce"

Fabio Erculiani has announced the availability of three new Sabayon Linux 6 spins, featuring the Enlightenment 17, LXDE and Xfce desktops: "This is the last set of Sabayon 6 releases, we have Sabayon 6 LXDE, a very lightweight desktop environment for elderly systems, that fits on a single 700 MB CD. Then there is Sabayon 6 Xfce, which has been turned into a valid GNOME alternative, breaking the 700 MB size barrier, provided with multimedia and office applications, NVIDIA, AMD GPU drivers and more. Last and probably least, there is Sabayon 6 E17, it's Enlightenment 17 SVN snapshot, for the brave." Here is the full release announcement. Download links: Sabayon_6_x86_E17.iso (652MB, MD5, torrent), Sabayon_6_amd64_E17.iso (684MB, MD5, torrent), Sabayon_6_x86_LXDE.iso (644MB, MD5, torrent), Sabayon_6_amd64_LXDE.iso (677MB, MD5, torrent), Sabayon_6_x86_XFCE.iso (1,179MB, MD5, torrent), Sabayon_6_amd64_XFCE.iso (1,396MB, MD5, torrent).

Pardus Linux 2011.1

Gökçen Eraslan has announced the release of Pardus Linux 2011.1: "Pardus 2011.1 'Dama Dama' is now available. Here are the basic components and their versions shipped within Pardus 2011.1 release: KDE Desktop Environment 4.6.5, Linux kernel, LibreOffice, Mozilla Firefox web browser 5.0, X.Org Server 1.9.5, GIMP 2.6.11, Python 2.7.1, GCC 4.5.3, glibc 2.12. In addition to those updates: lots of bugs have been fixed; 64-bit Skype and WINE package are now in 2011 stable repository; YALI has a System Rescue mode now; work on 2009 - 2011 distribution upgrade interface is about to finish, after the testing is complete, upgrade-manager package will be provided in 2009 repositories to ease the transition; QuickFormat application can be tested now to format USB removable disks easily...." Here is the brief release announcement. Download: Pardus-2011.1-i686.iso (1,160MB, MD5), Pardus-2011.1-x86_64.iso (1,177MB, MD5). Quick links to the live DVD images: Pardus-2011.1-Live-i686.iso (1,338MB, MD5), Pardus-2011.1-Live-x86_64.iso (1,358MB, MD5).

Monday, July 11, 2011

Pinguy OS 11.04 "Ping-Eee"

Antoni Norman has announced the release of a special edition of Pinguy OS for netbooks, an Ubuntu-based distribution with a custom user interface, power-saving features, and extra WiFi drivers: "Pinguy has released Ping-Eee OS 11.04, an Ubuntu-based remaster especially designed for netbooks. It comes with Jupiter (which has Super Hybrid Engine support) and Granola to help with the power consumption and most applications from Pinguy OS: Docky, Nautilus Elementary, Firefox, Thunderbird, Skype, LibreOffice, Dropbox, Deluge, Empathy, VLC, Déjà Dup backup tool, Linux Mint Update Manager, WINE and more. There's also Clementine instead of Rhythmbox. Ping-Eee OS also comes with extra WiFi drivers for many devices which are not normally supported out of the box on other Linux distributions." Here is the full release announcement. Download: Ping-Eee_OS_11.04.1_i686.iso (1,405MB, MD5).

Thursday, July 7, 2011

ArtistX 1.1

Marco Ghirlanda has announced the release of ArtistX 1.1, an Ubuntu-based distribution with a large collection of applications designed for creative artists: "After many years of continuous development and ten versions, the ArtistX 1.1 multimedia studio on a DVD is finally here. It's an Ubuntu 11.04-based live DVD that turns a common computer into a full multimedia production studio. ArtistX 1.1 is created with the Remastersys software for live DVDs and includes the 2.6.38 Linux kernel, GNOME 2.32 and KDE 4.6, Compiz Fusion and about 2,500 free multimedia software packages, nearly everything that exists for the GNU/Linux operating system organized in the GNOME menu. Main features: based on Ubuntu 11.04 'Natty Narwhal' with all updates (from April 2011), Compiz for 3D desktop effects; most of GNU/Linux multimedia packages and the very easy Ubiquity installer." Visit the distribution's home page to read the release announcement and to learn more about the product. Download: artistx_1.1_live_dvd_iso_07_06_2011.iso (3,664MB, MD5).

Monday, July 4, 2011

Parted Magic 6.3

Patrick Verner has announced the release of Parted Magic 6.3, a utility live CD with software for disk management and data rescue tasks. Besides the usual i486 image, Parted Magic now also exists in i686 and x86_64 flavours for more modern computers. From the release announcement: "This release fixes a few obscure typos and bugs in some of our scripts. Pburn and Pfilesearch have been added for testing. There are no menu entries yet, so run 'pburn' from the command line. The main reason for this release was to add more kernel CPU options. Parted Magic now comes in i486, i686, and x86_64 editions. The only testing I've done with x86_64 was on my i7 machine. I've successfully chrooted into a 64-bit Slackware 13.37 and ran some command-line programs. The i686 CPU is set to PIII, so if you are running a PII, use the i486 version instead." Download (MD5): pmagic-6.3.iso (170MB).

Saturday, July 2, 2011

TDL4 – Top Bot

TDSS variants

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

TDL-3 encrypted disk with SHIZ modules

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

Yet another affiliate program

The way in which the new version of TDL works hasn’t changed so much as how it is spread - via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

Affiliates spreading TDL

Affiliates receive between $20 to $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.

The ‘indestructible’ botnet

Encrypted network connections

One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.

Example of configuration file content

Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier for this particular copy of the malware, which is provided by the command and control server the first time the bot connects. This identifier acts as one of the encryption keys for subsequent connections to the command and control server.

Part of the code modified to work with the TDL-4 protocol.

Upon protocol initialization, a swap table is created for the bot’s outgoing HTTP requests. This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS.

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
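Because a bootkit of this kind rewrites the boot code while typically leaving the partition table untouched, one defensive check is to hash the MBR's boot code region separately from the partition table and compare it to a known-good baseline. The following is an added example, not code from the article or from Kaspersky; the MBR bytes and the "clean" boot code are constructed stand-ins, and the baseline hash is assumed to come from a trusted image of the same machine.

```python
"""Added example (not from the article): parse an MBR and check its boot
code against a known-good baseline, the kind of check used to spot a
bootkit such as TDL-4 that overwrites the MBR but keeps the partition
table intact. All sample bytes below are constructed, not real."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class PartitionEntry:
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int


@dataclass
class MbrInfo:
    signature_ok: bool
    boot_code_sha256: str
    partitions: List[PartitionEntry]


def parse_mbr(sector: bytes) -> MbrInfo:
    """Split a 512-byte sector into boot code hash, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes skipped), type, CHS end (3 skipped), LBA start, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return MbrInfo(
        signature_ok=sector[510:512] == BOOT_SIGNATURE,
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        partitions=parts,
    )


def check_mbr(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info.signature_ok:
        findings.append("missing 0x55AA boot signature")
    if info.boot_code_sha256 != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    if not any(p.bootable for p in info.partitions):
        findings.append("no partition flagged active")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    # active (0x80) NTFS (0x07) partition at LBA 2048 spanning 1,000,000 sectors
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for a trusted boot loader; a real baseline comes from a known-good image.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
BASELINE = hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    print("clean:", check_mbr(clean, BASELINE) or "OK")
    # Same partition table, different boot code: what a bootkit write looks like on disk.
    tampered = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 32)
    print("tampered:", check_mbr(tampered, BASELINE))
```

On a live system the 512 bytes would be read from the raw block device rather than built in memory, and the baseline hash should be stored off the host so the rootkit cannot alter it.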

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

TDSS module code which searches the system registry for other malicious programs

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

TDSS downloads

Notably, TDL-4 doesn't delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

Botnet access to the Kad network

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

  1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
  2. Computers infected with TDSS receive the command to download and install the kad.dll module.
  3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
  4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
  5. Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands which ktzerules contains.

Encrypted kad.dll updates found on the Kad network

Below is a list of commands from an encrypted ktzerules file.

  • SearchCfg – search Kad for a new ktzerules file
  • LoadExe – download and run the executable file
  • ConfigWrite – write to cfg.ini
  • Search – search Kad for a file
  • Publish – publish a file on Kad
  • Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and client IP addresses, including those infected with TDSS.

The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P, the clients of which are exclusively TDSS-infected computers.

How publicly accessible and closed KAD networks overlap

Essentially, the TDSS botnet kad.dll module is more or less the same as cmd.dll in terms of control function. By distributing nodes.dat files containing a list of IP addresses of Kad clients, together with a ktzerules file that contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from the network. The publicly accessible Kad network contains no more than 10 TDSS infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control over the botnet. The total number of TDSS infected computers on the closed network runs to tens of thousands.

Kad.dll code responsible for sending commands from the TDL-4 cybercriminals

Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to the P2P users. This includes adult content files and stolen databases.

The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:

  1. By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
  2. When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

Extended functionality

In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.

The proxy server module

A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.

Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.

Firefox add-on for anonymous Internet use via the TDSS botnet

64-bit support

The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.

List of botnet command and control center commands

Working with search engines

The cmd.dll module (see for details) remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. fraudulently manipulates advertising systems and search engines. The newest innovation in the list of commands for TDSS is the SetName command, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.

List of search engines supported by TDSS

Botnet command and control servers

When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.

Table: Control server | Server address at the beginning of February | Server address at the beginning of March | Percentage of mentions in C&C lists (the server names and addresses did not survive in this copy; only the percentage column and "noip" markers remain)

A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.

Command and control server statistics

Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

Distribution of TDL-4 infected computers by country

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

To be continued…

The heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware launching prior to operating system start, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — places TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware.

TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.