ThreatExpert Blog – Research and discoveries from the experts at ThreatExpert<br /><br /><strong>Domain Name Generator for Murofet</strong> (2010-10-14)<br /><br />This post describes a technique for building a domain name generator for Murofet.<br /><br />Pseudo-random domain generators are not new – they were previously used by the Sober, Kraken and Conficker worms. The important thing about reproducing a particular domain generator is the ability to predict which domains the worm will query in the future. Once known, these domains can potentially be blocked, "sinkholed" or at least monitored.<br /><br />Reproducing a domain generator is a tricky task. It can basically be done in two ways.<br /><br />First, the original algorithm can be studied in its disassembled form and its logic reproduced in a higher-level programming language. The second method assumes that studying the original algorithm may take longer than expected, so it offers a shortcut – a "hack": take the original code "as is" and either replicate it in a standalone tool written in Assembly from scratch (e.g. with MASM) or use it in the inline assembler of a higher-level language such as C++ or Delphi.<br /><br />Another approach is to patch the malicious binary in order to force it to loop the way you need, then hook and log particular APIs it calls (such as UrlDownloadToFile()) in order to obtain the output.<br /><br />We'll take the route of ripping the original code apart. This is a no-brainer exercise – it shouldn't take long, as we don't have to understand exactly how the domain generator works; we only need to know where the code is located, what it does functionally and, most importantly, how to interface it properly with our higher-level code. 
That is, we need to "glue" or attach it correctly to our code.<br /><br />Murofet is a file infector. It appends 1,771 bytes to a host executable.<br /><br />The APIs it calls are retrieved dynamically from the shlwapi.dll, urlmon.dll, kernel32.dll and advapi32.dll modules by matching hashes of their ASCII names – a very common technique.<br /><br />The domain generator routine requires 4 parameters:<br /><ul><br /><li>the base address of the advapi32.dll module – the domain generator needs it to dynamically retrieve the APIs CryptAcquireContextW(), CryptCreateHash(), CryptHashData(), CryptGetHashParam(), CryptDestroyHash() and CryptReleaseContext(), which it calls during domain name generation.</li><br /><li>a seed value – it starts from the fixed number 119 (current year mod 256, multiplied by 17, that is 7 * 17)</li><br /><li>the current date (GMT)</li><br /><li>a pointer to a buffer that will receive the result – the generated domain name</li><br /></ul><br />Once a domain is generated, the sample attempts to download an executable from it. Next, it increments the seed value (119 -> 120) and repeats the loop – that is, generates a new domain name and attempts a download from there. 
The loop repeats 800 times.<br /><br />Thus, Murofet generates 800 domains a day.<br /><br />The domain generation routine is called by Murofet the following way:<br /><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 400px; height: 388px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh26yai2iojCDJncE-JkptmMeCqdyn55Pq4W-JzYraNGu7S3cUd9kfxn8JrJq6uo865_2q0SthE_s5wYR1drflxOFsDn2nq56DSditEz6DLEQpxv-UmgSWkn4EjTxRI8wwME46bPDqgNyM/s400/screen1.png" border="0" alt="screen1.png" /><br /><br />As seen in the listing, the routine takes 4 parameters on the stack – the base address of advapi32.dll, the seed value, a pointer to a SYSTEMTIME structure filled with the current date and time (Murofet calls GetSystemTime() for that), and a pointer to a buffer that will receive the result.<br /><br />In order to reproduce this algorithm, the following can be done.<br /><ul><br /><li>Create a VC++ MFC project that generates day, month and year values, then creates a log file to dump the generated domains into.</li><br /><li>Create a stub in your executable that declares a buffer filled with 0x90 (NOP) values. The stub can be a few KB in size.</li><br /><li>Create inline assembler code that wraps the call to the domain generation routine, that is, pushes the 4 required parameters on the stack – we'll need this code to "glue in" the native Murofet domain name generator. The call to the routine itself should for now consist of 5 NOPs – we'll patch this call later, as at this point we don't know where in the code the routine will be located. 
This step is best outlined with the code below:</li><br /><br /><pre style="font-size:small; border: 1px solid rgb(180, 180, 180); overflow: auto; background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">
// get the base address of advapi32.dll - Murofet needs it to resolve the Crypto API functions by name hash
HMODULE hAdvapi32;
hAdvapi32 = LoadLibrary("advapi32.dll");

// prepare a SYSTEMTIME structure
LPSYSTEMTIME lpst;
lpst = (LPSYSTEMTIME)malloc(sizeof(SYSTEMTIME));
memset(lpst, 0, sizeof(SYSTEMTIME));

// prepare your year, month and day values: wYear, wMonth, wDay
// fill your SYSTEMTIME structure with these values
lpst->wYear = wYear;
lpst->wMonth = wMonth;
lpst->wDay = wDay;

// prepare a log file name
char szLogFile[MAX_PATH];
sprintf(szLogFile, "c:\\logs\\log_%d_%02d_%02d.txt", wYear, wMonth, wDay);

// prepare a buffer that will hold the domain name
LPBYTE lpbyDomainName;
lpbyDomainName = (LPBYTE)malloc(1024);

// this is our "glue" - keep the seed value on the stack, starting from 0x77 (119)
// NOTE: this relies on the compiler not touching the stack between the _asm blocks below
// (debug build, no stack temporaries inside the loop) - check the generated code
_asm
{
    push 77h
}

// start the loop - 800 domains have to be generated for a given day (wYear, wMonth, wDay)
for (int i = 0; i < 800; i++)
{
    memset(lpbyDomainName, 0, 1024);

    _asm
    {
        pop eax             ; peek at the seed value kept on the stack
        push eax

        xor edx, edx
        mov ecx, 3fch       ; 1020
        div ecx             ; seed mod 1020 - while the seed is below 1020 (119..918 here) the remainder equals the seed

        NOP

        ; push the 4 parameters on the stack

        push hAdvapi32      ; 1st - base address of advapi32.dll (retrieved earlier)
        push edx            ; 2nd - the seed value mod 1020, which is the same as the seed value
        push lpst           ; 3rd - pointer to our SYSTEMTIME structure holding the chosen year, month and day
        push lpbyDomainName ; 4th - pointer to the buffer that will receive the result

        NOP                 ; these 5 NOPs will later be patched with a call to the routine:
        NOP                 ; the 1st NOP is replaced with E8 (call rel32),
        NOP                 ; the other 4 with the distance between the instruction that follows
        NOP                 ; the call (see "pop eax" below) and the routine itself
        NOP                 ; (the routine is assumed to remove its 4 arguments from the stack itself;
                            ; if it does not, an "add esp, 10h" is needed right after the call)

        pop eax             ; increment the seed value that we keep on the stack
        inc eax
        push eax
    }

    // after the stub above is executed, the generated domain name is in the lpbyDomainName buffer
    // drop it into the log (DropLog() is your own helper that appends a line to the log file)
    DropLog(szLogFile, (LPCSTR)lpbyDomainName);
}

_asm
{
    pop eax                 ; discard the seed value
}
</pre><br /><br /><li>Compile your executable in debug mode.</li><br /><li>Patch the section with the stub in it to make it executable.</li><br /><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 400px; height: 351px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrcRQ9ax4-1lAuMoVcm1ed-l-OgIcWxkoYh1-5cxQQe87TrPIa-Ftc66nMBDPwfpoEFvRilRt99kz0Syyv5Fu8qaVQ34TfIQxXZFMfJc2qcUQirnkKctawazB-7bwQmG9RHMZrZS3DTjU/s400/screen2.png" border="0" alt="screen2.png" /><br /><br /><li>Open your compiled executable in a HEX editor, find your stub and replace 1,771 bytes in it with the original Murofet code. 
This way, we are sort of "infecting" our executable with Murofet, but we don't give its code any control just yet.</li><br /><li>Open your executable in the disassembler, find the "glue" code created in step 3, and find the domain generation routine. Compute the distance between them, that is, subtract the address of your 5 NOPs (plus 5, as the call instruction itself takes 5 bytes) from the address of the domain generation routine; let's say the distance is 0x010203. Then patch the 5 NOPs with a call to the generator by replacing them with E8 03 02 01 00 (the rel32 operand is stored little-endian).</li><br /><li>Run your executable.</li><br /></ul><br /><br /><strong>Matryoshka in Flash</strong> (2010-08-19)<br /><br />The second part of the article from the Crime Scene Investigation: Internet <a target="_blank" href="http://www.h-online.com/security/features/CSI-Internet-HQ-1050609.html">series</a> has now been published by <a target="_blank" href="http://www.heise.de/security/">c't magazine</a>.<br /><br />This time the ActionScript p-code deobfuscation technique is illustrated.<br /><br />You can read this article <a target="_blank" href="http://www.heise.de/security/artikel/Tatort-Internet-Matrjoschka-in-Flash-1052848.html">in German</a> or <a target="_blank" href="http://www.h-online.com/security/features/CSI-Internet-Matryoshka-in-Flash-1057907.html">in English</a>.<br /><br /><strong>Angriff der Killervideos</strong> (2010-08-04)<br /><br />It took some time, some patience and some extra samples analysed to see how the <a target="_blank" href="http://blog.threatexpert.com/2008/05/flash-exploit-goes-wild.html">original</a> blog post on a Flash exploit eventually evolved into an article for the German computer magazine <a target="_blank" href="http://www.heise.de/ct/">c't</a> (magazin für computertechnik).<br /><br />The original article in German is available at <a target="_blank" href="http://www.heise.de/security/artikel/Tatort-Internet-Angriff-der-Killervideos-1047129.html">this link</a>. Its English translation is available <a target="_blank" href="http://www.h-online.com/security/features/CSI-Internet-Attack-of-the-killer-videos-1049197.html">here</a>.<br /><br />Thanks to Frank Boldewin and Jürgen Schmidt for making it happen.<br /><br /><strong>Config Decryptor for ZeuS 2.0</strong> (2010-05-02)<br /><br />The ZeuS 2.0 kit release introduces a few tricks designed to complicate the analysis of its configuration files.<br /><br />Apart from the randomized side-effects that the new <a target="_blank" href="http://www.threatexpert.com/report.aspx?md5=3FE968C21349A898D99154A2AD3ACFAA">trojan</a> leaves on a system, including its ability to morph in order to evade hash-based detections (well, hash-based detections never worked against ZeuS anyway, given the sheer volume and frequency of the generated samples and the variety of packers used), it seems that this time great care was taken in protecting its configuration files.<br /><br />The <a target="_blank" href="http://www.threatexpert.com/report.aspx?md5=8c675db2eb49640279667a2b74290556">trojan</a> now uses more layers in order to decrypt its configuration files.<br /><br /><strong>Shrek</strong>: <em>Onions have layers. Ogres have layers... You get it? We both have layers.</em><br /><strong>Donkey</strong>: <em>Oh, you both have layers..</em><br /><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 200px; height: 150px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWsZM3e-PzXfGVwDUsSt2AGByCJpJNqMt3p0dwkm0LS92YlWw-OvfgMVhzq6eTWbX99z_bHtaUywK5Y0GEJ8WGTHOQ8D8L_PPjP_p8Z6uRlrLKFVhvCQ2-hcTdbkOYVkiXtlbTTUu3doA/s200/shrek.jpg" border="0" alt="shrek.jpg" /><br /><br />The new decryption steps are illustrated below:<br /><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 397px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjehCPCNLjn4pSIEC6DoHtrbreNlMRbCDJegxGMCd9Bh6lmFdShlREAK7s95tw_XqV16Y45pkUoM0-uMladJ4WkPcUHQiQt5N1-jZovliKQXOAOgD9Lhudbz7jjomiAH_fytjoJdL-eMLc/s400/schema.png" border="0" alt="schema.png" /><br /><br />It starts by initializing a 256-byte key table. 
At first, its bytes are set to the value N, where N is the position of the byte in the key table (from 0 to 255).<br /><br />Next, the code uses a large permutation table - a dynamically constructed table of variable size, around 40,177 bytes - to generate a new key table.<br /><br />The newly generated key table is then used to decipher (RC4) another dynamically constructed table, called the "small table" in the scheme above.<br /><br />Once deciphered, the small table contains both the configuration file URL and a new key table used to decipher (RC4) the configuration file that the trojan requests from the remote server.<br /><br />The new key table is stored inside the small table at a variable offset.<br /><br />Due to the polymorphic nature of the trojan, the locations of the large permutation table and of the encrypted small table, as well as the offset of the key inside the decrypted small table, are random.<br /><br />Nevertheless, these random values are recoverable from the heap memory of any process infected with ZeuS.<br /><br />In order to decrypt configuration files of ZeuS 2.0 on a host infected with ZeuS (e.g. inside a virtual machine), a special tool can be built.<br /><br />The tool would first need to identify ZeuS heap pages by their signatures and then check for the presence of the following code within the same ZeuS page:<br /><pre style="font-size:small; border: 1px solid rgb(180, 180, 180); overflow: auto; background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">
// 55                    push    ebp
// 8B EC                 mov     ebp, esp
// 51                    push    ecx
// A1 ?? ?? ?? ??        mov     eax, ds:image_base
// 8B 0D ?? ?? ?? ??     mov     ecx, ds:dwSmallTableOffsetVA
// 56                    push    esi
// 8D 34 01              lea     esi, [ecx+eax]
// A1 ?? ?? ?? ??        mov     eax, ds:XX
// 8B 0D ?? ?? ?? ??     mov     ecx, ds:dwLargeTablePtrVA
// 89 4D FC              mov     [ebp+large_table_ptr], ecx
// 83 F8 02              cmp     eax, 2
// 76 41                 jbe     short XX
// 57                    push    edi
</pre><br />The 1st wildcard (??) in the listing is the virtual address of the allocated page within the host process.<br /><br />The 2nd wildcard is the virtual address of the small table offset within the same injected page; for example, the small table offset could be 0x33000. The first word of that table is the size of the large permutation table, and the actual small table follows that word. The size of the small table is constant – it is 700 bytes.<br /><br />The 4th wildcard in the listing is the virtual address of the large permutation table within the infected process. It is normally allocated as a separate heap page within the same host process.<br /><br />One more offset still needs to be recovered from the identified malicious heap page – the offset of the key within the decrypted small table that is used to decipher (RC4) the configuration file itself. The value of this offset varies from 0 to 255.<br /><br />To locate that offset, the infected memory page can be scanned for the presence of the following code:<br /><pre style="font-size:small; border: 1px solid rgb(180, 180, 180); overflow: auto; background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">
// 8B 03                 mov     eax, [ebx]
// 56                    push    esi
// 57                    push    edi
// C6 45 FF 00           mov     [ebp+flag], 0
// 85 C0                 test    eax, eax
// 74 6E                 jz      short quit
// 8B 7B 04              mov     edi, [ebx+4]
// 81 C1 ?? 00 00 00     add     ecx, bKeyOffset
// 51                    push    ecx
// E8 ?? ?? ?? ??        call    dec_rc4_xor
// 89 43 04              mov     [ebx+4], eax
// 85 C0                 test    eax, eax
</pre><br />The key offset is the first wildcard in the listing above.<br /><br />Once the tables and the key offset are fully recovered from the memory of an infected process, the tool can decrypt the configuration file using the decryption algorithms derived from ZeuS by reverse engineering.<br /><br />To assist researchers who need to decrypt and analyze the contents of ZeuS 2.0 configuration files, the ZeusDecryptor tool is available for download <a target="_blank" href="http://www.threatexpert.com/blog/zbot/zeusdecoder.zip">here</a>.<br /><br /><strong>WoW Factor or Back Into Matrix</strong> (2010-04-28)<br /><br />Online gaming password stealers form a large malware category.<br /><br />Moreover, it is growing: there is strong demand for virtual experience, there is supply, and there are online auction <a target="_blank" href="http://www.mmobay.net/">sites</a> where such experience is sold to those who are ready to pay for it. That is, there are mechanisms for converting virtual experience into real money. 
And then there are bad guys trying to hook into that chain for their personal gain by compromising online gaming accounts in order to steal the virtual experience and resell it.<br /><br />However, why is there demand for virtual experience in the first place?<br /><br />What state of mind is required in order to pay several hundred dollars for something as virtual as this:<br /><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 200px; height: 196px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiKk2Uvl7Ct4a1rIi_9RSlQAVdNM-HoibfAE40Y_MeXPS7IVKN22AxPRsFDb6PgyPdSFdTB3bx4Pyep7Sq_gzUyjqtMFBtagvhMxZFqF4YaTGWhB3r3NGyXFC30B8IYqRfpkGNV7hFoQ4/s200/elf.jpg" border="0" alt="elf.jpg" /><br /><br />Why does practicality become less important while virtual assets become more and more appealing, up to the point where they are associated with a certain social status? Is it the same force that drives the sales of sleek, glossy and shiny (but of questionable practicality) i-gadgets, the same sort of virtuality? Is this some kind of "this is me and I am not part of the crowd" message sent to the rest of the world, an attempt to demonstrate an open-minded attitude that dismisses anything dogmatic?<br /><br />By buying virtual status in gaming, whether it is virtual gold, a level or experience, what are they trying to say? Is this a way to demonstrate to their friends how keen they are and how far they are prepared to go to gain their own social status in the modern world? But why buy virtual social status instead of building one physically?<br /><br />Hmm, this must be our evolution then.<br /><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 400px; height: 121px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7SdFeVwfQTGM9yEMDJHn2Jo85mW25czfCW4NUlPE8o0urh4peH_rAX8Tv79vAADdK26A2y3z1fuu4qvQglXioPdK722-cm2z2fr_zNoqLBvtoghDyE5OoscvoEEMh2t1dpp8zf7QW3Qs/s400/gen.jpg" border="0" alt="gen.jpg" /><br /><br /><strong>Trojan.Hydraq - Part II</strong> (2010-01-16)<br /><br />The previous <a href="http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html" target="_blank">post</a> described the installation process of the trojan and its backdoor commands.<br /><br />Now it's time to inspect its connection details, in particular where it retrieves the host name of the remote command-and-control (C&C) server from.<br /><br />The source code of the trojan contains a hard-coded host name 192.168.5.164 that is tried every 5 seconds, but these values must have been used during testing only - they are replaced with different ones at runtime - we must establish which ones.<br /><br />It is also worth noting that the trojan's code is very fragmented - it is deliberately split into small chunks of a few instructions each, connected with calls and jumps into a large maze: the code of Trojan.Hydraq contains 1,748 jumps and 922 calls - tracing it requires quite a bit of patience. 
The graph of the disassembled code indeed resembles a serpent-like beast - hence, probably, the name.<br /><br />Hydraq's call-only graph:<br /><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 320px; height: 314px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl00jkXw-4CX4rrirxNk9Th7axZAXBv8AzUG6IKrLzMA_rLLNVvU86M6fS6ZWulkG3Dy_0e5A4FwYnAAxsImQGdQ3BSRqgv-1KmOabvC9O_Q4MQs3HLQYQbNb40fY6S-e2hu356cJRDcE/s320/maze.png" border="0" alt="maze.png" /><br /><br />The trojan carries its C&C connection details (server name, port, retry delay, etc.) inside an internal resource (name 100, type 243). The resource is 344 bytes in size, and it is encrypted.<br /><br />Decryption of the resource is performed in 4 stages:<br /><ul><br /><li>The first 8 bytes of the resource are skipped; the remaining 336 bytes are XOR-ed with 0x99</li><br /><li>Next, every byte of the 336-byte input buffer is translated according to the following logic:</li><ul><br /><li>if the byte is a character from 'A' to 'Z', the value of 'A' (0x41) is subtracted from it</li><br /><li>if the byte is a character from 'a' to 'z', the value of 'G' (0x47) is subtracted from it</li><br /><li>if the byte is a character from '0' to '9', 4 is added to it</li><br /><li>if the byte is the character '+', it is replaced with '>'</li><br /><li>if the byte is the character '/', it is replaced with '?'</li><br /><li>if the byte is the character '=', it is replaced with '\0'</li><br /><li>otherwise, the byte is left as is</li></ul><br /><li>The input buffer is then converted into the resulting buffer, which is 25% smaller. This is achieved by splitting every byte quartet (bytes 0-3) of the input buffer into 3 pairs (0-1, 1-2, 2-3), performing operations over these three pairs, and writing the 3 resulting bytes into the output buffer. This way, the 336 bytes are converted into 252 bytes (4 -> 3 conversion); in a way, it's similar to unpacking all-ASCII base64 back into binary. The operations performed over the 3 pairs are illustrated below:</li><br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 344px; height: 277px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYx_toq8AJktNTFXhQrnEqEmTHRbwKqBXy2hlf0s6jYCt7NrjFXxAO6aJEyZ55xdNr-fDrRRhxts0fgJ79aRjdbDE6lLWSMovQ4iDC4lh96RYtrrwoDB7ShaapVKFa4Zgl8kKXTIu-htA/s400/img2.png" border="0" alt="img2.png" /><br /><li>Finally, the resulting 252 bytes are XOR-ed with 0xAB</li><br /></ul><br />The fully decrypted resource is shown below:<br /><img style="display:block; margin:0px auto 10px; text-align:center; width: 400px; height: 235px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrB6QzwD1bGo9pRIFNTSiZoro6aG1KaXoEFzVRSo_iMaD5i4_xB2ZqO5mOr_IpZJg8b-4MAUlLZYmrwl2Wmrwl005ALsahnrVJzZTsecOsho2hQIuVAAR_kPbax_Hfn0nfixyObHH_r_E/s400/img1.png" border="0" alt="img1.png" /><br /><br />Knowing this logic, the decryption can now be reconstructed in a stand-alone tool; a function that 
retrieves and decrypts the resource from the trojan DLL is provided below (it should be run in a virus lab, as loading the DLL will invoke its entry point):<br /><br /><pre style="font-size:small; border: 1px solid rgb(180, 180, 180); overflow: auto; background-color: rgb(255, 255, 255); color: rgb(0, 0, 0);">
#include &lt;windows.h&gt;
#include &lt;tchar.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

#define IDD_RES_NAME 100
#define IDD_RES_TYPE 243

void DecodeHydraqResource()
{
    HMODULE hDll;
    HRSRC hRes;
    HGLOBAL hResLoad;
    LPBYTE lpRes;
    BYTE lpBuffer[0x150];
    BYTE lpResult[0x150];
    int iResultOffset;
    int i;
    char szHost[MAX_PATH];
    int dwDelay;
    int dwPort;
    char szAltDnsServer[MAX_PATH];
    char szMessage[MAX_PATH * 4];
    BOOL bOk;

    szHost[0] = '\0';
    dwDelay = 0;
    dwPort = 0;
    szAltDnsServer[0] = '\0';
    bOk = FALSE;
    szMessage[0] = '\0';

    // loading the DLL executes its entry point - virus lab only
    hDll = LoadLibrary(_T("sample.dll"));
    if (hDll)
    {
        // the connection details are stored in the resource with name 100 and type 243
        hRes = FindResource(hDll, MAKEINTRESOURCE(IDD_RES_NAME), MAKEINTRESOURCE(IDD_RES_TYPE));
        if (hRes)
        {
            hResLoad = LoadResource(hDll, hRes);
            lpRes = hResLoad ? (LPBYTE)LockResource(hResLoad) : NULL;
            if (lpRes)
            {
                memset(lpResult, 0, 0x150);
                iResultOffset = 0;

                // the resource is 344 (0x158) bytes: 8 header bytes followed by 336 encoded bytes
                if (SizeofResource(hDll, hRes) == 0x158)
                {
                    memset(lpBuffer, 0, 0x150);
                    memcpy(lpBuffer, lpRes + 8, 0x150);

                    // stages 1 and 2: XOR with 0x99, then translate every character into a 6-bit value
                    for (i = 0; i < 0x150; i++)
                    {
                        lpBuffer[i] ^= 0x99;

                        if ((lpBuffer[i] >= 'A') && (lpBuffer[i] <= 'Z'))
                        {
                            lpBuffer[i] -= 'A';
                        }
                        else if ((lpBuffer[i] >= 'a') && (lpBuffer[i] <= 'z'))
                        {
                            lpBuffer[i] -= 'G';
                        }
                        else if ((lpBuffer[i] >= '0') && (lpBuffer[i] <= '9'))
                        {
                            lpBuffer[i] += 4;
                        }
                        else if (lpBuffer[i] == '+')
                        {
                            lpBuffer[i] = '>';
                        }
                        else if (lpBuffer[i] == '/')
                        {
                            lpBuffer[i] = '?';
                        }
                        else if (lpBuffer[i] == '=')
                        {
                            lpBuffer[i] = 0;
                        }
                    }

                    // stage 3: pack every 4 input bytes into 3 output bytes (336 -> 252)
                    for (i = 0; i < 0x150; i += 4)
                    {
                        lpResult[iResultOffset++] = (lpBuffer[i] * 4) ^ (lpBuffer[i + 1] / 16);
                        lpResult[iResultOffset++] = (lpBuffer[i + 1] * 16) ^ (lpBuffer[i + 2] / 4);
                        lpResult[iResultOffset++] = (lpBuffer[i + 2] * 64) ^ (lpBuffer[i + 3]);
                    }

                    // stage 4: XOR the 252 result bytes with 0xAB
                    for (i = 0; i < iResultOffset; i++)
                    {
                        lpResult[i] ^= 0xAB;
                    }

                    // layout: host name (ASCIIZ) at the start; port, delay and alternative DNS server in the last 12 bytes
                    i = strlen((LPSTR)lpResult);

                    if ((i > 0) && (i < MAX_PATH))
                    {
                        strcpy(szHost, (LPSTR)lpResult);
                        sprintf(szAltDnsServer,
                                "%d.%d.%d.%d",
                                lpResult[iResultOffset - 4],
                                lpResult[iResultOffset - 3],
                                lpResult[iResultOffset - 2],
                                lpResult[iResultOffset - 1]);
                        dwPort = *(LPDWORD)(lpResult + iResultOffset - 12);
                        dwDelay = *(LPDWORD)(lpResult + iResultOffset - 8);
                        sprintf(szMessage,
                                "Remote Host: %s\nAlternative DNS Server: %s\nConnection Port: %d\nDelay between connection attempts: %d sec.",
                                szHost,
                                szAltDnsServer,
                                dwPort,
                                dwDelay);
                        bOk = TRUE;
                    }
                }
            }
        }
        FreeLibrary(hDll);
    }

    if (!bOk)
    {
        MessageBoxA(NULL, "Failed to retrieve any details!", "Error", MB_OK);
    }
    else
    {
        MessageBoxA(NULL, szMessage, "Success", MB_OK);
    }
}
</pre><br /><br />Once the trojan knows its C&C server, it attempts to connect to it via the specified port - e.g. server sl1.homelinux.org, port 443.<br /><br />It starts by trying to resolve the host name. If this attempt fails, the trojan makes a DNS query by crafting a TCP packet to port 53 of an alternative (legitimate) DNS server, also specified in its resource, in order to resolve the same host name. 
For example, the analysed sample has the alternative DNS server 168.95.1.1 - this is the dns.hinet.net server <a href="http://www.robtex.com/ip/168.95.1.1.html" target="_blank">located</a> in Taiwan.<br /><br />If Hydraq can't connect to the remote server, it sleeps for the time specified in its resource (2 minutes), then repeats the beaconing.<br /><br />If the connection to the remote host on port 443 succeeds, the malware prepares a packet to send - it is 20 bytes in size:<br /><br /><font face="Courier New" size="2">00 00 00 00 00 00 FF FF 01 00 00 00 00 00 00 00 00 00 77 00</font><br /><br />The packet is encoded by inverting its bytes:<br /><br /><font face="Courier New" size="2">FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF</font><br /><br />As soon as the packet is submitted to the live C&C server, it receives a response packet that is also 20 bytes in size. It is encrypted with XOR 0xCC.<br /><br />Hydraq decodes the received packet and retrieves the command ID from it - a number from 0 to 18, which is then converted into a backdoor command group - a number from 0 to 10. The conversion rules (Command ID -> Backdoor Command Group) are shown below:<ul><br /><li>0 -> 0 (adjust privileges, terminate processes)</li><br /><li>1 -> 1 (control services group)</li><br /><li>2 -> 2 (remote file execution)</li><br /><li>3 -> 3 (registry manipulation group)</li><br /><li>4 -> 4 (file system manipulation group)</li><br /><li>5 -> 10 (receive more data)</li><br /><li>6 -> 5 (system manipulations - power off/reboot/uninstall/clear events)</li><br /><li>7 -> 6 (file search)</li><br /><li>8 -> 7 (call other components)</li><br /><li>9 -> 10</li><br /><li>10 -> 8</li><br /><li>11 -> 10</li><br /><li>12 -> 10</li><br /><li>13 -> 10</li><br /><li>14 -> 10</li><br /><li>15 -> 10</li><br /><li>16 -> 10</li><br /><li>17 -> 10</li><br /><li>18 -> 9 (networks.ics file manipulations)</li></ul><br />Next, a specific command from the chosen group is executed. 
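As an added example (not code from the original post), the 4-stage resource decryption implemented by the C function above and the 20-byte beacon/response handling just described are re-done here in Python so they can be run offline. The resource bytes are constructed by inverting the trojan's own steps, and the host, port, delay and DNS values are placeholders, not indicators from a real sample; the stage-2 translation is exactly the standard base64 alphabet, which is relied on only to build that test data.

```python
import base64
import struct

RES_SIZE = 0x158                 # raw resource: 8 header bytes + 336 encoded bytes
ENC_LEN = 0x150                  # 336 encoded bytes ...
DEC_LEN = ENC_LEN // 4 * 3       # ... become 252 decoded bytes

# Command ID (0..18) -> backdoor command group (0..10), as listed in the post
CMD_GROUP = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 10, 6: 5, 7: 6, 8: 7, 9: 10,
             10: 8, 11: 10, 12: 10, 13: 10, 14: 10, 15: 10, 16: 10, 17: 10, 18: 9}


def _sextet(c):
    """Stage 2: map one XOR-ed byte to its 6-bit value (this is the base64 alphabet)."""
    if 0x41 <= c <= 0x5A:        # 'A'..'Z' -> 0..25
        return c - 0x41
    if 0x61 <= c <= 0x7A:        # 'a'..'z' -> 26..51
        return c - 0x47
    if 0x30 <= c <= 0x39:        # '0'..'9' -> 52..61
        return c + 4
    if c == 0x2B:                # '+' -> 62
        return 0x3E
    if c == 0x2F:                # '/' -> 63
        return 0x3F
    if c == 0x3D:                # '=' -> 0
        return 0
    return c                     # anything else is left as is


def decode_resource(raw):
    """Stages 1-4: skip 8 bytes, XOR 0x99, translate, pack 4 -> 3, XOR 0xAB."""
    if len(raw) != RES_SIZE:
        raise ValueError("resource is %d bytes, expected %d" % (len(raw), RES_SIZE))
    buf = [_sextet(b ^ 0x99) for b in raw[8:8 + ENC_LEN]]
    out = bytearray()
    for i in range(0, ENC_LEN, 4):
        b0, b1, b2, b3 = buf[i:i + 4]
        out.append(((b0 << 2) ^ (b1 >> 4)) & 0xFF)
        out.append(((b1 << 4) ^ (b2 >> 2)) & 0xFF)
        out.append(((b2 << 6) ^ b3) & 0xFF)
    return bytes(b ^ 0xAB for b in out)


def parse_config(dec):
    """Field layout used by the C function: host (ASCIIZ) first; port, delay and
    alternative DNS server in the last 12 bytes (two little-endian DWORDs + 4 octets)."""
    host = dec.split(b"\0", 1)[0].decode("ascii")
    port, delay = struct.unpack_from("<II", dec, DEC_LEN - 12)
    alt_dns = ".".join(str(b) for b in dec[DEC_LEN - 4:])
    return {"host": host, "port": port, "delay": delay, "alt_dns": alt_dns}


def encode_resource(host, port, delay, alt_dns):
    """Inverse of decode_resource; used only to CONSTRUCT test data offline."""
    plain = bytearray(DEC_LEN)
    plain[:len(host)] = host.encode("ascii")
    struct.pack_into("<II", plain, DEC_LEN - 12, port, delay)
    plain[DEC_LEN - 4:] = bytes(int(x) for x in alt_dns.split("."))
    # XOR 0xAB, base64 (252 bytes -> 336 chars, no padding), then XOR 0x99; 8-byte header left zero
    encoded = base64.b64encode(bytes(b ^ 0xAB for b in plain))
    return b"\0" * 8 + bytes(b ^ 0x99 for b in encoded)


# The 20-byte beacon quoted in the post; it is sent with every byte inverted
BEACON = bytes.fromhex("000000000000FFFF010000000000000000007700")


def encode_beacon(packet=BEACON):
    return bytes((~b) & 0xFF for b in packet)


def decode_response(packet):
    """The 20-byte reply is XOR-ed with 0xCC. The post does not state at which
    offset the command ID sits, so the caller picks the byte to pass to command_group()."""
    if len(packet) != 20:
        raise ValueError("response must be 20 bytes")
    return bytes(b ^ 0xCC for b in packet)


def command_group(cmd_id):
    """Map a command ID (0..18) to its backdoor command group (0..10)."""
    if cmd_id not in CMD_GROUP:
        raise ValueError("unknown command ID %d" % cmd_id)
    return CMD_GROUP[cmd_id]


if __name__ == "__main__":
    raw = encode_resource("c2.example.test", 443, 120, "198.51.100.7")  # constructed sample
    print(parse_config(decode_resource(raw)))
    print(encode_beacon().hex())
```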
For more details on the backdoor groups and the commands within them, please check the <a href="http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html" target="_blank">previous</a> post.<br /><br />It may be assumed that upon a successful connection to the remote C&C server (sl1.homelinux.org), the trojan was designed to be able to update itself. A new copy may have a different C&C server specified in its resource (e.g. yahooo.8866.org, 360.homeunix.com or, as in the last seen sample, blog1.servebeer.com) in order to survive the shutdown of the old servers.<br /><br />The presence of a resource that stores all the connection parameters could potentially indicate an intended cloud-based automation for updating the same template with a newly generated resource without the need to recompile the sample, with the obfuscation step added on top of it to evade existing detections. With the relatively high update frequency of such server-side polymorphism, the C&C server shutdown may always fall behind; given the fact that firewalls let traffic on port 443 (HTTPS) through, a heuristic detection of Trojan.Hydraq (added as <a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-011411-3125-99" target="_blank">Trojan.Hydraq!gen1</a>) is a viable option that reliably breaks this vicious circle.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-29939673384038610402010-01-13T17:49:00.000-08:002010-01-22T20:39:46.564-08:00Trojan.Hydraq ExposedThis post describes the functionality (from static analysis) of the trojan that was <a href="http://www.wired.com/threatlevel/2010/01/google-hack-attack/" target="_blank">reported</a> in the recent targeted attacks against some large companies.<br /><br /><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2" target="_blank">Trojan.Hydraq</a> is a DLL that runs as a service within the context of the system process <font face="Courier New" 
size="2">svchost.exe</font>.<br /><br />In order to be executed within the process <font face="Courier New" size="2">svchost.exe</font> at the system startup, the trojan employs no injection techniques - this is achieved with the steps described below.<br /><br />Firstly, the trojan registers itself as a system service <font face="Courier New" size="2">RaS[4 random characters]</font> by creating registry entries under the newly created key:<br /><br /><font face="Courier New" size="2">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]</font><br /><br />The <font face="Courier New" size="2">"ImagePath"</font> value of its service registry key is set to start <font face="Courier New" size="2">svchost.exe</font>, as shown below:<br /><br /><font face="Courier New" size="2">"ImagePath"</font> = <font face="Courier New" size="2">%SystemRoot%\system32\svchost.exe -k netsvcs</font><br /><font face="Courier New" size="2">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]</font><br /><br />This will force the system process <font face="Courier New" size="2">svchost.exe</font> to look up its multi-string value <font face="Courier New" size="2">"netsvcs"</font>, load all services specified in it into its address space, and then call their <font face="Courier New" size="2">ServiceMain()</font> exports.<br /><br />To make <font face="Courier New" size="2">svchost.exe</font> aware of its existence and be loaded too, the trojan adds its service name into the list of strings (service names) stored in the value <font face="Courier New" size="2">"netsvcs"</font> of the registry key:<br /><font face="Courier New" size="2">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost</font><br /><br />To make sure its service name is added to the list of services only once, the trojan queries the contents of the value <font face="Courier New" size="2">"netsvcs"</font> to make sure that the multiple strings stored in that 
value do not contain any string that starts with <font face="Courier New" size="2">"RaS"</font> (case-sensitive).<br /><br />Other parameters of the newly installed service are specified in the values:<br /><br /><font face="Courier New" size="2">ObjectName</font> = <font face="Courier New" size="2">LocalSystem</font><br /><font face="Courier New" size="2">Type</font> = <font face="Courier New" size="2">dword:0x20</font> (a win32 service that can share a process with other win32 services)<br /><font face="Courier New" size="2">Start = 2</font> (to be loaded automatically at every startup)<br /><br />of the registry key:<br /><br /><font face="Courier New" size="2">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]</font><br /><br />Finally, to let the <font face="Courier New" size="2">svchost.exe</font> process know where to load the DLL from, the image path of the trojan's service DLL is saved by setting the value:<br /><br /><font face="Courier New" size="2">ServiceDll</font> = <font face="Courier New" size="2">[path to trojan DLL]</font><br /><br />of the registry key:<br /><br /><font face="Courier New" size="2">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]\Parameters</font><br /><br />The file name of the trojan DLL is retrieved by calling the <font face="Courier New" size="2">GetModuleFileNameA()</font> API, as the trojan knows its name may vary.<br /><br />For instance, the trojan can create a copy of itself under a random filename in the <font face="Courier New" size="2">%TEMP%</font> directory; if it locates a file <font face="Courier New" size="2">%TEMP%\c_1758.nls</font>, it may rename that file to a different file name.<br /><br />NOTE: <font face="Courier New" size="2">%TEMP%</font> is a variable that refers to the temporary folder in the short path form.
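A defender's check for the service registration steps described above, as an added example that is not code from the original post: it walks the netsvcs group and flags any installed member whose name matches RaS plus four characters or whose ServiceDll lies outside the Windows directory. The logic is a pure function over registry data passed in as Python values; read_live_registry() collects that data with winreg on a Windows host, and the sample data in main() is constructed. Treating a ServiceDll outside %SystemRoot% as suspicious is this example's own heuristic, not a fact from the post.

```python
"""Check for the svchost/netsvcs persistence described above (added example)."""
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Service name pattern from the post: "RaS" followed by 4 random characters.
# The trojan's own duplicate check is case-sensitive on the "RaS" prefix, so
# the match here is case-sensitive too.
RAS_NAME = re.compile(r"^RaS.{4}$")

# Heuristic assumed by this example: legitimate netsvcs members are loaded
# from the Windows directory, so a ServiceDll pointing elsewhere (e.g. the
# %TEMP% copy the post mentions) is reported.
WINDIR_PREFIXES = ("%systemroot%", "c:\\windows")

ServiceInfo = Dict[str, Optional[str]]  # currently only the "ServiceDll" value


def _outside_windows_dir(dll_path: Optional[str]) -> bool:
    """True if the ServiceDll value is missing or not under the Windows directory."""
    if not dll_path:
        return True
    normalised = dll_path.strip('"').lower()
    return not normalised.startswith(WINDIR_PREFIXES)


def find_suspicious_netsvcs(netsvcs: Iterable[str],
                            services: Dict[str, ServiceInfo]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for netsvcs members matching the post's indicators.

    netsvcs:  the multi-string value "netsvcs" under
              HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost
    services: installed services keyed by name, each with its Parameters\\ServiceDll value
    """
    findings: List[Tuple[str, str]] = []
    for name in netsvcs:
        info = services.get(name)
        if info is None:
            continue  # listed in the group but not installed: svchost loads nothing for it
        if RAS_NAME.match(name):
            findings.append((name, "service name matches the RaS[4 random characters] pattern"))
        dll = info.get("ServiceDll")
        if _outside_windows_dir(dll):
            findings.append((name, f"ServiceDll outside the Windows directory: {dll!r}"))
    return findings


def read_live_registry() -> Tuple[List[str], Dict[str, ServiceInfo]]:
    """Collect the netsvcs list and each installed member's ServiceDll (Windows only)."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost") as key:
        netsvcs, _ = winreg.QueryValueEx(key, "netsvcs")
    services: Dict[str, ServiceInfo] = {}
    for name in netsvcs:
        service_key = r"SYSTEM\CurrentControlSet\Services" + "\\" + name
        try:
            winreg.CloseKey(winreg.OpenKey(hklm, service_key))
        except OSError:
            continue  # not installed on this host
        try:
            with winreg.OpenKey(hklm, service_key + r"\Parameters") as params:
                dll, _ = winreg.QueryValueEx(params, "ServiceDll")
        except OSError:
            dll = None  # installed, but no Parameters\ServiceDll value
        services[name] = {"ServiceDll": dll}
    return list(netsvcs), services


if __name__ == "__main__":
    if sys.platform == "win32":
        group, installed = read_live_registry()
    else:
        # Constructed sample data: one ordinary member and one Hydraq-style entry
        # whose DLL is the renamed %TEMP% copy described in the post.
        group = ["AppMgmt", "RaSab12", "Nla"]
        installed = {
            "AppMgmt": {"ServiceDll": r"%SystemRoot%\System32\appmgmts.dll"},
            "RaSab12": {"ServiceDll": r"C:\DOCUME~1\user\LOCALS~1\Temp\c_1758.nls"},
        }
    for service, reason in find_suspicious_netsvcs(group, installed):
        print(f"{service}: {reason}")
```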
By default, <font face="Courier New" size="2">%TEMP%</font> resolves to C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP) or C:\Users\[UserName]\AppData\Local\Temp (Windows Vista, Windows 7).<br /><br />The Hydraq trojan installs a backdoor that listens for incoming commands. The commands allow the trojan to perform multiple actions, which it organizes into groups; the commands are listed below with [group number].[internal command number] prefixes:<br /><br /><ul><br /><br /><li><font face="Courier New" size="2">[0.0]</font> adjust token privileges</li><br /><li><font face="Courier New" size="2">[0.1]</font> terminate processes</li><br /><br /><li><font face="Courier New" size="2">[1.0]</font> enumerate name and status for all system services</li><br /><li><font face="Courier New" size="2">[1.1]</font> control arbitrary services</li><br /><li><font face="Courier New" size="2">[1.2]</font> query status for arbitrary services</li><br /><br /><li><font face="Courier New" size="2">[2.0]</font> receive remote file and save it as <font face="Courier New" size="2">%TEMP%\mdm.exe</font>, then launch it by using command control program <font face="Courier New" size="2">%SYSTEM%\cmd.exe</font></li><br /><br /><li><font face="Courier New" size="2">[3.0]</font> enumerate registry keys under the specified key</li><br /><li><font face="Courier New" size="2">[3.1]</font> enumerate registry values for the specified key</li><br /><li><font face="Courier New" size="2">[3.3]</font> query registry values</li><br /><li><font face="Courier New" size="2">[3.4]</font> set registry values conditionally</li><br /><li><font face="Courier New" size="2">[3.5]</font> set registry values unconditionally</li><br /><li><font face="Courier New" size="2">[3.6]</font> delete registry keys</li><br /><li><font face="Courier New" size="2">[3.7]</font> create registry keys conditionally</li><br /><li><font face="Courier New" size="2">[3.8]</font> create registry keys unconditionally</li><br /><br 
/><li><font face="Courier New" size="2">[4.0]</font> retrieve the list of logical drives on a system</li><br /><li><font face="Courier New" size="2">[4.1]</font> read files from the local file system</li><br /><li><font face="Courier New" size="2">[4.2]</font> execute arbitrary files</li><br /><li><font face="Courier New" size="2">[4.3]</font> copy files in the local file system</li><br /><li><font face="Courier New" size="2">[4.4]</font> delete arbitrary directories</li><br /><li><font face="Courier New" size="2">[4.5]</font> rename files</li><br /><li><font face="Courier New" size="2">[4.6]</font> change file attributes</li><br /><br /><li><font face="Courier New" size="2">[5.1]</font> power off computer</li><br /><li><font face="Courier New" size="2">[5.2]</font> reboot Windows</li><br /><li><font face="Courier New" size="2">[5.3]</font> uninstall itself by deleting the registry key <font face="Courier New" size="2">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]</font></li><br /><li><font face="Courier New" size="2">[5.5]</font> clear all system event logs (application, security, and system pools)</li><br /><br /><li><font face="Courier New" size="2">[6.0]</font> enumerate files in the specified path</li><br /><br /><li><font face="Courier New" size="2">[7.11]</font> check if <font face="Courier New" size="2">%SYSTEM%\acelpvc.dll</font> is present - if it is present, load it and call its <font face="Courier New" size="2">EntryMain()</font> export; check the presence of the DLL <font face="Courier New" size="2">%SYSTEM%\VedioDriver.dll</font></li><br /><br /><li><font face="Courier New" size="2">[9.1]</font> open the file <font face="Courier New" size="2">%SYSTEM%\drivers\etc\networks.ics</font> and read 616 bytes from it</li><br /><li><font face="Courier New" size="2">[9.2]</font> delete the file <font face="Courier New" size="2">%SYSTEM%\drivers\etc\networks.ics</font></li><br /></ul><br />In addition to the commands enlisted 
above, the trojan retrieves the CPU speed by querying the <font face="Courier New" size="2">"~MHz"</font> value from the registry key:<br /><font face="Courier New" size="2">HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0</font><br /><br />The stolen details are then delivered to the remote site.<br /><br />The Hydraq trojan is capable of inter-process communication with other components via a named pipe - a separate thread is spawned for that purpose.<br /><br />Internal data or configuration is stored by the trojan in the values <font face="Courier New" size="2">"IsoTp"</font> and <font face="Courier New" size="2">"AppleTlk"</font> in the dedicated registry key:<br /><font face="Courier New" size="2">HKEY_LOCAL_MACHINE\Software\Sun\1.1.2</font><br /><br />Continued in <a href="http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html" target="_blank">part II</a>.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-82559040920201863002009-12-17T15:45:00.000-08:002009-12-17T16:04:31.804-08:00We are the champions, my friendsResults of a lengthy real-world malware protection study are published <a href="http://blogs.pcmag.com/securitywatch/2009/12/av-testorg_releases_real-world.php">here</a>.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_06e7Dfp7iVkOLCFt8YhRfA91XHw2HMBdjO2p3LUhjHYYQbTJpws5q_Qm2xrSrt9g4T-i26rMRjgHkRGxt2IOezWaGyxBiLMs8_UDnIuFbRibjFf3opA5Y8hypD-JXq9vssd1N2LLT00/s1600-h/chart.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 266px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_06e7Dfp7iVkOLCFt8YhRfA91XHw2HMBdjO2p3LUhjHYYQbTJpws5q_Qm2xrSrt9g4T-i26rMRjgHkRGxt2IOezWaGyxBiLMs8_UDnIuFbRibjFf3opA5Y8hypD-JXq9vssd1N2LLT00/s400/chart.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5416357768047336018" 
/></a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-84145606430333345842009-11-25T21:08:00.000-08:002009-11-25T21:33:16.316-08:00Run, Chrome OS! Run!It seems that the news on Chrome OS release have left no one <a target=_blank href="http://www.itbusinessedge.com/cm/blogs/enderle/chrome-os-why-it-will-fail/?cs=37688">neutral</a>; some observers are beating the drums of its imminent failure and premature death, by relying on rather oversimplified concepts of cloud computing and insinuating about the reasons why careless moms and dads just can't grasp the concept of strong passwords (<em>"how many times did we tell them to memorize Qp%n#82r$7D, but they keep writing it down on a piece of paper or even worse - keep choosing 12345?"</em>).<br /><br />From the point of view of these observers, the new security model of Chrome OS is not much different from this:<br /><br /><a target=_blank onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUxOynOZYTK4bK9GIwM6kyDPEJqMeZWin2ss6nXXTLKqMdr4xaCDeURdx0XpLzMv6D33yq43FUwcqOrkpRjHMaeOpSvXT6RDN850NU8PjbwIvIX2Ky_gkNVsFOdLHSDSNVkt1mc1e3gnE/s1600/chrome.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 97px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUxOynOZYTK4bK9GIwM6kyDPEJqMeZWin2ss6nXXTLKqMdr4xaCDeURdx0XpLzMv6D33yq43FUwcqOrkpRjHMaeOpSvXT6RDN850NU8PjbwIvIX2Ky_gkNVsFOdLHSDSNVkt1mc1e3gnE/s400/chrome.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5408275866511812290" /></a><br /><br />Let's step back for a moment and try to give it a fresh and fair look. 
Let's also keep in mind that many good projects make their way into our lives through three stages of public perception: strong criticism (almost always, and that's where many fail), then gradual adoption, painful at first and easier later, followed by a final stage that can be characterized as <em>"Well, what's so special about it?"</em>. We don't want to fall victim to the first stage, no matter how natural it is for humans, right?<br /><br />Well, Google claims that under the Chrome OS hood "all apps are web apps". <em>Boo!</em> But hold on a second, isn't that already true for Hotmail, Skype, online banking, and lots of other online web services that we rely on so much every day?<br /><br />Now walk into a computer store (mentally) and look (again, mentally) at the average mom and dad who want to buy a new computer. Is it really a surprise to learn that most of what they're going to use it for will be "web apps" anyway, such as the web, email, IM/chat/forums, Internet phone, document editing/printing (bills/taxes/records), personal finance services (online banking, trading stocks), online gaming, etc.?<br /><br />Sure enough, with a web-only machine they won't be able to scan documents, but given that the market exists, there will be dedicated scanners for home users that scan documents and send the images over to their online accounts. They won't be able to listen to CDs or watch DVDs, but there are specialized devices that do it better anyway. They won't be able to play games with powerful graphics, but there are plenty of gaming consoles for that purpose too.<br /><br />So it comes down to a question: would you prefer to have a TV, a DVD/BD player, and a sound system as dedicated stand-alone devices, maybe from different brands, or have all of them combined in one (cheaper) device? 
Would you prefer to have a printer, a scanner, and a telephone as separate devices, or a combined (cheaper) unit?<br /><br />If you choose the second option, then you must really adore your phone's camera! If you choose the first, even if it's a pricier option, doesn't it sound reasonable to have a dedicated device to handle web-only services? <br /><br />For a start, let's stick to just one such service: Internet Banking. Imagine having a dedicated 100% secure tiny netbook that allows you to bank online. It boots in 10 seconds and it can't run malware by design. Sure enough, hackers will try hacking a device like that to run Windows on it, but that won't be YOUR DEVICE. If your device gets stolen, it's useless: it stores nothing and you can't be impersonated with it. If you spill hot coffee on it and it shuts down instead of running faster, you'll buy another one (not coffee, netbook). Will it give you an extra hour of a good night's sleep, knowing that no hacker can compromise your online banking account?<br /><br />Now try to imagine how many threat families (keyloggers, banking Trojans, rootkits) instantly become irrelevant to you. Even if your other computer gets compromised by them, the only valuable thing the hackers might eventually steal from you will be the serial number of your antivirus product.<br /><br />If you love your netbook, you might extend its application to online shopping or online trading. Then to anything that's online and asks you for a password from that little soiled notebook in the middle section of your wallet. Extending its application further becomes a dangerous business, as a flaw in one web service may affect your other services (e.g. 
a phishing email may affect your online banking account if you do both on one machine); it's simply not wise to put all your eggs in one basket.<br /><br />The <a target=_blank href="http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview">security overview</a> of Chrome OS is an interesting read.<br /><br />By openly discussing the security challenges and the approaches suggested to address them, the Chrome guys are effectively telling us:<br /><br /><em>"Look, in our bank there is a vault with so much gold in it. The system is secure, but we're not sure about that air con duct – we think it's a weak point and the intruders may potentially crawl through it"</em>.<br /><br />Given that the source code is open, potential intruders get access to the internal design immediately. But the moment they start studying it, highly qualified white-hat professionals start doing the same. The idea is that any bugs, flaws or weaknesses will be revealed and fixed instantly, without leaving the intruders any chance to plan an attack.<br /><br />Compare it with the alternative approach: <em>"Look, in our bank there is a vault with so much gold in it. The system is secure."</em> After the robbery: <em>"The system is secure."</em> After another one: <em>"Ok, we fixed it, the system is secure"</em>, and so on.<br /><br />With security being the main cornerstone of Chrome OS, it's a step away from the "traditional" development philosophy that we are all used to: <em>"make it usable and release it first, think about security later, when the bugs/flaws are discovered"</em>. Usability being priority #1 creates a cash flow that allows investing in security and fine-tuning usability at a later stage. The problem with this approach is that when under-invested security fails, usability falls with it. 
Not just declines, but crashes spectacularly.<br /><br />The only company that can afford to put security first, in the blueprints, even before the developed software becomes available to users, will likely have a "cash cow" in a different product or solution. Otherwise, it will be trapped in a vicious circle where the product is not released because its model is not secure enough, so there are no sales and therefore no funding to make it secure enough to be released. Google's "cash cow" is its ads program, giving it all the required conditions to build a truly secure OS.<br /><br />Not an OS that replaces all other OSes (this will never happen), but at least an OS that can safely and narrowly be used for those critical web-only applications that create so much headache for customers in terms of stolen identities and money.<br /><br />Whether Google blows this chance or not, time will tell.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-40089083448205108632009-11-21T14:58:00.000-08:002009-11-22T19:22:00.920-08:00Dissecting Limbo Dropper [old]A routine laptop clean-up revealed a few-month-old video of unpacking the Limbo trojan dropper. Before it gets deleted, it is posted here in case some folks find it useful [<a href="http://www.threatexpert.com/blog/limbo/limbo.mov" target="_blank">link to video</a>].<br /><br />PS The sample was received from <a href="http://mnin.blogspot.com/" target="_blank">Michael Hale Ligh</a>. 
Thanks, Michael.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-88796850120489592532009-11-01T19:52:00.000-08:002009-11-01T20:20:31.216-08:00The New Moon TrojanWhile the sentence of the Pinch Trojan authors is about to <a href="http://www.theregister.co.uk/2009/02/05/pinch_trojan_toolkit/" target="_blank">expire</a> within the next few months, the code of their Trojan is still being morphed by others into other nasty forms.<br /><br />Apart from its known ability to gather system information and steal confidential information such as user names and passwords, Pinch is now capable of delivering the stolen details to a remote website by utilizing a powerful news management <a href="http://cutephp.com/" target="_blank">system</a> called "Cute News".<br /><br />What's not cute in this case, however, is that the website established by the remote attackers to collect stolen credentials is disguised under the name of the forthcoming movie blockbuster <a href="http://en.wikipedia.org/wiki/New_Moon_(2009_film)" target="_blank"><em>New Moon</em></a>.<br /><br />The infection starts with an image displayed to distract the user's attention while the Trojan gets activated. 
While the user stares at the picture, the Trojan starts harvesting user details, passwords, email addresses and other contents from the configuration files of the installed email clients Eudora, Thunderbird, Outlook, The Bat!, FTP clients FileZilla, WS_FTP, CuteFTP, and several other applications.<br /><br />The Trojan then collects system information that includes installed application names and their versions, serial numbers, user and computer names, the names of the running applications, user’s email account settings, and some other system details.<br /><br />The collected information is then encoded into Base64 format and posted into the remote Cute News service hosted by the attackers at <em>http://www.newmoon-movie.net</em>.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg69LkDkym6KgJM3XBuM-7S3ehj5BRRt1iodc9Dk_ie2uWIWxx01uEgf_DIwZbgz_-8YAvWwgtw2RJT3BSIWcttpSjKH-ZSyb7JaeZ0cm5OPHfsf7cc232VzDuBHNAg8MFfRDyckPRHlNA/s1600-h/nm3.gif"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg69LkDkym6KgJM3XBuM-7S3ehj5BRRt1iodc9Dk_ie2uWIWxx01uEgf_DIwZbgz_-8YAvWwgtw2RJT3BSIWcttpSjKH-ZSyb7JaeZ0cm5OPHfsf7cc232VzDuBHNAg8MFfRDyckPRHlNA/s320/nm3.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5399353504081614674" /></a><br /><br />The post takes place via HTTP protocol allowing attackers to use the power of the Cute News system to accept, collect and use the stolen information without setting up any databases as all information is stored in flat files.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvbRydRP6l3us9kMetFhbJFYiHLu-nIb6HjKHhDSNrir3S6TjPUDNB0PxLtFAE2IxqYVdRqDNH_i3UOgJqs0KAutjRyJ-j34ucCH8Vm6Rtl5E1AMkFk1t8MhIkLtKEx9pUETa4Ayp4-pM/s1600-h/nm1.gif"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 98px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvbRydRP6l3us9kMetFhbJFYiHLu-nIb6HjKHhDSNrir3S6TjPUDNB0PxLtFAE2IxqYVdRqDNH_i3UOgJqs0KAutjRyJ-j34ucCH8Vm6Rtl5E1AMkFk1t8MhIkLtKEx9pUETa4Ayp4-pM/s320/nm1.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5399352033862767842" /></a><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdaiMYOC0k6pqO9SkeKBqykhrM1hflTveUcT7pKlf5wsQ-3wvK5TO0vU2DNdlM_btbXoJXqnmEdCFOrMg_mhrEIKr4d114bPal4C1C7kpPNBF1JhvqXOolc5zwIkEOJB1Qdy33Kl5p5BM/s1600-h/nm2.gif"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 154px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdaiMYOC0k6pqO9SkeKBqykhrM1hflTveUcT7pKlf5wsQ-3wvK5TO0vU2DNdlM_btbXoJXqnmEdCFOrMg_mhrEIKr4d114bPal4C1C7kpPNBF1JhvqXOolc5zwIkEOJB1Qdy33Kl5p5BM/s320/nm2.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5399351983965470114" /></a><br /><br />Automated analysis is available <a href="http://www.threatexpert.com/report.aspx?md5=a93a96103b0f20ceca34bacce954d12f" target="_blank">here</a>.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-60318851409966717832009-09-16T19:06:00.000-07:002009-09-17T15:25:48.626-07:00Time to Revisit Zeus AlmightyZeus/Zbot is an annoying threat. 
Its persistence is explained by the fact that it is generated by a large army of attackers who use the Zeus builder.<br /><br />Those attackers who are high in the food chain pay thousands of dollars for the latest Zeus builder to make sure they distribute the most up-to-date undetectable bot builds. But many are still happy to use obsolete versions of the builder - these are available for free on various file sharing web sites.<br /><br />One way or another, the wave of new Zeus/Zbot samples being distributed every day is alarming. It's a kind of "attack of the clones": multiple modifications of the bot are produced in the wild, packed and encrypted on top with all sorts of packers, including modified, hacked, or private packer builds. Before being released, every newly generated and protected bot is uploaded to popular multi-AV scanner services to make sure it is not detected by any antivirus vendor. Hence, its distribution scale is quite a problem.<br /><br />The nasty thing about Zeus/Zbot is that it evolves. The latest generation of the bot uses rootkit techniques to hide its presence on the victim's machine. The bot uses covert methods of injecting additional fields into Internet banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites and added to remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. 
The money laundering groups anonymously hire real people to withdraw money from their personal accounts - in the criminal world these people are called "drops", and their accounts are called "drop accounts".<br /><br />Without going too much into detail about the whole economy that operates behind Zeus/Zbot, let's rather concentrate on some of its technical aspects.<br /><br />An important fact to mention is that the bot itself is like a framework with no "brains". It is merely a program that hooks itself into the system and hides there effectively. The logic that drives the bot's behaviour is contained in its configuration file.<br /><br />The configuration file of Zeus/Zbot is like the definitions database of an antivirus product. Without it, the bot is pretty much useless. The logic contained in the configuration comprises the list of banking institutions that the bot targets, the URLs of the additional components that the bot relies on to download commands and updates, the lists of questions and the list of the fields that the bot injects into Internet banking websites to steal personal details/credentials, etc.<br /><br />For instance, if the attacker only wanted to target local customers in Brazil, the bot's configuration file would list Brazilian banks, and the questions/fields would be in Brazilian Portuguese only. This way, the bot could transparently allow Internet banking transactions for non-Brazilian customers, because the attacker would not be interested in those transactions, attacking domestic customers and their transactions only.<br /><br />The configuration of Zeus/Zbot is never stored in plain text. It is encrypted. The previous generation of Zeus/Zbot used a hard-coded encryption mechanism for its configuration. It was possible to reverse engineer the encryption algorithm and build a decryptor for any configuration file that belonged to any bot of the same generation.<br /><br />The game has changed. 
The latest generation of Zeus/Zbot encrypts its configuration file with a key that is unique to, and stored inside, the bot executable to which that configuration file belongs. This way, the configuration file of one bot sample will not work for another bot sample, even if both samples are generated with the same builder. As the decryption key is stored inside the bot executable, the configuration cannot be decrypted without the executable. However, the executable that contains the key is also packed on top so that the key cannot easily be retrieved from it. Brute-forcing the key is not a viable option as the key is 256 bytes long.<br /><br />In other words, it's practically "a riddle wrapped in a mystery inside an enigma, but perhaps there is a key", as Winston Churchill once said about the homeland of the Zeus author(s).<br /><br />In order to reveal the key for the Zeus/Zbot configuration and study the decryption mechanism, a few things need to be done first.<br /><br />Firstly, Zeus/Zbot can be run on a virtual machine under the OllyDbg debugger and dumped with the OllyDump plugin installed:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm9ocoLh0a1foPkh8LzICHJP2udph1_oniSh9lrhc4tv3kujaAs22yCFX42oTcBLiPPOVVeYPr21lw8ALmcOHHhN2HD8FdLNrCDzgFAIWdOxSLrgr6WceMRVZb1UIlk3Y2D-J0XzIf3rY/s1600-h/olly.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjm9ocoLh0a1foPkh8LzICHJP2udph1_oniSh9lrhc4tv3kujaAs22yCFX42oTcBLiPPOVVeYPr21lw8ALmcOHHhN2HD8FdLNrCDzgFAIWdOxSLrgr6WceMRVZb1UIlk3Y2D-J0XzIf3rY/s320/olly.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5382253354245692898" /></a><br /><br />The created dump can be loaded into the IDA disassembler - the variables that store dynamically retrieved addresses of APIs should be renamed to the API names 
to ease the code reading, as shown below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFrv08dfIlwrDhOocwRQmPvDlaaWP4j8Iar0tjIUChZEJoqbrSsDNAIRGtJPABCAelPPkmAGVnNV1HnbAKFT9Mb_PRv1Ft4w7XlWcdfClri4qz0bOIkfzZW6KD6z5Eb3sTBCGsszE07m8/s1600-h/ida.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 244px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFrv08dfIlwrDhOocwRQmPvDlaaWP4j8Iar0tjIUChZEJoqbrSsDNAIRGtJPABCAelPPkmAGVnNV1HnbAKFT9Mb_PRv1Ft4w7XlWcdfClri4qz0bOIkfzZW6KD6z5Eb3sTBCGsszE07m8/s320/ida.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382253618410867890" /></a><br /><br />The analysed dump does not reveal the code that downloads and decrypts the configuration file. It is because the dump was created for the first stage of the execution workflow - when it drops other files, installs hooks and injects its own code into the system process services.exe.<br /><br />In spite of the decryption key being present in the dump (as it becomes known later), revealing it now along with the decryption mechanism by analysing the dump statically is not easy as the code did not branch that execution path yet.<br /><br />Ok, so what do we do now?<br /><br />Let's run RootkitUnhooker to check the system integrity. 
According to its hook revealer, two installed IAT hooks can be seen:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjt6NkW3uEmkE7DlbaJaqMbb3bMSMW7XqL6fr7eSEepZKiy29pVfMvE4ebpMHZfBq-Qh5OV0mn26dOqys8o5Xrf9z9mWrqM_DYdMtulttWekha-RD060vWDU4D-7e01AspfsB6t5ANZj4/s1600-h/rku.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 126px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjt6NkW3uEmkE7DlbaJaqMbb3bMSMW7XqL6fr7eSEepZKiy29pVfMvE4ebpMHZfBq-Qh5OV0mn26dOqys8o5Xrf9z9mWrqM_DYdMtulttWekha-RD060vWDU4D-7e01AspfsB6t5ANZj4/s320/rku.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382253777858408242" /></a><br /><br /><br />According to ThreatExpert <a target="_blank" href="http://www.threatexpert.com/report.aspx?md5=D425C131B86818493FDF748755568A08">report</a>, the bot creates the following files:<br /><ul><br /><li>%System%\lowsec\local.ds</li><br /><li>%System%\lowsec\user.ds</li><br /><li>%System%\sdra64.exe</li><br /></ul><br /><br />Because of the hooks, these files are not visible in Explorer, but trying to create a directory %System%\lowsec invokes the following message box:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkddT-m_pRynImMpSVqqaSV-rZhKMENLJgnx568zOqfrTPYvFKzMzl2FGuEucmxiS4EAjrXVzvBaQStyLjc4lA_R6lw11dnK8Mo4ETmi_gZEG-E_7fJWJYUTxFtMqOI2IEGC9PfNWOFZ4/s1600-h/lowsec.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 204px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkddT-m_pRynImMpSVqqaSV-rZhKMENLJgnx568zOqfrTPYvFKzMzl2FGuEucmxiS4EAjrXVzvBaQStyLjc4lA_R6lw11dnK8Mo4ETmi_gZEG-E_7fJWJYUTxFtMqOI2IEGC9PfNWOFZ4/s320/lowsec.png" border="0" 
alt=""id="BLOGGER_PHOTO_ID_5382254271174157634" /></a><br /><br />The hook in the system process services.exe gives a good reason to dump it and analyse what's in its memory. Dumping the main module is not enough, as a typical injection mechanism allocates new memory inside the target process and writes the code there. Thus, the process needs to be dumped entirely, including all of its heap pages.<br /><br />Of all the dumped pages of the system process services.exe, two allocations belong to the bot:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAugZK02VxJ1Ja3Fmz5VVwDOWih-uF3kUQsDk2_ZFX78QiGwAKJ5xiY-jvaXvsQvq08ToFX2ioav0tCJPPTTxZzAaZD0wcq7uyyOa31Vo_eLEmeH_3mDNqWZ8pAo_HCDx878W3tD-HxAQ/s1600-h/pages.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 306px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAugZK02VxJ1Ja3Fmz5VVwDOWih-uF3kUQsDk2_ZFX78QiGwAKJ5xiY-jvaXvsQvq08ToFX2ioav0tCJPPTTxZzAaZD0wcq7uyyOa31Vo_eLEmeH_3mDNqWZ8pAo_HCDx878W3tD-HxAQ/s320/pages.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382255672344999778" /></a><br /><br />These two allocations may span the address range <font face="Courier New" size="2">0x00040000</font> - <font face="Courier New" size="2">0x00057000</font>, or <font face="Courier New" size="2">0x00980000</font> - <font face="Courier New" size="2">0x00997000</font> after a reboot (the base address differs between runs), and can be joined together to be loaded into the disassembler again.<br /><br />Once reloaded into the disassembler, the variables that store dynamically retrieved addresses of APIs should be renamed again into the API names. 
As the names of the APIs are not visible in this dump anymore, the APIs can either be retrieved by looking up the virtual addresses contained in the function pointers, or by matching the disassembled code with the previously disassembled dump (obtained from OllyDbg/OllyDump) and assigning the same names as in the former dump to the same pointer variables, as shown in the screen grab below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtIXLN7UgwANyg2v9PGhSoipWMPiju0RQaV1iPLcndSAzLVMEXiVNjggPiZTa9u0mCAfaLvS0B2WUQajCgnwVGNwMDq5zInzTX28nhbl7t1qiEvvBOMaCEYWae1G44dvrFfLhaTzqHtsA/s1600-h/ida2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 208px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtIXLN7UgwANyg2v9PGhSoipWMPiju0RQaV1iPLcndSAzLVMEXiVNjggPiZTa9u0mCAfaLvS0B2WUQajCgnwVGNwMDq5zInzTX28nhbl7t1qiEvvBOMaCEYWae1G44dvrFfLhaTzqHtsA/s320/ida2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382255805878821458" /></a><br /><br />With the properly named API function pointers, it's much easier to read the code.<br /><br />The bot contains a special section in its code that contains several important fields:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNlo9imG3pfZa8ciCsGMiramGz2P4us0ts0MWvEpg6b7RqhYE2ZvHC3B6myl7JBRH4tfEly3zeUwstcDRvmbrK4IcV_qzqSaTdxKWWZ-vfa6r35d3Rej0AcxQWYJ4plLrfiEDQC7EDphs/s1600-h/enc_conf.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 230px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNlo9imG3pfZa8ciCsGMiramGz2P4us0ts0MWvEpg6b7RqhYE2ZvHC3B6myl7JBRH4tfEly3zeUwstcDRvmbrK4IcV_qzqSaTdxKWWZ-vfa6r35d3Rej0AcxQWYJ4plLrfiEDQC7EDphs/s320/enc_conf.png" 
border="0" alt=""id="BLOGGER_PHOTO_ID_5382255980914296642" /></a><br /><br />The URL fields in that section are encoded with the <a target="_blank" href="http://blog.threatexpert.com/2008/12/zeus-config-decryptor.html">older</a>, key-less encoding mechanism that was used by earlier Zeus/Zbot generations. Here is a C equivalent of the decoder - it's straightforward (all arithmetic is on a BYTE, so it wraps modulo 256):<br /><p><font face="Courier New" size="2"><br />   void DecodeUrlField(const BYTE *lpSourceBuffer, BYTE *lpDestinationBuffer, int iBufferSize)<br />   {<br />      BYTE b;<br /><br />      for (int i = 0; i < iBufferSize; i++) <br />      {<br />         b = lpSourceBuffer[i];<br />         if ((i % 2) == 0) <br />         {<br />            b += 2 * i + 10;    // even positions<br />         }<br />         else <br />         {<br />            b += 0xF9 - 2 * i;  // odd positions<br />         }<br />         lpDestinationBuffer[i] = b;<br />      }<br />   }<br /></font></p><br />One of the URLs points to an encrypted configuration file. The bot downloads that file and saves it into a hidden file %System%\lowsec\local.ds.<br /><br />Next, the bot reads the 256-byte long encryption key stored in its section and uses it to decrypt the downloaded configuration file:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWFO9hmYq2YUVS3sLmJl-nmz5V7I_5TvQzigTLPfDdILjTern038RxfltQpQFU87VBoJVslFpghrOA2FPRlsnIzIRLaVEN70qr5wD67rY9ZG-4iZaMli94p1MnbDg_9ieeaKATFGRsMUk/s1600-h/ida3.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 189px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWFO9hmYq2YUVS3sLmJl-nmz5V7I_5TvQzigTLPfDdILjTern038RxfltQpQFU87VBoJVslFpghrOA2FPRlsnIzIRLaVEN70qr5wD67rY9ZG-4iZaMli94p1MnbDg_9ieeaKATFGRsMUk/s320/ida3.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382256160916824818" /></a><br /><br />The decryption routine is not very easy to follow during static analysis. 
One way of building a configuration file decryptor is to blindly rip the assembler code out of the bot and only take care of interfacing it properly - that is, passing it the same parameters. However, in order to understand the code and build its C equivalent, it is better to trace the code.<br /><br />But here comes the question - how to trace the code that is running inside the services.exe process?<br /><br />An easy way of doing that is to attach a debugger of your choice to the system process services.exe, break its execution, point EIP (the instruction pointer) at the first instruction of the decryption routine, patch memory contents to instruct the routine to unpack a file that is different from %System%\lowsec\local.ds (before doing that, make sure the configuration file is downloaded from the earlier discovered URL and is saved under a different filename), suspend all other threads of the services.exe process, and step through its decryption routine. Do this on a virtual machine snapshot you can revert to: hijacking a thread inside services.exe and suspending the rest leaves the process in an inconsistent state, and if services.exe crashes the system goes down with it.<br /><br />The image below shows how the filename %System%\lowsec\local.ds is patched with c:\c<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwUYn2YkIH6HM-XlUguMbzWFyP9lDV4RhiAFOuLmFTfYOokMq-gFmx3T5XnYWHI5IMewatvGm3p3G7iulZqX15XqwV0jUL38SrtNTeUJcE5LbcYvBW_XdhcAjOkiUbNz_dATsVGScj__c/s1600-h/vc.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 176px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwUYn2YkIH6HM-XlUguMbzWFyP9lDV4RhiAFOuLmFTfYOokMq-gFmx3T5XnYWHI5IMewatvGm3p3G7iulZqX15XqwV0jUL38SrtNTeUJcE5LbcYvBW_XdhcAjOkiUbNz_dATsVGScj__c/s320/vc.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382256286950646354" /></a><br /><br />Stepping through the decryption routine reveals how the configuration file is fully decrypted:<br /><br /><a target="_blank" onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAKqxyw6JcsQGWw_XrgH1rRxwXSZ0eRemlorbSRuiY6EQnrLYp45jMGc9rKnU5FG-PA0YV3uZWvjwLy-5zmFknHI_2XdILFze8Qq2ydGWCWgDvMRm6cwidU_afThcJkTJyK6DxyceUj4k/s1600-h/vc2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAKqxyw6JcsQGWw_XrgH1rRxwXSZ0eRemlorbSRuiY6EQnrLYp45jMGc9rKnU5FG-PA0YV3uZWvjwLy-5zmFknHI_2XdILFze8Qq2ydGWCWgDvMRm6cwidU_afThcJkTJyK6DxyceUj4k/s320/vc2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382256409230322930" /></a><br /><br />Decryption routine itself is represented below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrj5hO612FlP6nac6qKRcJTLG7S0yebq6PybnpxTvf6FrRYWdb_kXHsFbR2mZJam3C6i33wPnMYKkDZdLRQ52N0slAGIwAFIH8dROwfOZXXfVooAgusw041Oquzu13EkUhs_Z1nwvh6nA/s1600-h/decr.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 170px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrj5hO612FlP6nac6qKRcJTLG7S0yebq6PybnpxTvf6FrRYWdb_kXHsFbR2mZJam3C6i33wPnMYKkDZdLRQ52N0slAGIwAFIH8dROwfOZXXfVooAgusw041Oquzu13EkUhs_Z1nwvh6nA/s320/decr.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382256533759754082" /></a><br /><br />During decryption, the values of its 256-byte key are constantly shuffled. 
The C equivalent of this routine is shown below. byCounter and byMask are the i and j indices of the RC4 keystream generator (see the update at the end of this post), and the 256-byte "key" stored in the bot is the RC4 state table itself; because the bot stores the already-scheduled state rather than the key it was derived from, extracting those 256 bytes is all that is needed to decrypt, and the original key is never required. All three working variables are single bytes, so the indices wrap modulo 256 on their own:<br /><p><font face="Courier New" size="2"><br />   BYTE byCounter = 0;   // RC4 "i"<br />   BYTE byMask = 0;      // RC4 "j"<br />   BYTE byTemp;<br />   int  iSectionOffset = 0x2a;<br /><br />   for (int i = 0; i < iConfigSize; i++)<br />   {<br />      byCounter++;<br />      byMask += byResource[iSectionStart + iSectionOffset + byCounter];<br />      byTemp = byResource[iSectionStart + iSectionOffset + byMask];<br />      byResource[iSectionStart + iSectionOffset + byMask] = byResource[iSectionStart + iSectionOffset + byCounter];<br />      byResource[iSectionStart + iSectionOffset + byCounter] = byTemp;<br />      byTemp += byResource[iSectionStart + iSectionOffset + byMask];  // S[i] + S[j]<br />      byConfig[i] ^= byResource[iSectionStart + iSectionOffset + byTemp];<br />   }<br /></font></p><br />Once the configuration file is decrypted, its internal structure reveals that it consists of data blocks. Every data block has a header that describes the length of the block, its type, and whether it's compressed or not.<br /><br />As shown in the image below, the meaning of some fields is not clear. But it seems that the 5th byte of the data block indicates whether the data it contains is compressed or not. The two DWORD values that follow give the size of the compressed and of the uncompressed data. 
Next, the block contains the data itself.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibFMceNF57Xs8jB7YDGSm2WHH39Lu_qJ4s8WOytnZgveGUm_-nikGh7EtNfxUTvAZUOWCpptsJQFSPRvZWtDM1aL-Vm807GBcbTq1ejByq3inlhfT7X2P62-4djg6X8QzbCmbv4nVLuqI/s1600-h/block.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 183px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibFMceNF57Xs8jB7YDGSm2WHH39Lu_qJ4s8WOytnZgveGUm_-nikGh7EtNfxUTvAZUOWCpptsJQFSPRvZWtDM1aL-Vm807GBcbTq1ejByq3inlhfT7X2P62-4djg6X8QzbCmbv4nVLuqI/s320/block.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5382270376320428162" /></a><br /><br />For example, the first block has both size values equal to 4 bytes, and its data is 0B 07 02 01. The next two blocks are not compressed - the data size of each is 0x28 bytes. The last block carries a flag that shows it's compressed: the size of the compressed data is 0x85 bytes, the size of the uncompressed data is 0xA1 bytes, and the 0x85 bytes of data follow the header.<br /><br />Analysis of the decompression routine reveals that it is the NRV2B algorithm (from the UCL library). The source code of a decompressor (unrv2b) is available <a target="_blank" href="http://qa.coreboot.org/docs/doxygen/src_2lib_2nrv2b_8c_source.html">here</a>.<br /><br />Knowing the decryption/decompression mechanism and the data format, it is now possible to build a tool that inspects the full memory contents of the process services.exe, locates a page which contains Zeus/Zbot code, then locates the section in it with the 256-byte key, retrieves that key and uses it to decrypt the provided configuration file. 
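The decryption loop, the block format and the NRV2B decompression described above, pulled together as an added Python example; this is neither the ThreatExpert tool nor the bot's own code. Beyond what the post states, it assumes that the 256-byte key section is an RC4 state as left by key scheduling, that a block header is laid out as a DWORD id, a flags byte, a DWORD stored size and a DWORD uncompressed size, that bit 0 of the flags byte marks an NRV2B-compressed body, and that the body is the raw NRV2B bit stream with no extra length prefix. The key-scheduling routine, the hand-assembled NRV2B stream, the hypothetical URL and the sample configuration are all constructed for the example, and find_rc4_state_candidates goes beyond the structure probing described in the post: a key-scheduled RC4 state is a permutation of 0..255, which is a cheap first filter when scanning a dump.

```python
import struct

HDR = struct.Struct("<IBII")  # block header: id, flags, stored_size, real_size (assumed)


def rc4_ksa(key: bytes) -> bytes:
    # Standard RC4 key scheduling: how a 256-byte state like the bot's is produced.
    s = bytearray(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return bytes(s)


def zeus_decrypt(state: bytes, data: bytes) -> bytes:
    # The bot's loop from the post: the RC4 keystream generator run straight
    # from the stored state.  It shuffles the state in place, so copy it first.
    s = bytearray(state)
    i = j = 0
    out = bytearray(len(data))
    for n, c in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = c ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def nrv2b_decompress(src: bytes, out_len: int) -> bytes:
    # UCL NRV2B decoder with the same logic as the coreboot unrv2b linked above.
    dst, ilen, bb, last_off = bytearray(), 0, 0, 1

    def getbit() -> int:
        nonlocal bb, ilen
        if bb & 0x7F:             # bits left in the current byte window
            bb *= 2
        else:                     # refill; the +1 sentinel marks the byte end
            bb = src[ilen] * 2 + 1
            ilen += 1
        return (bb >> 8) & 1

    def gamma(v: int) -> int:     # variable-length number: value bit, stop bit
        while True:
            v = v * 2 + getbit()
            if getbit():
                return v

    while True:
        while getbit():           # a 1 bit introduces one literal byte
            dst.append(src[ilen])
            ilen += 1
        off = gamma(1)
        if off == 2:
            off = last_off        # reuse the previous match offset
        else:
            off = (off - 3) * 256 + src[ilen]
            ilen += 1
            if off == 0xFFFFFFFF:  # end-of-stream marker
                break
            off += 1
            last_off = off
        mlen = getbit() * 2 + getbit()
        if mlen == 0:
            mlen = gamma(1) + 2
        mlen += 1 if off > 0xD00 else 0
        if off > len(dst) or len(dst) + mlen + 1 > out_len:
            raise ValueError("corrupt NRV2B stream")
        pos = len(dst) - off
        for _ in range(mlen + 1):  # byte-wise copy so overlapping matches work
            dst.append(dst[pos])
            pos += 1
    if len(dst) != out_len:
        raise ValueError("decompressed size does not match the header")
    return bytes(dst)


def parse_blocks(cfg: bytes) -> list:
    # Walk the decrypted file block by block, inflating compressed bodies.
    blocks, pos = [], 0
    while pos + HDR.size <= len(cfg):
        bid, flags, size, real = HDR.unpack_from(cfg, pos)
        pos += HDR.size
        body = cfg[pos:pos + size]
        if len(body) != size:
            raise ValueError("truncated block")
        pos += size
        blocks.append((bid, flags, nrv2b_decompress(body, real) if flags & 1 else body))
    return blocks


def find_rc4_state_candidates(mem: bytes) -> list:
    # Heuristic beyond the post's structure probing: a key-scheduled RC4 state is
    # a permutation of 0..255, so a window holding every byte value once is a candidate.
    return [o for o in range(len(mem) - 255) if len(set(mem[o:o + 256])) == 256]


def build_sample() -> tuple:
    # Constructed sample, not a capture: returns (rc4 state, encrypted config).
    state = rc4_ksa(b"Key")
    url = b"http://example.invalid/cfg.bin\x00"  # hypothetical URL field
    # "ABABABAB" hand-assembled as NRV2B: literals A and B, a 6-byte match at
    # offset 2, then the end marker.
    packed = bytes.fromhex("d941420180000000000240ff")
    cfg = (HDR.pack(0x1000, 0, len(url), len(url)) + url
           + HDR.pack(0x1001, 1, len(packed), 8) + packed)
    return state, zeus_decrypt(state, cfg)  # XOR keystream: encrypt == decrypt
```

On a real dump, replace build_sample(): run find_rc4_state_candidates over the joined bot pages, confirm a hit by decoding the URL fields next to it as the post describes, then pass those 256 bytes and the downloaded local.ds to zeus_decrypt and parse_blocks. Always decrypt from a fresh copy of the state, since the routine shuffles it as it goes.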
As the address of the section within the bot page is not known in advance, it can still easily be detected by probing the size of the structure, probing the bytes within the 256-byte encryption key, and trying to decode the URLs, knowing their length (from the structure) and the key-less encoding method (from the older Zeus generations).<br /><br />Unfortunately, such a tool can only decrypt the configuration file on a machine infected with the corresponding Zeus/Zbot sample. Thus, it must be run on the same virtual machine that is infected with the bot.<br /><br />The tool is available for download <a target="_blank" href="http://www.threatexpert.com/blog/zbot/ZeusDecoder.zip">here</a>.<br /><br />One positive side-effect of the tool is that even if the configuration file is not available, the tool will still reveal whether the machine is infected with Zbot.<br /><br />The limitation of the tool is that it won't be able to decrypt a configuration file for one bot if the virtual machine is infected with another bot, even if both bots are produced with the same Zeus builder. This is because every bot uses a unique encryption key that will only decrypt the configuration file created for that very bot.<br /><br />Running the Zeus configuration decryptor over several Zeus/Zbot samples submitted in the last few days reveals quite interesting characteristics. 
The full list of its capabilities is too big to be presented here, so only a few questions/additional fields that Zbot injects are highlighted below:<br /><ul><br /><li>Due to security measures, please provide the answers to all the security questions listed below:</li><br /><li>As an additional safeguard, we ask that you provide the last eight digits of your ATM or Check Card number</li><br /><li>Please enter your Credit Card Number linked to your account, security code (cvv) and expiration date</li><br /><li>For your Identity verification and Fraud prevention please send us answers that you need to answer when you log in to your account</li><br /><li>Our behavioral monitoring software has detected a variation in your use pattern. For your protection, we ask that you verify your identity by answering your personal questions below. Once verified, you will be directed to the page.</li><br /><li>Authorization Required. In order to provide you with extra security, we occasionally need to ask for additional information when you access your accounts online. 
Please enter the information below to Sign on:</li><br /><li>Please enter your Personal Access Code (PAC):</li><br /><li>Your first school</li><br /><li>Your mother's maiden name</li><br /><li>Your place of birth</li><br /><li>Please enter all digits of your PIN</li><br /><li>What is your favourite meal or restaurant?</li><br /><li>The name of a memorable place to you?</li><br /><li>Your favourite film of all time?</li><br /><li>Your favourite book of all time?</li><br /><li>Your favourite teacher or subject?</li><br /><li>Your favourite TV star or show?</li><br /><li>Please enter a valid Mother's Maiden Name</li><br /><li>Please enter a valid Driver's License Number</li><br /><li>Please enter a valid Date of Birth</li><br /><li>Please enter a valid Social Security Number</li><br /><li>Please enter a valid Home Telephone Number</li><br /><li>Your favorite TV show?</li><br /><li>Your favorite flower?</li><br /><li>Your favorite leisure time activity?</li><br /><li>Your favorite type of music?</li><br /><li>Your favorite professional football team?</li><br /><li>Your favorite professional baseball team?</li><br /><li>The color of your first car?</li><br /><li>Your favorite holiday?</li><br /><li>Your favorite place to vacation?</li><br /><li>In which month were your parents married?</li><br /><li>What is the first letter of the name of your high school?</li><br /><li>What is the first letter of the name of your pet?</li><br /><li>In which month was your first child born?</li><br /><li>What was the last two digits of the year of your high school graduation? 
</li><br /><li>Please enter valid ATM/Debit Card # (CIN)</li><br /><li>Please enter valid PIN</li><br /><li>Please enter valid Last 4 Digits of Social Security or Tax ID #</li><br /></ul><br /><br />The list goes on, but you get an idea of what an identity theft weapon it is.<br /><br /><strong>Update:</strong> Thanks to Peter Kosinar and Thorsten Holz for identifying the encryption algorithm above as RC4.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-22625016454970054342009-07-21T03:51:00.001-07:002009-07-21T03:52:56.076-07:00Hot Topics Lead To Malware<a href="http://www.google.com/trends" target="_blank">Google Trends</a> seems to be a nice reference tool for the attackers to know which hot topics currently generate the maximum of public interest - a compass that leads them to the victims.<br /><br />Here is another example of how a randomly picked up hot topic (today it was "Chris Brown Apology Video") predictably leads to <a href="http://www.threatexpert.com/report.aspx?md5=1172c87693db49c62618516cc1f46d60" target="_blank">rogue antispyware</a> installations.<br /><br /><embed src="http://threatexpert.com/blog/hottopic/video1.swf" bgcolor="#FFFFFF" menu="false" quality="high" type="application/x-shockwave-flash" width="642" height="524" pluginspage="http://www.macromedia.com/go/getflashplayer/"></embed><br /><br />The cyber crooks behind this malware seem to be catching fish on a naked hook; until the fish gets smarter, they'll probably stick to these cheap tricks for awhile.<br/><br/>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-27595786896799316832009-06-14T18:06:00.000-07:002009-06-14T18:17:38.266-07:00Windows 7 WrappersFollowing <a target="_blank" href="http://news.softpedia.com/news/Pirated-Trojan-Infested-Windows-7-RC-Builds-Botnet-111445.shtml">reports</a> about pirated Trojan-Infested Windows 7 Builds, it is quite interesting to see what wrappers are used at the "crack stores" to lure as many 
people as possible. Some of these wrappers look pretty hilarious:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuxJtOgJwzhZ93YV0lRzJk6Ahm8a2HpTkEo_82XvW_L9L1IKQDNe5Lq3CoyAdimpAw276gx2GJ33fRz13sl5EMRUZRh3W4YhdmWDThhpov-v1lbgDRFe5yvweQkNAFxN2itjgoJJBCnmU/s1600-h/w7_5.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 309px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuxJtOgJwzhZ93YV0lRzJk6Ahm8a2HpTkEo_82XvW_L9L1IKQDNe5Lq3CoyAdimpAw276gx2GJ33fRz13sl5EMRUZRh3W4YhdmWDThhpov-v1lbgDRFe5yvweQkNAFxN2itjgoJJBCnmU/s400/w7_5.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5347355032113305186" /></a><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-fqGYXiHm9CYjOSW6q1lPBWLI7pNW1hiUtbLZa5t2-a4ayWwAzW2nOlX-HZZs7dIWcjqR_EH4QB_Q5BOGgtM1vh53Mmn_WNmy2WIJ0Bqlmv7XZ0DrYq5s09ay9q1_08Fb4_-iH9QGPbQ/s1600-h/w7_3.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 232px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-fqGYXiHm9CYjOSW6q1lPBWLI7pNW1hiUtbLZa5t2-a4ayWwAzW2nOlX-HZZs7dIWcjqR_EH4QB_Q5BOGgtM1vh53Mmn_WNmy2WIJ0Bqlmv7XZ0DrYq5s09ay9q1_08Fb4_-iH9QGPbQ/s400/w7_3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5347354896796860402" /></a><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKdG309dE50SP0spMvx3Ir0HZIEuT-tdyCZyD5W7yjvpbZ1egiAbt4lgxCd-8ESlHMP5BUUkmdNiwLW3bh6j-XkcRvQ2a20y55iEqEYq8fyNcJMFB_2hS_DDhmUk-WNQUgWEzNvBuYHDU/s1600-h/w7_1.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 244px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKdG309dE50SP0spMvx3Ir0HZIEuT-tdyCZyD5W7yjvpbZ1egiAbt4lgxCd-8ESlHMP5BUUkmdNiwLW3bh6j-XkcRvQ2a20y55iEqEYq8fyNcJMFB_2hS_DDhmUk-WNQUgWEzNvBuYHDU/s400/w7_1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5347354715979520306" /></a><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDFIS9rIK6rZSbmx8JFKAb80baWOX7JWCHRy0NdoFH406JumdwuE5GGEKHRjQ05oAd2BWizysD2F5DVsWgCAtRfITJ8LwZvfJTF2QcXAS7l27c_MQEiQ36kx_b2KTLgFCqBcB3L345L_Q/s1600-h/w7_2.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 242px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDFIS9rIK6rZSbmx8JFKAb80baWOX7JWCHRy0NdoFH406JumdwuE5GGEKHRjQ05oAd2BWizysD2F5DVsWgCAtRfITJ8LwZvfJTF2QcXAS7l27c_MQEiQ36kx_b2KTLgFCqBcB3L345L_Q/s400/w7_2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5347354839658304690" /></a><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI0HoRLN3IJp6m5WBrE9wkyxMRM1J0yLp7GVeXaoxUYDy4mNAlATwbbtBEl79bC7zoqM_zJq83NyBsEWrnntl4OWY_0tX4HLDjAcvPYo4kwImdWV1KD3dxi4-f6wjAO1cS1Up1TszkSg4/s1600-h/w7_4.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 232px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgI0HoRLN3IJp6m5WBrE9wkyxMRM1J0yLp7GVeXaoxUYDy4mNAlATwbbtBEl79bC7zoqM_zJq83NyBsEWrnntl4OWY_0tX4HLDjAcvPYo4kwImdWV1KD3dxi4-f6wjAO1cS1Up1TszkSg4/s400/w7_4.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5347354970011306898" /></a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-24533111863556906362009-05-26T20:00:00.000-07:002009-05-26T22:40:36.443-07:00Cashing-up on TwitterAn interesting exploitation of the popular micro-blogging service <a 
href="https://www.twitter.com" target="_blank">Twitter</a> has been <a href="http://www.techcrunch.com/2009/05/26/warning-twittercut-worm-plays-on-peoples-desire-for-more-followers/" target="_blank">reported</a> a few hours ago.<br /><br />A bogus website - TwitterCut.com - has been set up to collect users' login details for Twitter. Once the website receives the login details from Twitter users, it apparently uses these details to authenticate with Twitter and post messages (tweets) under the credentials of these users.<br /><br />The message it posts contains the link to TwitterCut.com and reads: <em>"OMG I just got over 1000 followers today from http://twittercut.com"</em>. Once this message is posted to Twitter under the credentials of the compromised user, all the followers of that user will automatically receive that tweet.<br /><br />If the followers click the link contained in the tweet they receive, they'll be redirected to TwitterCut.com, where they'll be prompted to enter their own login credentials, which in turn will generate more tweets. With every new user tricked, the tweet is submitted to more and more followers, so that it spreads exponentially in a similar way to a "chain letter" scam or a typical worm infection.<br /><br />On top of that, every Twitter user who enters her login details at TwitterCut.com will also be redirected, without consent, to websites serving adware, thus generating revenue for the author of this worm with every unique visit. 
The advertising content can potentially be replaced with sites serving malware, so it's clearly a security issue.<br /><br />The scheme of this scam is illustrated below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjldiVgg4B5y0nD9FCTfSLEk53lCnBy1Lp0WKbuj9AXPDhdAicoddevhInXUhyUweoFFuqc2RKJ43DKeuiOg4VrhDLyz3vF_-Irlh656-rZ4Zy9p_zqhDFc-sp7anGvyMcmKLw2pdWvUsw/s1600-h/twitschema.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 178px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjldiVgg4B5y0nD9FCTfSLEk53lCnBy1Lp0WKbuj9AXPDhdAicoddevhInXUhyUweoFFuqc2RKJ43DKeuiOg4VrhDLyz3vF_-Irlh656-rZ4Zy9p_zqhDFc-sp7anGvyMcmKLw2pdWvUsw/s400/twitschema.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5340374381239778018" /></a><br /><br />The replication seems to have started from a Twitter user JordanEmbry. The same person appears to have registered TwitterCut.com. Twitter has deactivated the JordanEmbry account, but the Google <a href="http://74.125.153.132/search?q=cache:O4gkI2MkJoQJ:twitter.com/JordanEmbry+jordan+embry&cd=2&hl=en&ct=clnk" target="_blank">cache</a> still reveals the profile and some recent tweets.<br /><br />The biography field reads: <em>"--!*FOLLOW ME*!-- as soon as I reach 20,000 followers Im opening a site you will love!"</em>. 
The profile shows that JordanEmbry had 250 Twitter users who had agreed to become followers - all of them must have received the first-generation tweet that started the replication.<br /><br />Once these followers received the first tweet and followed the bogus website to enter their details, their own followers would have received the same tweet, then the followers of the followers, and so on.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMqKuUpm8k_gxlVPll9XQYJH3G57UjMYPJm9s8JSH-pck7B_ui3iVN6JDDZrUHzQyEBeFjeXVm9NO0vqX2hlgviWpM5L7s9eqcDhE3a_-q3SAAOHO_Kpk-Pu5CX_hb7VgYZIfcux8ForA/s1600-h/je.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 200px; height: 160px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMqKuUpm8k_gxlVPll9XQYJH3G57UjMYPJm9s8JSH-pck7B_ui3iVN6JDDZrUHzQyEBeFjeXVm9NO0vqX2hlgviWpM5L7s9eqcDhE3a_-q3SAAOHO_Kpk-Pu5CX_hb7VgYZIfcux8ForA/s200/je.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5340341085840904450" /></a><br /><br />TwitterCut.com hosts a small script that tracks visits to the website. At the time of writing, the online <a target="_blank" href="http://extremetracking.com/open?login=twitterc">statistics</a> show that, although TwitterCut.com has existed for only 4 days, it has already attracted over 13,000 visits in the last 2 days.<br /><br />If you did receive the scam tweet in your personal Twitter profile, it means that one of the Twitter users you follow has been tricked into entering their login details at TwitterCut.com. 
All these users can be seen by <a target="_blank" href="http://search.twitter.com/search?q=OMG%2BI%2Bjust%2Bgot%2Bover%2B1000%2Bfollowers%2Btoday%2Bfrom%2Bhttp%3A%2F%2Ftwittercut.com" target="_blank">finding</a> the scam tweet that was posted under their credentials.<br /><br />The affected users are advised to change their Twitter account password immediately. Otherwise, the collected credentials can potentially be used many times again to send more impersonated tweets with the links to websites with more dangerous contents.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-68893571291403949152009-05-07T01:17:00.000-07:002009-05-09T13:29:03.155-07:00Pwned UxVPeter Singer, a leading US defense analyst, who headed Barack Obama's defense policy team during last year's presidential campaign, <a href="http://www.smh.com.au/world/wired-for-war--robot-soldiers-more-fact-than-fiction-20090506-aveq.html" target="_blank">believes</a> that the world is on the brink of a "robotics revolution" in military combat that will have profound social, psychological, political and ethical effects.<br /><br />The US had invaded Iraq in 2003 with just over a handful of unmanned aerial drones, and no unmanned ground vehicles, he said. 
Today it used more than 7,000 drones in the air, and more than 12,000 unmanned ground vehicles capable of combat.<br /><br />Their use in warfare was a massive development in human history, he <a href="http://www.lowyinterpreter.org/post/2009/05/The-10-minute-Lowy-Lunch-Robots-at-war.aspx" target="_blank">told</a> the Lowy Institute in Sydney, via videolink from Washington.<br /><br />The use of robots in the war zone is not spontaneous – it is in fact <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ398.106.pdf" target="_blank">mandated</a> by the US Public Law 106-398 which sets a goal of one-third of all ground combat vehicles to be unmanned by 2015.<br /><br />Last year, the first transformer-like armed robot MAARS (Modular Advanced Armed Robotic System) was set to be <a href="http://www.popularmechanics.com/technology/military_law/4230309.html" target="_blank">deployed</a> to fire in combat:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY_VUTyxrqQISYjnfheXdiLb5hqN7B3bYBY9C1cg3_i3bwncthp0NJFuUDtXSJoucvONAn15nlNBAJJkraqUKyhUTDCOUyATrgUWdpRqIPcpW32oQXDBDSUegdH75yHue4x2hdJGkWkGQ/s1600-h/MAARS-web.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 240px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY_VUTyxrqQISYjnfheXdiLb5hqN7B3bYBY9C1cg3_i3bwncthp0NJFuUDtXSJoucvONAn15nlNBAJJkraqUKyhUTDCOUyATrgUWdpRqIPcpW32oQXDBDSUegdH75yHue4x2hdJGkWkGQ/s320/MAARS-web.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5332998016211984194" /></a><br /><br />"<em>It can be changed from one mission setup to another in short order,</em>" says Charles Dean, the Foster-Miller company's senior program manager for advanced robots. 
Operators can alter the machine's treads, drive system, weaponry and even its dimensions.<br /><br />"<em>Government has been working with us over the last 18 months to develop and provide an innovative and evolutionary approach to combat situations that address the battlefield of the future,</em>" <a href="http://www.upi.com/Security_Industry/2008/06/05/Military-receives-new-MAARS-robot/UPI-12831212718000/" target="_blank">said</a> Dr. William Ribich, President of the Technology Solutions Group, QinetiQ North America.<br /><br /><strong>Security Aspects</strong><br /><br />Let's have a look at the software architecture that drives MAARS robot.<br /><br />Built by <a href="http://www.appliedperception.com/products-surc.htm" target="_blank">Applied Perception</a>, part of the QinetiQ North America Technology Solutions Group, the software called Soldier Universal Robot Controller (SURC) enables operators to simultaneously task, monitor, and teleoperate multiple unmanned robots from a single control station.<br /><br />Its User Interface can apparently be integrated into a handheld control unit, or as user application running on a notebook, e.g. 
under Ubuntu Linux, as seen in the image below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZOAGQ85J746ltejSJx4FzPFicC35-x82pAAtT2kr7898SbOTrcuCVt92hoTBlR2znufUH36E_fsaTOjaKe4M1Na101hgbvdr_WbuKyzqa2mo3AbhlhyOC__QdGp_3tC3QejJtymyDDc/s1600-h/surc.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 178px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirZOAGQ85J746ltejSJx4FzPFicC35-x82pAAtT2kr7898SbOTrcuCVt92hoTBlR2znufUH36E_fsaTOjaKe4M1Na101hgbvdr_WbuKyzqa2mo3AbhlhyOC__QdGp_3tC3QejJtymyDDc/s320/surc.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5333003302484315538" /></a><br /><br />The SURC system consists of several elements, depicted in the following diagram:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyXMqKm2geuAVQN8qgCZcHIajtR_WDorgVcH627JUikvtaAd67ZVvDQS5cflynjnBfa3uf0si2waAS0WJjn2a62Ft1NQqhmewM7pXdKEAwBQG0chRwzcSTrUx0ADrZDzEBwEDDDDiON-M/s1600-h/schema.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 220px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyXMqKm2geuAVQN8qgCZcHIajtR_WDorgVcH627JUikvtaAd67ZVvDQS5cflynjnBfa3uf0si2waAS0WJjn2a62Ft1NQqhmewM7pXdKEAwBQG0chRwzcSTrUx0ADrZDzEBwEDDDDiON-M/s400/schema.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5333016768524595234" /></a><br /><br />Its core modules are responsible for keeping track of the robots, path and mission planning, and storing data about known objects. <br /><br />An interesting aspect of this architecture is that SURC plugs into JAUS (pronounced "jaws"), the Joint Architecture for Unmanned Ground Systems. 
SURC's transport component is responsible for interfacing SURC with JAUS.<br /><br />JAUS is an open message-passing architecture that unifies multiple computing nodes and provides the means for them to communicate with each other. It defines the hierarchy of elements (subsystems, nodes, components), defines the standard for the message that is passed from one component to another, and defines other requirements such as mission isolation and platform, hardware, and operator-use independence (much like the Web).<br /><br />JAUS dictates the use of UDP (User Datagram Protocol) as the communications protocol between the nodes. The messages are packed into the JAUS message structure and are handled by the node managers according to the commands specified in these messages. The traffic travels over port 3794, the "<a href="http://www.jauswg.org/baseline/jausportnumber.html" target="_blank">JAUS Robots</a>" port.<br /><br />As with any other software architecture, it will very likely be only a matter of time until JAUS is probed for unauthorized access. The rule of thumb here is that the bigger and more important the target, the more lucrative it is, and thus the larger the incentive and motivation to exploit it. 
It won't be a question of "how", it will be a question of "when".<br /><br />Let's try to imagine for a moment, in science-fiction terms, what attack vectors against JAUS are possible and what unauthorized access to it could result in.<br /><br />In theory, interception of the traffic between the transport component of SURC and the JAUS platform that connects it with the in-field robots' node managers can be exploited.<br /><br />Firstly, a UDP flood may render the whole fleet of robots useless.<br /><br />Secondly, injection of maliciously crafted packets into the link between SURC and JAUS may potentially change the mission goals, from increasing civilian casualties all the way to hijacking the whole fleet of UxVs and turning it against the original command centre. This could potentially be exploitable precisely because of the platform, hardware, and operator-use independence declared by the JAUS open architecture standard: if the transport carries no authentication, any node that speaks the message format looks like a legitimate peer.<br /><br />Thirdly, the JAUS architecture could also potentially be attacked with malformed messages sent to port 3794, either with the purpose of gaining full administrative control over the node managers or simply causing a denial of service by crashing their software.<br /><br />Of course, these attacks are very unrealistic right now, so the reader should consider this speculation pure fantasy. 
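To make the second vector concrete, here is an added example (not code from the post, and not the JAUS wire format: the header layout, component numbers, command codes and the shared key are all invented for the demonstration). It models a node manager that accepts command datagrams over a UDP-style link. With no authenticator on the datagram, a forged packet that spoofs the operator's component number is executed like any other; with a keyed tag and a sequence check, the same forgery and a replayed capture are both rejected.

```python
"""Toy command link illustrating the packet-injection vector. Example code,
not from the original post; the header, command codes and key are invented."""
import hashlib
import hmac
import struct

# Invented header: version, source component, destination component (1 byte
# each); command code, sequence number, payload length (2 bytes each).
HEADER = "!BBBHHH"
HEADER_LEN = struct.calcsize(HEADER)   # 9 bytes
TAG_LEN = 16                           # truncated HMAC-SHA256 tag when keyed

CMD_SET_WAYPOINT = 0x0401              # invented command codes
CMD_FIRE = 0x0F00


def build(src, dst, cmd, seq, payload, key=None):
    """Pack one datagram. With a key, append an HMAC over header+payload."""
    msg = struct.pack(HEADER, 1, src, dst, cmd, seq, len(payload)) + payload
    if key is None:
        return msg
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class NodeManager:
    """Receiver for one robot component. key=None models the unauthenticated
    transport: every well-formed datagram addressed to it gets executed."""

    def __init__(self, component, key=None):
        self.component = component
        self.key = key
        self.last_seq = -1
        self.executed = []             # (src, cmd, payload) of accepted commands

    def receive(self, datagram):
        if len(datagram) < HEADER_LEN:
            return "reject: short"
        ver, src, dst, cmd, seq, plen = struct.unpack(HEADER, datagram[:HEADER_LEN])
        if ver != 1 or dst != self.component or len(datagram) < HEADER_LEN + plen:
            return "reject: malformed"
        body = datagram[:HEADER_LEN + plen]
        if self.key is not None:
            tag = datagram[HEADER_LEN + plen:]
            expect = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
            if not hmac.compare_digest(tag, expect):
                return "reject: bad tag"      # forged, or sender has no key
            if seq <= self.last_seq:
                return "reject: replay"       # captured datagram played back
            self.last_seq = seq
        self.executed.append((src, cmd, body[HEADER_LEN:]))
        return "executed"


def scenario():
    """Operator (component 1) drives a robot (component 7); an attacker on the
    same link spoofs component 1. Returns outcomes for the open and keyed node."""
    key = b"example per-mission secret"      # constructed; shared out of band
    operator = build(1, 7, CMD_SET_WAYPOINT, 10, b"lat=0;lon=0")
    forged = build(1, 7, CMD_FIRE, 11, b"target=friendly")   # attacker, no key

    open_node = NodeManager(7)
    open_result = (open_node.receive(operator), open_node.receive(forged))

    keyed_node = NodeManager(7, key)
    signed = build(1, 7, CMD_SET_WAYPOINT, 10, b"lat=0;lon=0", key)
    keyed_result = (keyed_node.receive(signed),
                    keyed_node.receive(forged),
                    keyed_node.receive(signed))              # replay of a capture
    return open_result, keyed_result


if __name__ == "__main__":
    print(scenario())
```

The keyed variant only shows what the transport would need to carry; it does nothing about the first vector (a UDP flood still consumes the receiver's time verifying tags), and a per-mission key has to be distributed to every node manager before deployment.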
But if the reader considers how many platforms were supposed to be secure by design and could still easily be exploited, and accounts for the pace of progress and how attractive such targets are to attackers, then it becomes easier to imagine that in a few years' time all robotic machines will have to be patched every Tuesday:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXQOvKMATKFAArB0sxplrRBXMJbSI1uBy5aWRWgQk8D9aYHDQh_f4dY2k0KoYS6JJ_4-8NXyJgXcIrFlwK5jFypu7EADdTLIDA0hfgpvpR2Sn_dSMSi5xwEkZteHdcTHAEtxq9UC134r0/s1600-h/update.gif"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 156px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXQOvKMATKFAArB0sxplrRBXMJbSI1uBy5aWRWgQk8D9aYHDQh_f4dY2k0KoYS6JJ_4-8NXyJgXcIrFlwK5jFypu7EADdTLIDA0hfgpvpR2Sn_dSMSi5xwEkZteHdcTHAEtxq9UC134r0/s320/update.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5333018586014812722" /></a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-40718640813760241252009-03-18T00:21:00.000-07:002009-03-18T01:18:00.952-07:00The Effect of Credit Crunch on Backdoors<br/>Given the current economic situation, it's not uncommon to hear news that another bank is downsizing its departments and outsourcing its software development.<br /><br />The big question is whether this practice increases the risk of time bombs, hard-coded login names and passwords, or plain backdoors being concealed in the software by its own developers.<br /><br />An interesting piece of software <a href="http://www.sophos.com/security/blog/2009/03/3577.html" target="_blank">spotted</a> by Vanja Svajcer from Sophos proves it does.<br /><br />While there is no hard evidence of how this software got onto an ATM, an educated guess is that it was implanted by someone 
who knew the architecture and had direct physical access to the Diebold ATM hardware and software: a privileged insider who either wanted some extra financial security in hard times by having unlimited access to cash, or perhaps planned to rob the banks in one large-scale distributed attack.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVK5Ijsb60WgHdzNUrzJgo4LYO0iDB1OvdAM04dM7dHMIVjzCCWkSE_XULP0PP-owbuAN57duzKQKmrOcUnA4pPVltdoeedhnhPvHkywZRwo907HUv2ezL6tVa8E_Tip4AvlrskjUTzP4/s1600-h/diebold.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 302px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVK5Ijsb60WgHdzNUrzJgo4LYO0iDB1OvdAM04dM7dHMIVjzCCWkSE_XULP0PP-owbuAN57duzKQKmrOcUnA4pPVltdoeedhnhPvHkywZRwo907HUv2ezL6tVa8E_Tip4AvlrskjUTzP4/s320/diebold.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5314428251788793122" /></a><br /><br />Either way, the backdoor goes to great lengths to conceal its presence on the ATM. Why? 
Most likely, in order to stay undetected during audit checks.<br /><br />The backdoor consists of a dropper and the dropped component.<br /><br />If the ATM's filesystem is NTFS, the dropper creates 2 alternate data streams (ADS):<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">%windir%\greenstone.bmp:redstone.bmp</span><br /><span style="font-family:Courier New;font-size:2;color:#404040">%windir%\greenstone.bmp:bluestone.bmp</span><br /><br />Otherwise, it creates 2 plain files:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">%windir%\redstone.bmp</span><br /><span style="font-family:Courier New;font-size:2;color:#404040">%windir%\bluestone.bmp</span><br /><br />These ADS/files are created as copies of the following files, if they are found on the system:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">%windir%\trl2</span><br /><span style="font-family:Courier New;font-size:2;color:#404040">%windir%\kl</span><br /><br />The dropper then enables SeDebugPrivilege in its own token and makes 50 attempts to terminate the process <span style="font-family:Courier New;font-size:2;color:#404040">lsass.exe</span>.<br /><br />The backdoor installs itself the following way: <br /><ul><br /><li>retrieves the fully qualified path to the binary file of the system service "LogWriter"</li><br /><li>stops the system service "LogWriter"</li><br /><li>appends ":" followed by <span style="font-family:Courier New;font-size:2;color:#404040">pwrstr.dll</span> to that path</li><br /><li>drops its own resource PACKAGEINFO into the alternate data stream <span style="font-family:Courier New;font-size:2;color:#404040">[LogWriter_binary_filename]:pwrstr.dll</span></li><br /><li>starts the system service "LogWriter" – this launches the dropped DLL from the newly specified ADS name</li><br /></ul><br />Finally, the dropper injects and runs a remote thread in the process <span style="font-family:Courier New;font-size:2;color:#404040">explorer.exe</span>, a thread that enumerates and deletes all Windows Prefetch files (an anti-forensic step: Prefetch entries record which executables have run on the machine).<br /><br />Once active, the dropped DLL injects 2 threads: one into the process <span style="font-family:Courier New;font-size:2;color:#404040">mu.exe</span>, the other into the process <span style="font-family:Courier New;font-size:2;color:#404040">SpiService.exe</span>, the main service ("Diebold XFS Service") of the proprietary software that runs on Diebold ATMs. These threads are responsible for inter-process communication with the Diebold driver via the named pipe <span style="font-family:Courier New;font-size:2;color:#404040">"\\.\pipe\lsndbd"</span>.<br /><br />Another thread repeatedly calls the API <span style="font-family:Courier New;font-size:2;color:#404040">SQReceiveFromServer()</span>, exported by sharedq.dll, once per second. The contents of the buffer filled by this function are then parsed for the presence of the tags <span style="font-family:Courier New;font-size:2;color:#404040">"TCS,"</span> and <span style="font-family:Courier New;font-size:2;color:#404040">"HST,"</span>.<br /><br />If the values carried in those tags are separated by the delimiter ";", the thread extracts and logs them into the ADS <span style="font-family:Courier New;font-size:2;color:#404040">%windir%\greenstone.bmp:redstone.bmp</span> on an NTFS system, or the file <span style="font-family:Courier New;font-size:2;color:#404040">%windir%\redstone.bmp</span> on a non-NTFS system.<br /><br />If the tag <span style="font-family:Courier New;font-size:2;color:#404040">"TCS,"</span> means "transactions" and <span style="font-family:Courier New;font-size:2;color:#404040">"HST,"</span> means "history", the backdoor may be collecting the details of user transactions in the aforementioned file.<br /><br />In case the transaction parsing process detects particular contents, presumably unique to the 
attacker of the ATM, the backdoor enters a GUI mode that grants the attacker full access to it. In this case, it displays on the ATM screen a dialog box with the caption <em>"Agent"</em> and the prompt <em>"Enter command:"</em>, and instructs the Diebold driver to activate the keypad and read the input via a series of commands issued with the <span style="font-family:Courier New;font-size:2;color:#404040">DbdDevExecute()</span> API, exported by DbdDevAPI.dll. For example, the driver receives the commands <span style="font-family:Courier New;font-size:2;color:#404040">EPP4_ENCODE_DECODE</span> and <span style="font-family:Courier New;font-size:2;color:#404040">EPP4_ENABLE_KEYBOARD_READ</span>.<br /><br />The attacker then chooses one of 10 possible commands by entering a number on the ATM keypad. Every command causes the backdoor to take a specific action.<br /><br />For example, command "2" instructs the backdoor to read the version of the installed Diebold software from the registry keys:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">HKLM\SOFTWARE\Diebold\Agilis 91x Core</span><br /><span style="font-family:Courier New;font-size:2;color:#404040">HKLM\SOFTWARE\Diebold\Agilis 91x</span><br /><br />Then, this command reads the contents of the temporary files/ADS <span style="font-family:Courier New;font-size:2;color:#404040">redstone.bmp</span> and <span style="font-family:Courier New;font-size:2;color:#404040">bluestone.bmp</span>, and parses the transaction details from these logs. 
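The installation steps described above leave two distinctive artifacts on an NTFS volume: named streams under <span style="font-family:Courier New;font-size:2;color:#404040">%windir%\greenstone.bmp</span> and a <span style="font-family:Courier New;font-size:2;color:#404040">pwrstr.dll</span> stream appended to the LogWriter service binary. Below is an added indicator check (example code, not part of the original post or of any vendor tool). Stream enumeration goes through the Win32 <span style="font-family:Courier New;font-size:2;color:#404040">FindFirstStreamW</span> API and therefore runs only on Windows; the classification logic is pure and is exercised over a constructed listing, in which the LogWriter path and the random sample paths are assumptions, not values from the post.

```python
"""Indicator check for the Diebold ATM backdoor's alternate data streams.
Added example, not code from the post. Stream enumeration is Windows-only;
the classifier runs anywhere over a listing such as SAMPLE_LISTING."""
import ctypes
import ntpath
import os
import sys

SUSPECT_STREAMS = {"redstone.bmp", "bluestone.bmp", "pwrstr.dll"}
FALLBACK_FILES = {"redstone.bmp", "bluestone.bmp"}     # plain files on non-NTFS


def list_streams(path):
    """Raw NTFS stream names of `path`, e.g. ['::$DATA', ':x:$DATA'] (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration requires Windows")

    class FIND_STREAM_DATA(ctypes.Structure):          # WIN32_FIND_STREAM_DATA
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:       # INVALID_HANDLE_VALUE
        return []
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names


def classify_streams(path, stream_names):
    """Map raw names (':name:$DATA') to indicator hits; '::$DATA' is the file itself."""
    hits = []
    for raw in stream_names:
        parts = raw.split(":")
        name = parts[1] if len(parts) > 1 else ""
        if name.lower() in SUSPECT_STREAMS:
            hits.append(f"{path}:{name}")
    return hits


def classify_files(existing_paths):
    """Non-NTFS fallback: the plain files the dropper writes into %windir%."""
    return [p for p in existing_paths if ntpath.basename(p).lower() in FALLBACK_FILES]


def logwriter_binary():
    """ImagePath of the 'LogWriter' service from the SCM registry key (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services\LogWriter") as k:
        return os.path.expandvars(winreg.QueryValueEx(k, "ImagePath")[0]).strip('"')


def scan():
    """Live scan on Windows; an empty list means none of the indicators is present."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    candidates = [os.path.join(windir, "greenstone.bmp")]
    try:
        candidates.append(logwriter_binary())
    except OSError:
        pass                                   # no LogWriter service: nothing to check there
    hits = []
    for p in candidates:
        if os.path.exists(p):
            hits += classify_streams(p, list_streams(p))
    fallbacks = [os.path.join(windir, f) for f in FALLBACK_FILES]
    return hits + classify_files([p for p in fallbacks if os.path.exists(p)])


# Constructed listing, shaped like FindFirstStreamW output on an infected host.
# The LogWriter path and the third file are assumptions for the example.
SAMPLE_LISTING = {
    r"C:\Windows\greenstone.bmp": ["::$DATA", ":redstone.bmp:$DATA", ":bluestone.bmp:$DATA"],
    r"C:\Program Files\Diebold\LogWriter.exe": ["::$DATA", ":pwrstr.dll:$DATA"],
    r"C:\Users\op\Downloads\setup.exe": ["::$DATA", ":Zone.Identifier:$DATA"],  # benign
}


def demo():
    """Classifier over SAMPLE_LISTING (runs on any platform)."""
    hits = []
    for path, streams in SAMPLE_LISTING.items():
        hits += classify_streams(path, streams)
    return hits


if __name__ == "__main__":
    print(scan() if sys.platform == "win32" else demo())
```

A stream check like this is only useful as a post-hoc audit: the dropper has already wiped Prefetch and installed its DLL through the service, so any hit means the machine should be treated as compromised rather than cleaned in place.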
Finally, it shows a message box with the collected statistics for the attacker in the following form:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">Agilis [version number]<br />Agent [version number]<br />Transactions [number]<br />Cards [number]<br />KEYs [number]</span><br /><br />Command "6" instructs the backdoor to recover "Key A" and "Key B" from the file/ADS <span style="font-family:Courier New;font-size:2;color:#404040">redstone.bmp</span>. It then prints them on a new receipt, which is ejected.<br /> <br />Command "8" allows the attacker to display all internal counters in a newly created dialog box (this may reveal the amount of cash currently stored in the ATM).<br /><br />Command "7" generates a random number and then calculates a password unique to that number: a challenge-response check, so that knowing the command numbers alone is not enough to reach the cash-out menu.<br />Then, it displays an <em>"Autorization"</em> dialog box (spelling preserved):<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">Request Code: [random number]</span><br /><span style="font-family:Courier New;font-size:2;color:#404040">Enter Responce:</span><br /><br />It allows 3 attempts to enter the correct password.<br /><br />If the provided password is correct, it displays another dialog box with the caption <em>"Enter Command"</em> (spelling preserved):<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">1..4 - dispense cassete</span><br /><span style="font-family:Courier New;font-size:2;color:#404040">9 - Uninstall</span><br /><span style="font-family:Courier New;font-size:2;color:#404040">0 - Exit</span><br /><br />For choices 1-4, it issues the commands <span style="font-family:Courier New;font-size:2;color:#404040">AFD_DISPENCE</span>, <span style="font-family:Courier New;font-size:2;color:#404040">AFD_PRESENT</span>, and <span style="font-family:Courier New;font-size:2;color:#404040">AFD_RESTORE</span> to the 
Diebold driver to instruct the Advanced Function Dispenser (AFD) module to dispense an <a href="http://www.diebolddirect.com/4a-susd20-0001.html" target="_blank">ATM cassette</a> with cash.<br /><br />With this level of sophistication, and considering that a trojan horse in its classic form sits inside the ATM, even the following paranoid technique is unlikely to make any difference:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLNkOhRWHnLv3RYibkR6-sVj2GF9lKVHL3pbZEIRp4Z-LhMDG9ADDcKU9KSI_Nwkkxr_VAk9iSA_sZpyJAZKSR0USpApXBgO51qKMFg5b33mbyA3_J6DGC5SJ-Ka9lbKPr-LsotCnV_Lo/s1600-h/atm.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 304px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLNkOhRWHnLv3RYibkR6-sVj2GF9lKVHL3pbZEIRp4Z-LhMDG9ADDcKU9KSI_Nwkkxr_VAk9iSA_sZpyJAZKSR0USpApXBgO51qKMFg5b33mbyA3_J6DGC5SJ-Ka9lbKPr-LsotCnV_Lo/s320/atm.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5314434540009546818" /></a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-73606154659615469342009-03-11T12:20:00.000-07:002009-03-11T12:47:57.880-07:00Someone Needs HelpSubmission to ThreatExpert.com from SK, Sri Lanka:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">Hey you!!!<br />You can't stop me. I'm the author of "angel.exe".I am going to upload my 100 Viruses to the internet from my web site.Will Soon.<br />You and any anti viruses can't stop my growing!!!!!<br /></span><br /><br />From Wikipedia: <em>"An <a href="http://en.wikipedia.org/wiki/Inferiority_complex" target="_blank">inferiority complex</a> is a feeling that one is inferior to others in some way. Such feelings can arise from an imagined or actual inferiority in the afflicted person. 
It is often subconscious, and is thought to drive afflicted individuals to overcompensate, resulting either in spectacular achievement or extreme schizotypal behavior, or both."</em>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-39613801294480805652009-03-01T19:33:00.000-08:002009-03-01T19:46:48.968-08:00New Variant Of AckanttaFollowing the previous <a href="http://blog.threatexpert.com/2008/12/beware-christmas-promotions-from-coca.html" target="_blank">variant</a> of the Ackantta mass-mailing worm, a <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2009-022520-1425-99&tabid=2" target="_blank">new modification</a> (B) is making the rounds now.<br /><br />This time, it distributes the Vundo trojan in its payload.<br /><br />Automated analysis is available <a href="http://www.threatexpert.com/report.aspx?md5=925a4a25cfa562a0330c8733cc697021" target="_blank">here</a>.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-13959833273134635562009-02-19T18:04:00.000-08:002009-02-19T19:14:56.355-08:00Politically Motivated TrojanIn a recently reported security incident, a political organization was the target of an attack. The Word document it received had either of the following names: <em>"Urgent Appeal to Secretary Hillary Clinton.doc"</em> or <em>"Days with ITSN Tibet in My Eyes.doc"</em>.<br /><br />Putting aside any political motivations behind these attacks, and looking at the embedded trojan from a technical point of view, a pretty interesting piece of code is revealed.<br /><br />Being an executable embedded in a Microsoft Word document, the trojan itself is a CDialog-based VC++ MFC application. When it starts, it checks whether a driver called <em>tmpreflt.sys</em> is installed on the system. This driver appears to belong to the OfficeScan product from Trend Micro. 
The trojan adjusts its logic depending on the presence of <em>tmpreflt.sys</em> and then installs a new driver, <em>resdr32.sys</em>, which it reads and decrypts from its own resource section. This driver has the device name <em>FILEGUARDDOS</em> and is presumably designed for self-protection.<br /><br />The payload code of the trojan is encrypted in its resource section. After decrypting it, the trojan starts a second instance of its own executable, allocates memory in the address space of this "cloned" process, writes the newly decrypted payload code there, and spawns a thread in that process to execute it.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvYQZPeLKypXuXxxm8X2lXLxzGsApClcx8eODjeYmy66BNZcKf5tk90OcvfanQkc6m_xI_aCQr3btKknD8skFxMrOPi5B9zc6LZ_09zslfV04GgKRgJrq2mt5p7Kz02b6p_pKduksC59E/s1600-h/t1.gif"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 313px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvYQZPeLKypXuXxxm8X2lXLxzGsApClcx8eODjeYmy66BNZcKf5tk90OcvfanQkc6m_xI_aCQr3btKknD8skFxMrOPi5B9zc6LZ_09zslfV04GgKRgJrq2mt5p7Kz02b6p_pKduksC59E/s320/t1.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5304702538741678802" /></a><br /><br /><br />Once the second instance of the trojan is started and the injected payload code is activated, it contacts its command-and-control server <span style="font-family:Courier New;font-size:2;color:#404040">mmwbzhij.meibu.com</span> on ports 8585 and 8686.<br /><br />The communication traffic is encrypted. The commands issued by the C&C server instruct the trojan to download and run additional components. 
For example, the newly downloaded components can be created under the following filenames:<br /><ul><br /><li>C:\loader.exe</li><br /><li>C:\ml.exe</li><br /><li>%System%\EventSystem.dll</li><br /></ul><br />The trojan constantly submits POST requests to the remote host with the following format:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">http://mmwbzhij.meibu.com:8686/[random characters].[random file extension]</span><br /><br />where <span style="font-family:Courier New;font-size:2;color:#404040">[random characters]</span> string may look similar to:<br /><span style="font-family:Courier New;font-size:2;color:#404040"><ul><br /><li>qRXycRXuwJ11749</li><br /><li>PqJNBkcPDm18630</li><br /><li>ZPDPyZkZcV23661</li><br /></ul></span><br />and <span style="font-family:Courier New;font-size:2;color:#404040">[random file extension]</span> can be any of the following: <span style="font-family:Courier New;font-size:2;color:#404040">rm</span>, <span style="font-family:Courier New;font-size:2;color:#404040">mov</span>, <span style="font-family:Courier New;font-size:2;color:#404040">mp3</span>, <span style="font-family:Courier New;font-size:2;color:#404040">pdf</span>.<br /><br />One such POST request is shown below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYMr1QlokWY8EdApTieWl-IvI1H9l7NmAnuLw9CdEqCd1XHd5kEVmeK-ZnwRBLRHSlGlbJfv3OopZFZNVVO5xjZmctI95yVGL-bQRgPhGXUUJnqHT3jvmbl2Lv79XoRmpgaBndASjnRqI/s1600-h/t2.gif"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 268px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYMr1QlokWY8EdApTieWl-IvI1H9l7NmAnuLw9CdEqCd1XHd5kEVmeK-ZnwRBLRHSlGlbJfv3OopZFZNVVO5xjZmctI95yVGL-bQRgPhGXUUJnqHT3jvmbl2Lv79XoRmpgaBndASjnRqI/s320/t2.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5304704903797975218" /></a><br /><br 
/>The purpose of these requests is not clear; the random characters contained in the POST request could be used by the server to derive an encryption key that differs for every communication round (a hopping key).<br /><br />To persist across reboots, the trojan drops a copy of itself under a variable filename, such as <span style="font-family:Courier New;font-size:2;color:#404040">%System%\winpp.exe</span> or <span style="font-family:Courier New;font-size:2;color:#404040">%System%\instoll.exe</span>, and then registers its full path in the value:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">"StubPath"</span><br /><br />of the registry key<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{345A814E-7F4F-1BCD-0104-050302030401}</span><br /><br />(Active Setup executes the StubPath command at the next logon of each user whose profile has not yet recorded that component, which is enough to re-run the trojan after a reboot.)<br /><br />Fully automated reports can be found <a href="http://www.threatexpert.com/report.aspx?md5=02f2029647e85fff81620b2c333bc9cf" target="_blank">here</a> and <a href="http://www.threatexpert.com/report.aspx?md5=7ce96a0ed4d71c26d2c377dd331e4466" target="_blank">here</a>.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-69527230108808851362009-02-04T16:44:00.000-08:002009-02-04T17:21:34.090-08:00Trojan GetCodec/Brisv Comes Back AgainThe months-old trojan <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-071823-1655-99" target="_blank">Brisv</a>, which infects multimedia files, has struck again for no apparent reason, as reported by our customers.<br /><br />The trojan enumerates local and mapped network drives looking for files with the extensions ASF, WMV, WMA, MP2, MP3. 
It then infects the located files by injecting a malicious script that instructs the media player to pop up the default browser window and navigate it to the malicious web site <em>isvbr.net</em>, which in turn redirects to a different URL, <em>www.play-error.com</em>:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqY3AwTsv1RSUEaAR9v0pyLxv2Ev2Ot8npOVUoGl7aESJH1kHRxF9bG_i-8BW2K0Rni8wbpY9P_4ZMfrXwbpCm9rRADhLLj_vZ2oFO4ApKswa9JZJfpSllcSTWEXGpruLgpjkI7MhLc6k/s1600-h/screen3.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 153px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqY3AwTsv1RSUEaAR9v0pyLxv2Ev2Ot8npOVUoGl7aESJH1kHRxF9bG_i-8BW2K0Rni8wbpY9P_4ZMfrXwbpCm9rRADhLLj_vZ2oFO4ApKswa9JZJfpSllcSTWEXGpruLgpjkI7MhLc6k/s400/screen3.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5299110585730298322" /></a><br /><br />When the media player plays back an infected file (on a test system, after about 10 seconds of playback), the browser window pops up and the player stops playing the file, as shown below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvcCo3i5QdeSHHO-3qSFZPMS9q_xY_sZnymQDCTPTzsXwxhT0EgJwAoFWttfN3QQmo-3Vp2cra-W2B7Wxaeqrtxa5P7LJMrzzZdEHVPYHvIEm0ZVxayz3C7ZUgI4nT-4LrwIzc8Q4TD6c/s1600-h/screen0.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 249px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvcCo3i5QdeSHHO-3qSFZPMS9q_xY_sZnymQDCTPTzsXwxhT0EgJwAoFWttfN3QQmo-3Vp2cra-W2B7Wxaeqrtxa5P7LJMrzzZdEHVPYHvIEm0ZVxayz3C7ZUgI4nT-4LrwIzc8Q4TD6c/s400/screen0.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5299111769176175554" /></a><br /><br />The web site the user is 
redirected to can vary and may host any kind of malware. At the time of writing, <em>isvbr.net</em> redirects to <em>www.play-error.com</em>:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmX4-Mw3A3RKTul_c3p_KMPqQvAKkH7mS7vgEwoaMxTfT_Kobz7toxCM9GL0NvCt17m7JcCNFZxhjR_M2jVyaVm8fuYfVnXTp0rhxEcpUjbVmGrJZH3I3MGFkgi2iwHW6N4dHwqjTIgZo/s1600-h/screen1.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 375px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmX4-Mw3A3RKTul_c3p_KMPqQvAKkH7mS7vgEwoaMxTfT_Kobz7toxCM9GL0NvCt17m7JcCNFZxhjR_M2jVyaVm8fuYfVnXTp0rhxEcpUjbVmGrJZH3I3MGFkgi2iwHW6N4dHwqjTIgZo/s400/screen1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5299112017912768594" /></a><br /><br />The traffic generated during playback of the infected multimedia file is shown below:<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMEyjM5TUxBygS5tXBuvAmkX_Z6kvUrbYMvmTur3gSlDoAJH8ndrnSOPC76y2nGPi5p4E1cy3ef8fJsbm0_v0BCg9niIIj62ltcihIq8JDfS495Mcnv3yMZJ4OuqncZmvWWr-Rn9M7iug/s1600-h/screen4.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 215px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMEyjM5TUxBygS5tXBuvAmkX_Z6kvUrbYMvmTur3gSlDoAJH8ndrnSOPC76y2nGPi5p4E1cy3ef8fJsbm0_v0BCg9niIIj62ltcihIq8JDfS495Mcnv3yMZJ4OuqncZmvWWr-Rn9M7iug/s400/screen4.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5299113463094958338" /></a><br /><br />To see the list of system changes, please check the ThreatExpert report <a href="http://www.threatexpert.com/report.aspx?md5=4e2f538fa4dfe028c221ee7f020a05d4" target="_blank">here</a>.<br /><br />Should you need to quickly scan your system and/or disinfect 
the infected multimedia files, please run the fixtool from <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-072215-0522-99" target="_blank">this</a> location.Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7283598531036801098.post-13417128426310625012009-01-28T17:50:00.000-08:002009-01-28T18:03:24.440-08:00Conficker/Downadup: Memory Injection ModelThe worm Conficker/Downadup needs no special introduction, as it has already been described in great detail in various write-ups.<br /><br />Nevertheless, considering it employs a set of unique techniques, a deeper analysis is warranted.<br /><br />One such technique is its memory injection model, which is discussed in this post. Note: as the analysis continues, more posts may follow.<br /><br />Conficker runs as a DLL file and unpacks itself on the heap of the host executable process, such as rundll32.exe. In order to bypass firewalls (and possibly HIPS too), its author has clearly put some thought into a proper memory injection model.<br /><br />The worm calls its memory injection function with the following prototype:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">InjectIntoProcess (DWORD TargetProcessID, LPSTR ConfickerDllFilename)</span><br /><br />The function is called for the processes explorer.exe, svchost.exe, and services.exe.<br /><br />To start, the worm opens the target process, allocates a small memory region in its virtual address space, and writes the full path of its own DLL into it.<br /><br />Next, it obtains the address of the LoadLibraryA() API imported from kernel32.dll. This address is usable in the target because kernel32.dll is mapped at the same base address in every process on a given boot, so the value resolved in the worm's own process is valid there too.<br /><br />The worm then performs an interesting trick: it calls the CreateRemoteThread() API, passing it the handle of the targeted process. The thread start address it specifies is the virtual address of the LoadLibraryA() API (imported from kernel32.dll). 
The specified thread parameter is the address of the allocated buffer within the process where the full path filename of the Conficker DLL has just been written.<br /><br /><a target="_blank" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgELjxhsXWYC125GIO4wNwaNr2wfWVAKmR4kEoi9erXICX1sisjzxiT-N_o6kO5uUGmyR66PFhcm_Rc6ctC37PN_xHZgkcivWV4ow3ZQEFXJNkKs_xhHDaJprdeCz-pw0ZcObnb8UUNhOA/s1600-h/conf1.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 345px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgELjxhsXWYC125GIO4wNwaNr2wfWVAKmR4kEoi9erXICX1sisjzxiT-N_o6kO5uUGmyR66PFhcm_Rc6ctC37PN_xHZgkcivWV4ow3ZQEFXJNkKs_xhHDaJprdeCz-pw0ZcObnb8UUNhOA/s400/conf1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5296528773511750498" /></a><br /><br />This will force the target process to spawn a thread that will load the worm DLL file – pretty neat, considering there is no executable code physically injected.<br /><br />But that’s not all.<br /><br />Following this trick, Conficker will enumerate all threads running inside the targeted process, and for every thread it will add to its queue an Asynchronous Procedure Call (APC).<br /><br />For this purpose it uses an undocumented API NtQueueApcThread() which has the following prototype:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">NtQueueApcThread(HANDLE hThreadHandle, PIO_APC_ROUTINE lpApcRoutine, PVOID pApcRoutineContext, ...),</span><br /><br />where hThreadHandle is a handle of the enumerated thread that receives an APC call into its queue, lpApcRoutine is the address of the entry point to the user APC routine, and pApcRoutineContext is the user defined parameter for APC routine.<br /><br />Guess what address it uses for the user APC routine? 
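The remote-thread trick above, and the APC queueing the post goes on to describe, leave different traces for a defender. Here is an added detection example (not code from the post; Conficker predates the tooling used here) written against Sysmon records: Event ID 8 (CreateRemoteThread) exposes a thread started directly at a kernel32 LoadLibrary export from another process, while the APC route creates no thread at all and so never produces an Event 8, which is why the second rule falls back to Event ID 7 (ImageLoaded) and flags unsigned DLLs mapped into the three processes Conficker targets. The field names are Sysmon's; the sample records, including the DLL name, are constructed for the example.

```python
"""Detection for the injection model discussed above. Added example, not code
from the post. Runs over Sysmon Event 8 / Event 7 records (constructed here)."""
import ntpath

LOADLIBRARY = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
CONFICKER_TARGETS = {"explorer.exe", "svchost.exe", "services.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def remote_loadlibrary_threads(events):
    """Event 8 where another process starts a thread directly at a kernel32
    LoadLibrary export: the thread parameter is then a DLL path the source
    wrote into the target, which is exactly the CreateRemoteThread trick."""
    hits = []
    for e in events:
        if e.get("EventID") != 8:
            continue
        if e["SourceImage"].lower() == e["TargetImage"].lower():
            continue                        # a process threading into itself is normal
        if e.get("StartFunction") in LOADLIBRARY and _base(e.get("StartModule", "")) == "kernel32.dll":
            hits.append({"rule": "remote-thread-loadlibrary",
                         "source": e["SourceImage"], "target": e["TargetImage"],
                         "function": e["StartFunction"]})
    return hits


def unsigned_loads_into_targets(events):
    """Event 7: an unsigned DLL mapped into one of the targeted processes.
    Also covers the APC route, since LoadLibraryExA still runs inside the
    target and the image load is logged regardless of who queued the APC."""
    hits = []
    for e in events:
        if e.get("EventID") != 7 or _base(e["Image"]) not in CONFICKER_TARGETS:
            continue
        if str(e.get("Signed", "")).lower() != "true":
            hits.append({"rule": "unsigned-dll-in-target",
                         "process": e["Image"], "dll": e["ImageLoaded"]})
    return hits


def detect(events):
    """All hits from both rules, in rule order."""
    return remote_loadlibrary_threads(events) + unsigned_loads_into_targets(events)


# Constructed records carrying the Sysmon field names the rules rely on.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\services.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",   # benign: own process
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"EventID": 7, "Image": r"C:\Windows\System32\services.exe",        # assumed DLL name
     "ImageLoaded": r"C:\Windows\System32\qwaztxc.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\services.exe",        # benign: signed
     "ImageLoaded": r"C:\Windows\System32\scesrv.dll", "Signed": "true"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The Event 7 rule is the noisier of the two on hosts that legitimately load unsigned third-party DLLs into svchost.exe; in practice it needs an allow-list of known DLL paths, whereas a cross-process thread starting at LoadLibraryA is rare enough outside debuggers and security products to alert on directly.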
That's right, it's the address of the LoadLibraryExA() API imported from kernel32.dll, and the parameter for this call is the name of the Conficker DLL previously saved inside the process's address space.<br /><br /><em>[Image: conf2.png]</em><br /><br />With the APC queued for the target process's threads, as soon as those threads are signaled, the routine that loads the Conficker DLL is invoked. Hence the remote injection.<br /><br /><b>Removing Persistent Malware</b> (2009-01-21)<br /><br />This blog post is not for the technical guru!<br /><br />While it's not for mums and dads either, its main purpose is to explain to an average user how to manually remove persistent malware that cannot easily be deleted otherwise.<br /><br />A reader who starts shivering on hearing the words <em>"Linux"</em> or <em>"Ubuntu"</em> may find this post useful too – not only to be able to remove persistent malware, but maybe also to get closer to Linux and start using it for Internet banking, as a safer alternative to Windows and Internet Explorer (arguably, of course).<br /><br />Malware removal is a big subject in its own right.
There are many known methods that involve anti-rootkits, dedicated fixtools, or kernel-mode drivers employed by antivirus products, which allow locked malware files to be deleted, wiped out, or simply damaged.<br /><br />Nevertheless, we keep receiving an overwhelming number of requests from various customers asking for help in deleting locked malicious files. This post started as an email template that we used in our responses, but given that so many people ask the same question, it seems reasonable to post this information here for better public exposure.<br /><br />Let's say a user accidentally clicks an attachment and then realizes something has just gone wrong. The attachment is submitted to ThreatExpert. The returned report suggests that an additional malicious file may have been created – the user locates that file and attempts to delete it, but Windows denies access to the file because it is loaded in memory.<br /><br />Quite often, all it takes is to kill a process to unlock the file, or to reboot in safe mode and delete a file that is known to be malicious, or to register the file for delayed removal. But in reality, in many cases it's not that simple. Malware can be loaded into the address space of a legitimate system process, so that terminating that process will crash the system. In a different scenario, a file can be protected by a kernel-mode driver, and that driver is protected by another watchdog thread running inside a legitimate process. The possibilities for malware authors to protect their files are endless. The AV industry does its best to break such protection, but in the end it's still a cat-and-mouse game.<br /><br />A very simple method to delete malicious files is to boot from a different partition that is known to be clear of malware, and then delete the malicious files that reside on the affected partition. This way, the files on the affected partition are not hidden or protected from manipulation (e.g.
any rootkits will be inactive at this stage).<br /><br />There is nothing new in this method, and there are multiple ways to achieve it. But if you have ever experienced the locked-malware-file problem before, it might help to have a Linux start-up CD (LiveCD) in the pocket of your backpack, ready to fix the problem whenever you need it.<br /><br /><b>Scenario</b><br /><br />Let's say a malicious file called <em>malicious_file.exe</em> resides in the <em>%system%</em> directory. This file cannot be deleted for some (unknown) reason.<br /><br /><b>Disclaimer</b><br /><br />Please note that the following description does not cover scenarios where a legitimate file is reported as malicious due to a false positive, or because a firewall/HIPS reports a file as suspicious, or because the user thinks it's malicious; it only explains how to delete a truly malicious file, that is, a file containing code that performs malicious actions.<br /><br />If you're unsure about the purpose of the file you intend to delete, please do not attempt this method. Removal of a system file or a file belonging to legitimate third-party software may corrupt your operating system, other software, or your personal files.<br /><br />The author of this post takes no responsibility for any data corruption that may happen should this method be chosen and tried out. If you decide to follow it anyway, please do so at your own risk!<br /><br />Before you attempt this method, please back up your files and documents!<br /><br /><b>Step 1: Get Ubuntu.</b><br /><br />To start, you'll need to visit the Ubuntu website to <a href="http://www.ubuntu.com/GetUbuntu/download" target="_blank">download</a> the latest version of this Linux distribution.<br /><br />Once you have downloaded the ISO image, please follow <a href="https://help.ubuntu.com/community/BurningIsoHowto" target="_blank">these</a> instructions on how to burn a bootable CD or DVD.<br /><br />Turn off your computer properly from Windows.
Disconnect any USB devices you may have plugged in.<br /><br />Boot your computer from the LiveCD. If you can't boot, please read the detailed explanation on how to fix this problem <a href="https://help.ubuntu.com/community/BootFromCD" target="_blank">here</a>.<br /><br />When you start the boot-up process, make your language choice:<br /><br /><em>[Screenshot: screen1.png]</em><br /><br />Then choose the menu option <em>"Try Ubuntu without any change to your computer"</em>, as shown below:<br /><br /><em>[Screenshot: screen2.png]</em><br /><br />Ubuntu will start booting from your LiveCD.
When it's done, you'll see the following screen:<br /><br /><em>[Screenshot: screen3.jpg]</em><br /><br /><b>Step 2: Locating and Mounting the Affected Windows Partition</b><br /><br />The next thing you'll have to do is find the Windows partition that contains the malicious file(s). In our scenario, it's the file <em>%system%/malicious_file.exe</em>.<br /><br />Click the menu item <em>"Places"</em>, then <em>"Computer"</em>, as shown below:<br /><br /><em>[Screenshot: screen10.jpg]</em><br /><br />The File Browser will open and show a panel similar to the one below:<br /><br /><em>[Screenshot: screen9.png]</em><br /><br />Your Windows partition will most likely be depicted with a hard disk drive icon titled <em>"[X] Gb Media"</em>, where X is the size of your partition in Gb. Most likely the icon will look a bit different from the <em>"Filesystem"</em> one – it will not have a little green indicator on it, because it is not mounted yet.<br /><br />If there are several partitions, there will be several <em>"[X] Gb Media"</em> icons; you will need to identify which one has Windows installed on it – it's not necessarily the first one displayed.<br /><br />Right-click the hard disk icon and select the <em>"Mount Volume"</em> option – its icon should now get a green indicator.<br /><br /><b>Step 3: Locate and Rename/Delete Malicious File(s)</b><br /><br />In the File Browser, double-click the icon of the mounted partition to inspect the directories and file names on it. You should be able to recognize your Windows partition by its contents: navigate to the <em>%system%</em> directory and find the file <em>malicious_file.exe</em>.
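If you prefer the Terminal over the File Browser for this step, here is an added helper script (not part of the original post) that does the same thing: it assumes the Windows partition is already mounted read-write, e.g. at /media/mydisk, finds the file case-insensitively (NTFS ignores case, the Linux path does not), records its SHA-256, and renames the file rather than deleting it, so it can be restored should it later prove to be a false positive.

```shell
#!/bin/sh
# Added example, not part of the original post: quarantine a locked malicious
# file from the Ubuntu LiveCD Terminal instead of the File Browser.
# Assumes the Windows partition is already mounted read-write (e.g. at
# /media/mydisk) and that the file name comes from the ThreatExpert report.

# Map a Windows-style path (backslashes, optional drive letter, any case) to
# the real path under the mount point. NTFS is case-insensitive but the Linux
# path is not, so each component is matched with -iname. Prints the resolved
# path, or prints nothing and returns 1 if a component does not exist.
resolve_windows_path() {
    root=$1
    winpath=$(printf '%s' "$2" | tr '\\' '/' | sed 's/^[A-Za-z]://')
    [ -d "$root" ] || return 1
    cur=$root
    old_ifs=$IFS
    IFS=/
    for part in $winpath; do
        [ -z "$part" ] && continue
        match=$(find "$cur" -mindepth 1 -maxdepth 1 -iname "$part" | head -n 1)
        if [ -z "$match" ]; then
            IFS=$old_ifs
            return 1
        fi
        cur=$match
    done
    IFS=$old_ifs
    printf '%s\n' "$cur"
}

# Rename the file with a .quarantined suffix instead of deleting it, so the
# action can be undone if the file later proves to be a false positive, and
# record its SHA-256 in quarantine.log at the mount root as evidence.
# Prints the hash on success; returns 1 if the file cannot be found.
quarantine_file() {
    root=$1
    target=$(resolve_windows_path "$root" "$2") || return 1
    hash=$(sha256sum "$target" | cut -d ' ' -f 1)
    mv "$target" "$target.quarantined" || return 1
    printf '%s  %s -> %s.quarantined\n' "$hash" "$target" "$target" \
        >> "$root/quarantine.log"
    printf '%s\n' "$hash"
}

# Usage from the LiveCD Terminal (constructed example values):
#   sudo sh quarantine.sh /media/mydisk 'WINDOWS\system32\malicious_file.exe'
if [ "$#" -eq 2 ]; then
    [ -w "$1" ] || { echo "$1 is not writable; is the partition mounted?" >&2; exit 1; }
    quarantine_file "$1" "$2" || { echo "$2 not found under $1" >&2; exit 1; }
fi
```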
From here, the file can be renamed or deleted, as shown below:<br /><br /><em>[Screenshot: screen8.png]</em><br /><br />If the malicious file was renamed or deleted successfully, shut down Ubuntu (shown below), remove the LiveCD, and power on your computer to start Windows again – the system should be clean of the malicious file at this stage.<br /><br /><em>[Screenshot: screen6.png]</em><br /><br /><b>Troubleshooting: What to Do if Volume Mounting Fails</b><br /><br />If Ubuntu fails to mount your partition, it will show the following error message:<br /><br /><em>[Screenshot: screen4.png]</em><br /><br />If you get this error message, then most likely Windows was not powered off properly. The clean way is to shut down Ubuntu, remove the LiveCD, start Windows again, insert the LiveCD, power off your computer from Windows cleanly (e.g. by clicking <em>"Turn Off Computer"</em>), then boot from the LiveCD and repeat Step 2 above.<br /><br />In some cases, shutting down Windows properly is not possible due to system corruption – e.g.
Windows boots up and then crashes before you have a chance to shut it down properly, but you still know which files you want to delete.<br /><br />If powering the computer off properly (from Windows) still does not help mount your Windows partition(s), you will need to force Ubuntu to do it:<br /><ul><br /><li>Close all error messages.</li><br /><br /><li>Start the Terminal program – you will need to run a couple of commands in it:<br /><br /><em>[Screenshot: screen11.png]</em><br /></li><br /><li>Run the following command to list your partitions:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">sudo fdisk -l</span><br /></li><br /><li>From the output of this command, take note of the partition that is marked as bootable (*) and write down its device name.
For example, the output below shows that <em>"/dev/sda1"</em> is the device name of the bootable partition – most likely it's the Windows partition that needs to be mounted:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040"><br /> Device Boot Start End Blocks Id System<br />/dev/sda1 * 1 519 2092576+ 7 HPFS/NTFS<br />/dev/sdb1 1 5099 40957686 2d Unknown<br />/dev/sdb2 5100 9725 37158345 7 HPFS/NTFS<br /></span><br /><br /></li><br /><li>Now you'll need to mount your bootable partition and map it to a directory, e.g. <em>"mydisk"</em>. But first, create that directory by running another command in the Terminal window to create the <em>"/media/mydisk"</em> directory (this step is optional):<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">sudo mkdir /media/mydisk</span><br /></li><br /><li>Finally, instruct Ubuntu to mount your bootable Windows partition:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">sudo mount -t ntfs-3g /dev/sda1 /media/mydisk -o force</span><br /></li><br /></ul><br />If the partition was mounted successfully, the output will say:<br /><br /><span style="font-family:Courier New;font-size:2;color:#404040">$LogFile indicates unclean shutdown (0, 1)<br />WARNING: Forced mount, reset $LogFile.<br /></span><br />You may now run the File Browser again and check whether any of your partitions has changed its icon to the one with a green indicator, as shown below:<br /><br /><em>[Screenshot: screen13.png]</em><br /><br />Repeat Step 3 for the mounted partition to delete the malicious file(s).<br /><br /><b>"The Road to Hell Is Paved With Good Intentions", Part II</b> (2009-01-05)<br /><br />It's been a while since the <a href="http://blog.threatexpert.com/2008/08/beware-good-spyware-or-road-to-hell-is.html" target="_blank">previous post</a> discussed a commercial "intelligence gathering tool".<br /><br />It would have seemed ridiculous, if this time it wasn't the UK government <a href="http://www.timesonline.co.uk/tol/news/politics/article5439604.ece" target="_blank">who thinks</a> it's acceptable to hack into home computers, spread malware via email, log users' keystrokes, or sniff users' traffic, <em>if it "believes" that it is "proportionate" and necessary to prevent or detect serious crime</em>.<br /><br />Whoever came up with this idea is apparently a follower of Niccolò Machiavelli (1469–1527), a strong believer that "the ends justify the means". Especially when it comes to the fight against <em>paedophiles</em> and <em>terrorists</em>, as if those two words did an exceptional job of shutting down one's intellect.
<br /><br />Considering that this news follows other ridiculous reports that the UK military <a href="http://www.theregister.co.uk/2008/12/16/windows_for_submarines_rollout/" target="_blank">will now run</a> nuclear-missile submarines under Windows XP (no, it's not April 1st), one could fairly ask <em>"What exactly is going on in that part of the world?"</em>.<br /><br /><b>How to Defeat Koobface</b> (2008-12-17)<br /><br />As published in the <a href="http://blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html" target="_blank">previous</a> blog post, analysis of the current version of Koobface uncovered a very interesting aspect of it – its "ability" to solve the CAPTCHA protection at the Facebook web site. To put it simply, if Koobface were unable to solve Facebook's CAPTCHA, it would be unable to replicate, because in order to submit a new message one needs to solve the CAPTCHA image first.<br /><br />Every time Koobface runs into CAPTCHA protection at Facebook, it transfers that image to its command-and-control server. From there, the image is relayed to an army of CAPTCHA solvers who work day and night, ready to pick up a new image from their profile, solve it, submit an answer, and get paid something like 0.5 cent per answer.<br /><br />You wonder whether it's financially sustainable?<br /><br />Think about it this way: <a href="http://www-wds.worldbank.org/external/default/WDSContentServer/IW3P/IB/2008/09/02/000158349_20080902095754/Rendered/PDF/wps4620.pdf" target="_blank">according</a> to the World Bank, at least 80% of humanity lives on less than $10 a day. At the same time, web resources like <a href="http://www.kolotibablo.com/" target="_blank">this</a> one give their users an opportunity to make that kind of money ($9) in three hours by solving CAPTCHA images relayed to them.
Don't you think the potential army of CAPTCHA solvers has every reason to grow?<br /><br />Detailed analysis of the traffic between Koobface and its command-and-control server allowed us to tap into its communication channel and inject various CAPTCHA images into it to assess response time and accuracy. The results are astonishing – the remote site solved them all.<br /><br />But here is a twist: uploading a large number of random CAPTCHA images into its communication channel will load its processing capacity, potentially up to the point of denial of service. Well, if not that far, then at least it could harm its business model, considering that the cost of solving all those injected images would eventually be paid by the Koobface gang.<br /><br />The tapping mechanism is best illustrated by the following diagram:<br /><br /><em>[Diagram: koobface_scheme.png]</em><br /><br />A tool was specifically built to upload CAPTCHA images to the Koobface C&C server and receive the responses.
It is available for download <a href="http://www.threatexpert.com/blog/koobface/CaptchaChecker.zip" target="_blank">here</a> (the ZIP file contains a few test images to upload).<br /><br />The tool opens up an interesting "dialog" with the back-end operators, a dialog with some interesting discoveries.<br /><br />At first, the response clearly looks like it was produced by automation:<br /><br /><em>[Image: captcha1.gif]</em><br /><br />As seen in this example, the automation tried to OCR the image (which contains a very specific Russian word) – it's very unlikely that a human would have provided such an answer.<br /><br />Submitting images with provocative phrases had no luck either – the remote server solves them vigorously, as if it were a bot, or maybe a smart operator instructed to reply as if he or she were a bot:<br /><br /><em>[Image: captcha2.gif]</em><br /><br />But given that no automation can presumably handle really complex images, ones that are difficult even for humans to solve, let's try submitting more complex ones with the tool. Here are the results:<br /><br /><em>[Image: captcha3.png]</em><br /><br />As seen in the picture, all of Facebook's CAPTCHAs were solved pretty well.<br /><br />But here are a couple of bloopers – these images were resubmitted because the original answers were totally wrong:<br /><br /><em>[Image: captcha4.gif]</em><br /><br />Let's see how it withstands Google's CAPTCHAs. Here is another blooper revealed:<br /><br /><em>[Image: captcha5.gif]</em><br /><br />Wrong answers like "edtgted rghf", "edrfb dfbn", "dfgd dfg", and "asdf df" mean it was not automation. Otherwise, it would have tried to solve the images at least partially, or maybe provided nonsense for the noise detected in the picture, or some other answer suggesting it was a bot.
In the end, the wrong answers would at least have been consistent across several attempts.<br /><br />These wrong answers simply mean someone was hitting the keyboard (check where those keys are located), giving up on those pictures as puzzles too complex and demanding too much time/attention, in order to proceed to the easier ones.<br /><br />These results suggest that the back-end CAPTCHA server has a queue of CAPTCHA images to solve, and in front of that queue there must be an automation that first tries to solve the CAPTCHAs automatically, using optical character recognition (OCR) techniques. If the automation fails, it passes the image down into the queue to be further distributed and picked up by an operator for manual processing. There is obviously no technical way to counter such relaying, as it destroys the very meaning of CAPTCHA – to distinguish a bot from a human. With the images eventually processed by humans, the only reason to keep CAPTCHA protection is to make the solving process as expensive as 0.5 cent per image.<br /><br />The question is: is it expensive enough to be justified at all? Probably it's expensive enough for the kids who build malware out of curiosity or self-determination (compare it with a trivial latch on your window). But it's nothing for those who build malware for profit (as in the case of Koobface), as more than likely they can afford 0.5 cent per image.<br /><br />Taking the C&C down? Maybe, but it will just pop up in a different place the very next day.<br /><br />A different way of destroying it is by poisoning its traffic with fake CAPTCHAs that look exactly like the ones passed by a genuine Koobface worm. In this case, the Koobface authors will be paying for every fake CAPTCHA solved, the ones generated in the lab rather than the real ones from the wild.<br /><br />Destroying it financially could be the better option in the end.