daily online news

I’ve recently seen a great Black Hat presentation by Felix (FX) Lindner (see pic 2) and a blog posting by Petko D. Petkov (PDP) (see pic 1) on the subject of hacking routers. What seems to be clear is that they are becoming a bigger target. PDP, of the gnucitizen group, recently hosted a “Router Hacking Challenge”, where the idea was to share various attacks against a wide array of routers. In a post to the Full Disclosure mailing list, PDP summarizes the findings:

Here is a quick summary, in no particular order, of the types of vulnerabilities we are exhibiting:

• authentication bypass
• a-to-c attacks
• csrf (cross-site request forgeries)
• xss (cross-site scripting)
• call-jacking - like making your phone dial numbers or even survey room’s sound where the phone resides
• obfuscation/encryption deficiencies
• UPnP, DHCP and mDNS problems - although not officially reported, most devices are affected
• SNMP injection attacks due to poor SNMP creds
• memory overwrites - well it is possible to overwrite the admin password while being in memory and therefore be able to login as admin
• stealing config files
• cross-file upload attacks - this is within the group of csrf attacks
• remote war-driving - way cool
• factory restore attacks
• information disclosure
• etc, etc, etc

I had a chance to talk to PDP about the results of the challenge and what he sees in the near future with router hacking:

Nate: PDP, there’s a lot of flaws that the challenge uncovered, were there a few that stood out to you as being the most impactful?

PDP: Most of the flaws are quite impactful, but I like those that are different from the others; however, very often these are not the ones that are most severe. The authbypass bugs are most severe, as they give you full access to the device without the need to login. Personally, I like the call-jacking stuff and the SNMP injection stuff, but it could be because I was working on these as well so I might be a bit prejudice.

Nate: Yeah, I read the pages you posted about call-jacking and SNMP injection, very cool stuff. Could you just give me a brief run through of the two attacks?

PDP: The call-jacking is like the old days of phone phreaking. Basically, you can do all sorts of things with VOIP phones; however, not all attacks are related to breaking SIP. In the case of SNOM, the attack consists of exploiting a feature in the web interface which allows attackers to survey the sound in the room where the phone is located. This is pretty cool, and you can do that remotely if the device is visible on the Internet side or if you know where the device is inside and your trick someone to arrive on your malicious page. The SNMP injection and the SIP injection attacks are also very fun. We did not mention any SIP vulnerabilities, but there are few that we found that we are keeping private for now.

As I mentioned, a great talk on the subject of hacking routers was also given at Black Hat Federal this year, by Felix (FX) Lindner. Felix and his company Recruity Labs, are currently working on a tool that will allow much more powerful monitoring, debugging, and post mortem crash analysis on the Cisco IOS than the currently accepted practices. Felix mentions the following in a whitepaper on the subject:

Vulnerabilities in Cisco IOS are as common as with any other functionally rich and widely deployed operating system platform. The architecture of IOS; however, makes exploitation a non-trivial task. In the past, the common operating systems provide soft enough targets to maintain an ongoing stream of new vulnerabilities that could be used to break into the machines directly. Recently, the major operating system vendors, first and foremost Microsoft, increased code security significantly. Additionally exploit mitigation techniques and OS hardening have become the standard on all major platforms.

Cisco IOS, therefore, moves further into the focus, as the bennefits start to measure up to the effort required. Non-publicly operating groups will certainly follow an equivalent path, as infrastructure compromises are still highly rewarding and almost impossible to detect.

During his talk at Black Hat Federal, Felix suggested that it’s not a question of if router hacking will become more prevalent, but when will it and more importantly, has it already.

-Nate

A security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.

Adam Boileau first demonstrated the hack, which affects Windows XP computers but has not yet been tested with Windows Vista, at a security conference in Sydney in 2006, but Microsoft has yet to develop a fix.

Interviewed in ITRadio's Risky Business podcast, Boileau said the tool, released to the public today, could "unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command".

Boileau, a consultant with Immunity Inc., said he did not release the tool publicly in 2006 because "Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble".

But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website.

To use the tool, hackers must connect a Linux-based computer to a Firewire port on the target machine. The machine is then tricked into allowing the attacking computer to have read and write access to its memory.

With full access to the memory, the tool can then modify Windows' password protection code, which is stored there, and render it ineffective.

Older desktop computers do not come equipped with Firewire ports, which are needed for the hack to work, but many recent models do. Most laptops made in the last few years include Firewire ports.

Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.

"If you have a Firewire port, disable it when you aren't using it," Ducklin said.

"That way, if someone does plug into your port unexpectedly, your side of the Firewire link is dead, so they can't interact with your PC, legitimately or otherwise."

Ducklin also advised people to be careful when giving others physical access to their computer.

"I know people who'd think three times about asking passing strangers to take their photo in front of the Opera House in case they did a runner with the camera, yet who are much more casual with their laptop PC, as long as it's software-locked, even though the hardware alone is worth five times as much as the camera," he said.

Microsoft was unavailable for comment at the time of publication.

Pirates have succeeded in making cracking, rather than simply circumventing, Windows Vista product activation easier than ever before.

A crack from pirate group Pantheon allows pirated Vista installations to be activated and made fully operational. The approach avoids reliance on beta activation or time stamp hacks, instead concentrating on flaws in the volume activation process.

Pantheon's approach piggybacks on the volume license activation process used by Redmond's tier-one OEMs such as HP, Dell, and ASUS. In order to minimise support calls (and user inconvenience), Microsoft allows preferred partners to pre-install versions of Vista that don't require activation.

This System-Locked Pre-Installation 2.0 scheme allows OEMs to embed specific licensing information into the OS so the product can be activated without been verified by Microsoft.

Pirates have come up with a software bundle that includes certificate files from ASUS, Dell, HP, and Lenovo along with OEM product keys for Vista Home Basic, Home Premium, and Ultimate. It also comes with a BIOS driver that allows certificate information from (for example) HP to be installed on any suitably powerful machine, regardless of manufacturer.

Malware writers behind the Storm worm have launched a new spam campaign designed to bring more users into its extensive botnet.

The latest round of emails are disguised as greeting cards and contain subject lines such as 'Your ecard joke is waiting,' 'You have an ecard' and 'We have a ecard surprise.'

The body of the message contains a text link leading to a web page advertising an online 'greeting card' supposedly sent to the user.

On clicking either the image or the link, the user downloads an executable file that installs the Storm malware.

Infected machines are then connected to a customised peer-to-peer network which is used to control the botnet and install new versions of the worm.

This malware connects the user to Storm's huge botnet, which has been linked to spam runs and phishing attacks, and is said to be among the greatest threats on the internet.

As Storm's run nears 14 months, security companies are stepping up their efforts to slow the worm.

ThreatStop has made its normally private list of blocked Storm domains available to the general public, allowing users to copy the list and use it with firewall software to block traffic from known Storm distributors.

"We are taking this action because our users and test beds have seen that a significant amount of Storm worm traffic is blocked by the DShield lists that we propagate," said the company.

"When the internet as a whole is under assault like this we, as good netizens, should do our part to help."

Customers of top companies -- including Bank of America, HSBC, Sprint and AT&T -- are suffering the most identity theft, according to a survey of complaints to the U.S. Federal Trade Commission published last week.

The study, Measuring Identity Theft at Top Banks, found that the Bank of America, AT&T, Sprint and JP Morgan were associated with the largest number of identity theft complaints each month. When the data was compared to the size of the bank's existing deposits (a similar measure of size was not available for telecommunications companies), the survey found that HSBC, Bank of America and Washington Mutual were the top-three most defrauded institutions.

The report is based on three months of complaints obtained through a Freedom of Information Act (FOIA) request by Chris Hoofnagle, a senior fellow at the Berkeley Center for Law & Technology. Hoofnagle stressed that the quality of the data posed problems. Consumers were asked to name institutions where fraudulent accounts were created or where their accounts were affected by fraudulent activity. While the size of banks could be estimated by the amount of money they held in deposits, no such measure is available for telecommunications firms.

Hoofnagle stressed that getting better data to consumers is extremely important.

"If data were available on this crime, consumers could choose safer institutions, regulators could focus attention on problem actors, and businesses themselves could compete to protect customers from this crime," he stated in the paper.

In 2007, the impact of reported data breaches skyrocketed, with 163 million records containing some type of personally identifiable information (PII) being reported lost or stolen during the year. Information from cases investigated by the U.S. Secret Service found that the average identity thief is a first time criminal and not known to the victim. (The case data could be skewed, however, by the fact that people known to the victim might not be reported to the police.) While breaches have skyrocketed, estimates of the losses due to account fraud and identity theft have fallen, to $15.6 million in 2006, according to an annual survey.

For the latest study, Hoofnagle was only given access to three random months of data in 2006, because the Federal Trade Commission said the task of vetting the information and deleting any identifiable information for an entire year's worth of data was too onerous.

One of the U.S. Department of Homeland Security's most prominent Real ID cheerleaders made a more timid than usual push on Tuesday for states to adopt the controversial identification card standards.

Stewart Baker, the department's assistant secretary for policy, has touted what he perceives as the privacy-protective, identity theft-preventive features of the congressionally mandated Real ID driver's license regime during the past year.

But, clearly fearing criticism during a Tuesday morning speech at the spring meeting of the National Association of Attorneys General, he saved any mention of the program until the tail end of a 20-minute speech about the perils of identity theft.

"One thing I will say," Baker said, almost couching his imminent pitch as something of an afterthought. "One of the key ways to catch identity thieves is better security for driver's licenses."

The former National Security Agency general counsel then launched into a kinder, gentler defense of Real ID, first acknowledging he expected "to get a little pushback on this."

"Real ID has a bad bumper sticker reputation," Baker said, "but what it boils down to is a set of standards for obtaining driver's licenses, so it's harder to obtain fraudulent driver's licenses."

Baker and other proponents argue that the scheme, which was passed as part of an emergency spending bill by Congress in 2005, is necessary to prevent terrorists, criminals, and illegal immigrants from successfully obtaining and using fraudulent driver's licenses. (For that reason, it's a "pro-consumer" and "antiterrorism" measure, Baker said Tuesday.) Privacy and civil liberties advocates, however, say the regime doesn't have enough checks built in to prevent abuse of information encoded on the licenses, and a number of states have balked at the cost of the mandate.

Homeland Security is pushing states "pretty hard" to come into compliance with Real ID requirements over the next 18 months and has gotten a "decent" response so far, Baker said. According to an agency-produced map, 45 states and the District of Columbia have already received deadline extensions, which means their driver's licenses will continue to be accepted for boarding airplanes and entering federal buildings come May 11, 2008, when the new rules kick in. But another five states--Maine, Montana, South Carolina, New Hampshire, and Delaware--have said they will not comply.

Baker, for his part, characterized that continued resistance as "ideological and, in my opinion, based on misconceptions." Citing fake driver's licenses used by Oklahoma City bomber Timothy McVeigh and September 11 hijackers, he suggested the Real ID plan's requirements were something of an inevitability, even if they may be a bit costly.

"That's my proposal," Baker said at the close of his speech. "If you've got better ideas, then I'd really like to hear it."

None of the two dozen or so attorneys general present at the meeting raised their hands with questions or comments.

"It must be really early in the morning if Real ID doesn't get a bite," he quipped with a chuckle, before being handed a medallion as a "token of appreciation" from his hosts.

Cybercrooks are developing covert tools to test malware before releasing it.

The effectiveness of malicious code is largely determined by whether or not it's detected by anti-virus scanners. By replicating the scans of leading security products using test tools located on underground forums and web pages, miscreants gain the chance to fine-tune their creations to make sure they aren't picked up by anti-virus heuristic (generic) detection.

The underground tools are technically similar to Hispasec’s legitimate Virus Total tool, according to Spanish anti-virus firm Panda Software. It notes that the increased interest in underground testing tools coincides with the removal of the "do not distribute the sample" option in Virus Total. The now compulsory feature means that samples of files scanned by Virus Total are sent to security firms.

Back in the day malware authors wanted to make a name for themselves by causing trouble; these days they're more interested in making sure of extending the half-life of money-making malware by making sure it attracts the minimum of attention and, as far as possible, creeps in under the radar of anti-virus tools. Non-disclosure testing of malware toolkits prior to this release aids this process, as well as creating income for unscrupulous coders happy to work for VXers.

"This recent increase of malware collaboration is very worrying and poses an active threat to security systems," said Dominic Hoskins of Panda Security UK. "Participating in such forums, exchanging knowledge and testing new malware ideas helps cybercrooks facilitate the development of more effective malware."

A website promoting the town of Mildenhall has been shut down after it unintentionally became the recipient of hundreds of classified emails, including messages detailing the planned flight path of President Bush.

Over more than a decade, www.mildenhall.com received emails detailing all kinds of secret military information that were intended for official Air Force personnel. One detailed where Air Force One could be found in the air during a planned visit to the region by President Bush. Others included battlefield strategy and passwords.

"I was being sent everything from banal chat and jokes, to videos up to 15mb in size," Gary Sinnott, owner of mildenhall.com, said in this article in EDP 24. "Some were classified, some were personal. A lot had some really sensitive information in them."

As owner of mildenhall.com, Sinnott received every email that had that domain name included in the address field. The site was set up to provide information about the town of Mildenhall, which is about a half-hour's drive north east of Cambridge.

Sinnott says he brought the SNAFU to the attention of Air Force officials but was never able to get the problem fixed. At first, they didn't seem to take the matter seriously, but eventually, they "went mental," he said. Officials advised Sinnott to block unrecognizable addresses from his domain and set up an auto-reply reminding people of the address for the official air force base.

But still, the official emails continued to flow in to Sinnott's site. And to make matters worse, some people got angry after Sinnott told them they were sending email to the wrong address and gave his address to spammers. Sinnott was receiving 30,000 pieces of email per day, most of which was junk mail.

So Sinnott pulled the plug on the website. Though he remains the owner of mildenhall.com, it may only be a matter of time before all those emails incorrectly addressed to Air Force personnel at mildenhall.com automatically begin to bounce. And that ought to make security conscious people everywhere breath a little easier.

Alas, according whois records, mildenhall.net and mildenhall.org are in the hands of non-military individuals and mildenhall.us is available to anyone with $35. Given what we now know about the boobs who send confidential information, that ought to give us pause

Codenamed Reynard it aims to recognise "normal" behaviour in online worlds and home in on anomalous activity.

It is likely to develop tools and techniques for intelligence officers who are hunting terrorists and terror groups on the net or in virtual worlds.

The project was welcomed by experts tracking terror groups using the net to organise or carry out attacks.

Growing threat

Brief details about Reynard came to light in a report sent to the US Congress by the Office of the Director of National Intelligence (ODNI) - which co-ordinates the work of US intelligence agencies.

In that report, which talked about the data mining efforts undertaken by the ODNI, Reynard was described as: "a seedling effort to study the emerging phenomenon of social (particularly terrorist) dynamics in virtual worlds and large-scale online games and their implications for the intelligence community".

Using publicly available data Reynard researchers will carry out observational studies to establish "baseline normative behaviors".

Once these are identified, Reynard will "then apply the lessons learned to determine the feasibility of automatically detecting suspicious behavior and actions in the virtual world".

"It's a positive step," said Andrew Cochran, founder and co-chairman of the Counterterrorism Foundation. "For a number of years we were behind in chasing jihadists' presence on the net and detecting it."

"That's a very sensible step at the moment," said Roderick Jones, a vice president of Concentric Solutions and a former special branch officer. "Just to feel their way around them and work out what new intelligence collection methods might be required to deal with this threat, because you won't be able to use traditional law enforcement methods."

New worlds

A senior intelligence officer at the ODNI said Reynard was in its very early stages and it was too soon to say which online worlds it would be studying. He added that any work on it would be purely for research rather than "operational" purposes.

"I think its highly unlikely terrorists would use things like Second Life or World of Warcraft as they do not have the necessary security," said Mr Jones.

"Terrorist use of the internet at the moment relies on password protected forums," he added.

Said Mr Cochran: "All of the major terrorist treatises have been distributed through the internet so taking it to a virtual world with multi-player role games is really an easy step."

It was inevitable that terror groups would make greater use of the internet and the possibilities that virtual spaces offered them, said Mr Jones.

"There's more a chance of things like Jihad worlds coming online in the next five years I think," he said.

The visual richness of virtual worlds made them good places to educate recruits about techniques, said Mr Jones.

Attack pattern

"We can see groups emerging in cyber spaces and virtual communities that would be wholly virtual," he said. "They would organise and radicalise in virtual worlds and attack using cyber methods without becoming a real world presence in any real way."

Many groups were likely to use the expertise and skills they learn in virtual worlds to target key net systems.

Ken Silva, chief technology officer for Verisign which oversees some of the net's core address books, said such an attack could be "devastating".

"We see a continuing growth in the amount of horsepower in the attacks that are directed at infrastructure servers," said Mr Silva.

"We are seeing a large shift from attacks that are directed at individual websites," he said. "The sophistication is getting a little smarter and they are attacking the infrastructure pieces behind them..., which is typically in most production environments the least invested in."

Some of the basic systems of the net, such as the Border Gateway Protocol (BGP) which helps data reach its intended destination, were open to attack.

An accidental misconfiguration of BGP in some routers in Pakistan caused the recent problems with YouTube which left many people unable to reach the video site.

"BGP is essentially a relatively unprotected protocol and is seriously vulnerable to disruption," he said. "Should that happen, it could take a very long time to correct that situation."

"This has to be fought at every level," he said.

Cybercrooks are developing covert tools to test malware before releasing it.

The effectiveness of malicious code is largely determined by whether or not it's detected by anti-virus scanners. By replicating the scans of leading security products using test tools located on underground forums and web pages, miscreants gain the chance to fine-tune their creations to make sure they aren't picked up by anti-virus heuristic (generic) detection.

The underground tools are technically similar to Hispasec’s legitimate Virus Total tool, according to Spanish anti-virus firm Panda Software. It notes that the increased interest in underground testing tools coincides with the removal of the "do not distribute the sample" option in Virus Total. The now compulsory feature means that samples of files scanned by Virus Total are sent to security firms.

Back in the day malware authors wanted to make a name for themselves by causing trouble; these days they're more interested in making sure of extending the half-life of money-making malware by making sure it attracts the minimum of attention and, as far as possible, creeps in under the radar of anti-virus tools. Non-disclosure testing of malware toolkits prior to this release aids this process, as well as creating income for unscrupulous coders happy to work for VXers.

"This recent increase of malware collaboration is very worrying and poses an active threat to security systems," said Dominic Hoskins of Panda Security UK. "Participating in such forums, exchanging knowledge and testing new malware ideas helps cybercrooks facilitate the development of more effective malware."

A website promoting the town of Mildenhall has been shut down because it unintentionally became the recipient of hundreds of classified emails, including messages detailing the planned flight path of President Bush.

According to reports, the closure of www.mildenhall.com came at the prompting of US Air Force chiefs, who were concerned that its resemblance to the official website for the Mildenhall US air base was confusing some people. Evidently, their fears had some basis in fact.

Over more than a decade, mildenhall.com received emails detailing all kinds of secret military information that were intended for official Air Force personnel. One detailed where Air Force One could be found in the air during an planned visit to the region by President Bush. Others included battlefield strategy and passwords.

"I was being sent everything from banal chat and jokes, to videos up to 15mb in size," Gary Sinnott, owner of mildenhall.com, said in this article in EDP 24. "Some were classified, some were personal. A lot had some really sensitive information in them."

As owner of mildenhall.com, Sinnott received every email that had that domain name included in the address field. The site was set up to provide information about the town of Mildenhall, which is about a half-hour's drive north east of Cambridge.

Sinnott says he brought the SNAFU to the attention of Air Force officials but was never able to get the problem fixed. At first, they didn't seem to take the matter seriously, but eventually, they "went mental," he said. Officials advised Sinnott to block unrecognizable addresses from his domain and set up an auto-reply reminding people of the address for the official air force base.

But still, the official emails continued to flow in to Sinnott's site. And to make matters worse, some people got angry after Sinnott told them they were sending email to the wrong address and gave his address to spammers. Sinnott was receiving 30,000 pieces of email per day, most of which was junk mail.

So Sinnott pulled the plug on the website. Though he remains the owner of mildenhall.com, it may only be a matter of time before all those emails incorrectly addressed to Air Force personnel at mildenhall.com automatically begin to bounce. And that ought to make security conscious people everywhere breath a little easier.

Alas, according whois records, mildenhall.net and mildenhall.org are in the hands of non-military individuals and mildenhall.us is available to anyone with $35. Given what we now know about the boobs who send confidential information, that ought to give us pause

Buffer overflows are at the heart of a series of attacks against Facebook and MySpace, security firm Fortify Software has warned.

Criminal hackers now view social networking sites as their best target for attacks, according to Rob Rachwald, director of product marketing at Fortify Software.

Part of the reason is that such sites are designed to be usable by " unsophisticated" consumers, meaning that the barrier to entry for attacks is potentially lower as users are more likely to click on a link that leads to malware.

"A buffer overflow enabled hackers to exploit the Aurigma ActiveX image uploading software used by Facebook, MySpace and other social networking sites, " said Rachwald.

"The bad news is that this exploit is being used in a hacker toolkit currently being offered for download on several Chinese language sites, meaning that novices have been able to stage these attacks, and not just professional hackers."

Rachwald argued that social networking sites can no longer limit protection to their own security practices, but must take in the practices of their suppliers.

"Had Facebook and MySpace required Aurigma to provide proof of a code audit before sourcing the plug-in this latest security issue could have been avoided, " he said.

Their grades have not been posted, but government agencies have generally improved their security this year, as measured by compliance to the Federal Information Security Management Act (FISMA) of 2002, a report issued by the Office of Management and Budget stated on Saturday.

In the report (pdf), the OMB stated that, overall, the government did better in fiscal 2007 with certifying systems and testing security controls and contingency plans than the previous year. The Inspectors General for 22 of the 25 agencies required to comply with FISMA inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. While an improvement over the previous year, only two-thirds of the IGs claimed that their auditing processes were rated "satisfactory" or better.

The increased awareness of their systems have also caused the agencies to report more attacks, the report stated. In 2007, incidents reported to the US Computer Emergency Readiness Team (US-CERT) jumped to 12,986, an increase of 150 percent over the previous year. While nearly a third of the incidents were alarms created by the US-CERT's EINSTEIN network monitoring system and remain uncategorized, about a quarter were classified as improper usage and about 15 percent classified as unauthorized access, according to the OMB report.

In 2006, most of the U.S. government agencies required to file compliance reports by FISMA scored sub-par grades in computer security. The Federal Information Security Management Act of 2002 requires that the agencies secure their information systems according to guidelines developed by the National Institute of Standards and Technology and file annual reports about their compliance. Congress later issues a report assigning letter grades to each agency's performance.

Already, members of Congress and security experts are drafting a report to advise the next president on ways of improving cyber security.

The OMB report noted that four agencies -- the National Aeronautics and Space Administration (NASA) and the Departments of State, Treasury and Defense -- all did significantly better in complying with FISMA. The Department of Defense, however, did not present audits for its compliance nor did it submit a privacy impact assessment, according to the OMB report.

6.51 Changelog
===============
* Fixed a bug with Kellen's Dagger that caused it to sometimes not get disabled when hit
* Fixed Land Mines tooltip
* Increased cast range of Kelen's Dagger
* Undid previous Bottle changes. Bottle now works as follows: Costs 600 gold, does not require mana to refill, auto-fills it when you are near fountain, rune refills it to full, resells at 50% like normal, purchasable at base only, regenerates less than previously, has no usage cooldown.
* Fixed Medusa's Mana Shield from triggering Essence Aura
* Fixed Searing Arrows' tooltip
* Changed Hyperstone purchase hotkey to fix a conflict
* Fixed a bug with Invoker when creating illusions
* Updated Kelen's Dagger tooltip
* Undid some of Morphling's base damage buff from last version
* Fixed Bloodrage tooltip
* Fixed Pulse Nova and Invoker's Reagents from triggering Last Word
* Smokescreen interrupts teleportation once again
* Color coded Invoker's spell descriptions (203050)
* Improved Sange's percentage and Yasha's percentage, and lowered the recent buff on S&Y a little
* Fixed Vladmir's Offering sell cost
* Increased Counter Helix chance by 2%
* Minor bonus armor in True Form
* Improved the effect timing on Split Earth (187877)
* -swapcancel code is triggered when a swap is successful (to prevent other accidental swaps)
* Improved Shuriken Toss cast range
* Added new Backtrack icon (183079)
* Changed Battlefury recipe slightly
* Lowered Poof casting time from 2 to 1.5 seconds
* Lowered Elder Dragon Form's manacost and cooldown a little
* Added neutrals field to -cs
* Changed Phantom Edge's secondary ability from evasion to magic resistance
* Replaced Phantom Assassin's Shadow Strike with a different similar ability (132694)
* Fixed a minor coding bug with Time Lapse
* Fixed Impale based spells from moving Juggernaut during Omnislash
* Added new icon for Melting Strike
* Reduced some lag with Invoker
* Fixed level 1 March of the Machines doing slightly less damage than intended
* Removed stock cooldown on Ironwood Branch
* Added a new system that tracks when you help an ally kill a hero (no gameplay ramifications at this point)
* -swap is now allowed in -sd
* Fixed some minor neutrals' vision and pathing glitches
* Lowered level 1 and 2 cast range on Replicate
* Lowered Phantom Assassin's cast animation time
* Fixed a bug with Exorcism's cooldown after leveling Witchcraft
* Fixed some issues with -ah
* Refined how some kill related messages and sounds are shown
* Increased mana regeneration on Perseverance by 25%
* Lowered Buriza recipe by 250 gold
* Changed Voodoo Restoration to heal over a smoother interval (same total regen)
* Lowered Manta Style's cooldown a bit
* Fixed a bug with Voodoo Restoration and Impales
* Fixed a bug with invoker in -spreverse
* Fixed some inconsistencies with tower visions (TheLoneWolf14)
* Increased duration of Lycanthrope's wolves a bit and allowed them to attack air
* Temporarily disabled -unstuck command


DotA Allstars v6.51 AIplus 1.52.rar ( Plunder Mirror )

DotA Allstars v6.51 AIplus 1.52.rar ( Imbakan Mirror )

DotA Allstars v6.51 AIplus 1.52.rar ( RS Mirror )