Saturday, January 24, 2009

Conficker ("Downadup") is nasty

My eldest son's computer contracted a nasty bit of malware a couple of weeks ago, which I had to remove manually (NONE of the antivirus software caught it). And believe me, tracking it down and removing it manually without knowing what it was was no easy thing. He's lucky I'm his dad, otherwise the repair could have been hugely expensive.

It was the "Conficker" worm, aka "Downadup".

Fortunately for everyone else, Microsoft has now added it to the Malicious Software Removal Tool. (MSRT). Here's their description:
  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.
It's that last bullet that's a lot more nasty than Microsoft's description suggests. You can't get to McAfee, AVG, AntiVir... anything security related, including Windows Update and the links to the MSRT. So you're best off keeping a copy of the MSRT on a USB drive or mini-CD.

Something not mentioned above is the fact that it can spread onto floppies and USB drives. When it does that, it adds a program to drive (My son's was named setup.exe) and it adds an Autorun.inf file that runs setup.exe (or whatever) when the drive is placed in another machine. This should go without saying, but ALWAYS make sure that AutoPlay is TURNED OFF on ALL removable drives on ALL of your machines. The convenience of having a program run automatically NEVER NEVER NEVER justifies risking the hundreds of dollars of damage that this ill-concieved feature can cause you. Turn it off. Otherwise you could accidentally infect the computer that you're getting the fix from!

You can disable AutoPlay on your drives manually, but it's easier to use TweakUI. Get that here: You can temporarily disable AutoPlay by holding down the SHIFT key while inserting a disk.

Then apply updates to Windows. On the network, Conficker spreads using an exploit that was patched four months ago. If he'd regularly updated it my son's computer would have been immune.

This is a nasty, nasty worm. Exercise a little bit of care and you won't contract it at all. But this is Windows... and running Windows means you have to be paranoid about security, because the OS does little to help you out. Relax your paranoia and you'll be in serious bad shape, as my son found out.

Tuesday, January 06, 2009

Why BitTorrent is Slow

Every BitTorrent vendor promises you that BitTorrent provides blazingly fast downloads. This is a lie. Weeeell, it's not technically a lie, and it's not an intentional lie, but in practice it's a lie nonetheless.

Here's the theory. BitTorrent works by having many users share pieces of the file among themselves. Seeds have complete copies of the file, and peers don't. By sending different pieces of the file to different peers, the seed reduces its own traffic, since each peer can then share the pieces it has with the peers that don't have them. A tracker facilitates all these exchanges, but it doesn't have a copy of the file at all. Since you can download many pieces from different sources at once, you have the potential of getting the file very quickly even though the upload speed from each individual source is slow.

Here's the practice. For many of the files most likely to be distributed on BitTorrent, there are few seeds, since people who are looking for the file stop their BitTorrent client (or remove the file from their queues) as soon as they've received the full file. So unless you're downloading an insanely popular file with a large number of seeds, you won't realize BitTorrent's potential. The more likely scenario is that all the seeds drop off, leaving only a bunch of peers, each eventually having identical partial copies of the file. And once they drop off, seeds have very little reason (save altruism) to log back on again with that complete file in their queue. Which means that the remaining peers will never receive the complete file at all. This is why BitTorrent clients display that lovely little infinity sign in the ETA column. This is not amazingly fast by anybody's definition. And that's why BitTorrent's supposed advantages are a lie. (Weeell, often a lie.)

So what files are most likely to be distributed on BitTorrent? Large files that are distributed by people who can't afford the server bandwidth to distribute them themselves. Many people apparently feel that they can just distribute the file on BitTorrent and be done with it, trusting that it's going to be "out there". It's a naive and wrong assumption.

How to fix it? BitTorrent has to be used as it's intended to be used. First, peers need to stop removing files from their queues as soon as they're complete. LEAVE IT UP. BitTorrent uploads are slow anyway, so they're not affecting your own machine's performance much. If you want this thing to work you have to be willing to share, and encourage others to do the same for you. And if it's YOUR file and you really want it to be distributed, then leave at least one seed up all the time. Because if you're planning on others to do it for you, you need another plan.

In general, though, if you're looking for a hard-to-find file, and not the latest Linux distribution, plan on a BitTorrent download taking days or weeks. And if you find any server anywhere that's offering the file as an HTTP or FTP download, take it.

And why am I writing this? Because once again I'm on the second week of a BitTorrent download.

UPDATE: here's an apples to apples comparison. I'm currently downloading a Star Trek:Phase II episode... roughly 4GB. On BitTorrent I see 20 active seeds and 16 active peers. There's no way that this shouldn't be a super-fast download, right? Wrong. 26.5 kbps is the fastest download time I've seen yet. Each peer is trickling out data at 1 or 2 kbps. So yeah, it's faster than any single peer, but add them all together and it still sucks. With 26.3% of the file already downloaded, the ETA for the rest is still almost 3 days. Meanwhile, I decided to get it from a server. The same 4GB DVD downloaded in 3 hours.

Second real-world example, and one more reason why BitTorrent is slow. Last night I downloaded a 20MB audio file via BitTorrent. It took over 12 hours, even though there were 20 seeds. Why? Because there were no peers. Why should that make a difference? Because BitTorrent operates on enforced altruism: the more you upload, the faster your download will be. The problem comes when there's no opportunity to upload at all. If you're the only person who currently wants the file you are screwed to the tune of half a day for a file that arrives via HTTP download in a couple of minutes.

BitTorrent is only fast for wildly popular files, but only for narrow definitions of the word "popular". If by "popular" you mean it's actively being sought and downloaded by a large number of people, then MAYBE, but -- as my DVD example shows -- probably not. But if by "popular" you mean it's broadly available, everybody has it, but not many people are currently looking for it... BitTorrent is the worst way to download the file.