Another in my line of tutorial reposts.... I really need to finish up some stuff on this... it was just a small thing I played with... there are problems with it... but it will introduce the basics..
The original (with the code) can be found here
I will also attempt to add the code here in the next day or two.... (I've also got a couple smaller code releases planned)...
Due to errors with code formatting and my inability to get wordpress to display html without rendering it I'm going to attach the tutorial as a text file.
Download the Tutorial
Microsoft has released an Out-of-Band Update for the VML issue in IE. I would suggest that everyone visit http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx to obtain this update and download it as soon as possible.
Complete scanning result of "lt.exe", received in VirusTotal at 09.26.2006, 04:22:26 (CET).
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 7.2.0.18 | 09.25.2006 | Worm/Stration.C.5 |
| Authentium | 4.93.8 | 09.25.2006 | no virus found |
| Avast | 4.7.844.0 | 09.25.2006 | no virus found |
| AVG | 386 | 09.25.2006 | I-Worm/Generic.ANE |
| BitDefender | 7.2 | 09.26.2006 | Win32.Worm.Stration.I |
| CAT-QuickHeal | 8.00 | 09.25.2006 | (Suspicious) - DNAScan |
| ClamAV | devel-20060426 | 09.25.2006 | no virus found |
| DrWeb | 4.33 | 09.26.2006 | Win32.HLLM.Limar |
| eTrust-InoculateIT | 23.73.5 | 09.26.2006 | no virus found |
| eTrust-Vet | 30.3.3100 | 09.25.2006 | Win32/Stration.BA |
| Ewido | 4.0 | 09.25.2006 | no virus found |
| Fortinet | 2.82.0.0 | 09.26.2006 | no virus found |
| F-Prot | 3.16f | 09.25.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 09.25.2006 | no virus found |
| Ikarus | 0.2.65.0 | 09.25.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 09.26.2006 | Email-Worm.Win32.Warezov.am |
| McAfee | 4859 | 09.25.2006 | W32/Stration@MM |
| Microsoft | 1.1603 | 09.26.2006 | no virus found |
| NOD32v2 | 1.1775 | 09.26.2006 | Win32/Stration.EL |
| Norman | 5.90.23 | 09.25.2006 | W32/Suspicious_M.gen |
| Panda | 9.0.0.4 | 09.25.2006 | Suspicious file |
| Sophos | 4.10.0 | 09.26.2006 | Mal/Packer |
| Symantec | 8.0 | 09.26.2006 | no virus found |
| TheHacker | 6.0.1.080 | 09.26.2006 | no virus found |
| UNA | 1.83 | 09.25.2006 | no virus found |
| VBA32 | 3.11.1 | 09.25.2006 | no virus found |
| VirusBuster | 4.3.7:9 | 09.25.2006 | no virus found |

Aditional Information
| File size: 201321 bytes |
| MD5: 116c0f5bdc126ce5fe8de20526dad02f |
| SHA1: e9509a4f40d8d00cd16a0467d72ed67f2a3f242c |
| packers: MEW |
So I've done a little playing with this guy... primarily to watch his network behavior.. I'll run a second round with it either tonight or tomorrow and watch the file system and registry changes a little more closely...
After you run the infected file you are greeted with a pop-up box that says "update applied". A process (t2serv.exe; this will be confirmed on my next round of work), which is hidden from taskman and tasklist, seems to carry out the remainder of the work.
From a network point of view, the following occurs.
- DNS Query - MX Record - yahoo.com
- DNS Query - A Record - mx1.mail.yahoo.com
- 4 TCP Packets (SYN) to mx1.mail.yahoo.com (each IP address associated with it)
- DNS Query - A Record - www4.vertionkdaseliplim.com
- TCP Request to www4.vertionkdaseliplim.com:80
- HTTP/1.1 GET Request - /chr/grv/lt.exe
- DNS Query - MX Record - gmail.com
- 4 TCP Packets (SYN) to gmail.com MX (each IP)
- DNS Query - MX Record - hotmail.com
- 4 TCP Packets (SYN) to hotmail.com MX (each IP)
- DNS Query - A Record - www3.vertionkdaseliplim.com
- TCP Request to www3.vertionkdaseliplim.com:80
- HTTP/1.1 POST - /cgi-bin/pr.cgi - POST Data == Ver=3.01&lid=5A6391F158F84B309FCA&type=s&p=0&r=1&m=2&
- DNS Query - A Record - www6.vertionkdaseliplim.com
- TCP Request to www6.vertionkdaseliplim.com:80
- HTTP/1.1 GET Request - /chr/grv/nt.exe (404 Not Found)
- DNS Query - A Record - www2.vertionkdaseliplim.com
- TCP Request to www2.vertionkdaseliplim.com:80
- HTTP/1.1 POST - /cgi-bin/pr.cgi
- POST Data == Ver=3.01&lid=5A6391F158F84B309FCA&type=a&n=0&
- DNS Query - A Record - www2.vertionkdaseliplim.com
- TCP Request to www2.vertionkdaseliplim.com:80
- HTTP/1.1 POST - /dsl2 - POST Data = List of harvested addresses (judging by what they were, the addresses must have been pulled from the IE/Firefox cache)
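Here is an added example (my own illustration, not code from the original post) of turning the sequence above into detection logic. It runs over constructed log lines that follow the observed order; the log layout (time, DNS/TCP/HTTP, fields), the source host and the IP addresses (RFC 5737 documentation ranges) are assumptions, while the domain, paths and POST parameters are the ones seen in the capture. It flags the MX-lookup-then-direct-SMTP pattern of a mass mailer, executable downloads, the pr.cgi check-in (pulling out the lid and type parameters), the address upload to /dsl2, and the use of several numbered hosts under one domain.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (not a real capture): one event per line in the form
# "<time> <DNS|TCP|HTTP> <fields>", following the sequence observed above.
# 192.0.2.10 is the infected host; 198.51.100.x stand in for the mail servers.
SAMPLE_LOG = """\
10:00:01 DNS MX yahoo.com
10:00:01 DNS A mx1.mail.yahoo.com
10:00:02 TCP SYN 192.0.2.10 -> 198.51.100.1:25
10:00:02 TCP SYN 192.0.2.10 -> 198.51.100.2:25
10:00:02 TCP SYN 192.0.2.10 -> 198.51.100.3:25
10:00:02 TCP SYN 192.0.2.10 -> 198.51.100.4:25
10:00:05 DNS A www4.vertionkdaseliplim.com
10:00:05 HTTP GET www4.vertionkdaseliplim.com /chr/grv/lt.exe 200
10:00:09 DNS MX gmail.com
10:00:09 TCP SYN 192.0.2.10 -> 198.51.100.5:25
10:00:11 DNS MX hotmail.com
10:00:11 TCP SYN 192.0.2.10 -> 198.51.100.6:25
10:00:12 DNS A www3.vertionkdaseliplim.com
10:00:12 HTTP POST www3.vertionkdaseliplim.com /cgi-bin/pr.cgi 200 Ver=3.01&lid=5A6391F158F84B309FCA&type=s&p=0&r=1&m=2&
10:00:15 HTTP GET www6.vertionkdaseliplim.com /chr/grv/nt.exe 404
10:00:18 HTTP POST www2.vertionkdaseliplim.com /cgi-bin/pr.cgi 200 Ver=3.01&lid=5A6391F158F84B309FCA&type=a&n=0&
10:00:20 HTTP POST www2.vertionkdaseliplim.com /dsl2 200 alice@example.com;bob@example.org;carol@example.net
"""

WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}  # workstations never need their MX records
CHECKIN_PATH = "/cgi-bin/pr.cgi"
HARVEST_PATH = "/dsl2"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def parse_line(line):
    """Turn one log line into an event dict, or None for lines we do not understand."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts, kind, f = parts[0], parts[1], parts[2:]
    if kind == "DNS" and len(f) == 2:
        return {"ts": ts, "kind": kind, "rtype": f[0], "name": f[1]}
    if kind == "TCP" and len(f) == 4:                       # "SYN <src> -> <dst>:<port>"
        host, port = f[3].rsplit(":", 1)
        return {"ts": ts, "kind": kind, "flag": f[0], "src": f[1], "dst": host, "dport": int(port)}
    if kind == "HTTP" and len(f) >= 4:                      # "<method> <host> <path> <status> [body]"
        return {"ts": ts, "kind": kind, "method": f[0], "host": f[1], "path": f[2],
                "status": int(f[3]), "body": f[4] if len(f) > 4 else ""}
    return None


def analyse(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    # 1. MX lookups for public webmail providers followed by direct SMTP connection attempts
    mx = {e["name"] for e in events if e["kind"] == "DNS" and e["rtype"] == "MX"}
    syn25 = [e for e in events if e["kind"] == "TCP" and e["flag"] == "SYN" and e["dport"] == 25]
    if mx & WEBMAIL_DOMAINS and syn25:
        findings.append({"rule": "mass-mailer", "mx": sorted(mx & WEBMAIL_DOMAINS),
                         "smtp_attempts": len(syn25), "src": sorted({e["src"] for e in syn25})})
    # 2. HTTP: executable fetches, the check-in script and the address upload
    contacted = set()
    for e in events:
        if e["kind"] != "HTTP":
            continue
        contacted.add(e["host"])
        if e["method"] == "GET" and e["path"].lower().endswith(".exe"):
            findings.append({"rule": "exe-download", "url": e["host"] + e["path"], "status": e["status"]})
        elif e["method"] == "POST" and e["path"] == CHECKIN_PATH:
            p = parse_qs(e["body"])                         # trailing '&' is ignored by parse_qs
            findings.append({"rule": "c2-checkin", "host": e["host"], "lid": p.get("lid", [""])[0],
                             "type": p.get("type", [""])[0], "ver": p.get("Ver", [""])[0]})
        elif e["method"] == "POST" and e["path"] == HARVEST_PATH:
            findings.append({"rule": "address-exfil", "host": e["host"],
                             "addresses": len(EMAIL_RE.findall(e["body"]))})
    # 3. several numbered hosts under one registered domain (www2/www3/www4/www6...)
    by_domain = {}
    for h in contacted:
        by_domain.setdefault(".".join(h.split(".")[-2:]), []).append(h)
    for domain, hosts in sorted(by_domain.items()):
        if len(hosts) > 1:
            findings.append({"rule": "c2-domain", "domain": domain, "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The lid value is worth keeping in the finding: it is a per-infection identifier, so seeing the same lid from two internal hosts would suggest cloned images rather than two separate infections.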
Since nt.exe already seems to be gone, I've obtained and stored a copy of lt.exe in case anyone would like a copy. I'll keep everyone in the loop as I dig further into this.
Peace,
HT
I was just about to head off to work when I did one last check of my email... and what do I see but an email with the subject 'Mail Server Report'... The address doesn't look familiar, but I've received a few of these lately from various mailing list submissions. This was the content of the email I opened:
----
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
----
I'm rather impressed.... these bastards are getting slicker and slicker.... or maybe this has been around for a while and I just don't pay much attention... Attached to the email was the file Update-KB8375-x86.zip.
I submitted the file to VirusTotal and here's what I got back:
Complete scanning result of "Update-KB8375-x86.exe", received in VirusTotal at 09.25.2006, 15:50:55 (CET).
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 7.2.0.18 | 09.25.2006 | Worm/Stration.C |
| Authentium | 4.93.8 | 09.25.2006 | no virus found |
| Avast | 4.7.844.0 | 09.25.2006 | no virus found |
| AVG | 386 | 09.22.2006 | no virus found |
| BitDefender | 7.2 | 09.25.2006 | DeepScan:Generic.Stration.F614E1C9 |
| CAT-QuickHeal | 8.00 | 09.25.2006 | (Suspicious) - DNAScan |
| ClamAV | devel-20060426 | 09.25.2006 | no virus found |
| eTrust-InoculateIT | 23.73.4 | 09.24.2006 | Win32/Stration.Variant!Worm |
| eTrust-Vet | 30.3.3098 | 09.25.2006 | no virus found |
| DrWeb | 4.33 | 09.22.2006 | no virus found |
| Ewido | 4.0 | 09.25.2006 | no virus found |
| Fortinet | 2.82.0.0 | 09.25.2006 | suspicious |
| F-Prot | 3.16f | 09.25.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 09.25.2006 | no virus found |
| Ikarus | 0.2.65.0 | 09.25.2006 | no virus found |
| Kaspersky | 4.0.2.24 | 09.25.2006 | no virus found |
| McAfee | 4858 | 09.22.2006 | New Malware.n |
| Microsoft | 1.1560 | 09.24.2006 | no virus found |
| NOD32v2 | 1.1774 | 09.25.2006 | a variant of Win32/Stration |
| Norman | 5.80.02 | 09.25.2006 | no virus found |
| Panda | 9.0.0.4 | 09.25.2006 | Suspicious file |
| Sophos | 4.09.0 | 09.25.2006 | W32/Stratio-AN |
| Symantec | 8.0 | 09.25.2006 | no virus found |
| TheHacker | 6.0.1.079 | 09.25.2006 | no virus found |
| UNA | 1.83 | 09.22.2006 | no virus found |
| VBA32 | 3.11.1 | 09.25.2006 | no virus found |
| VirusBuster | 4.3.7:9 | 09.25.2006 | Trojan.Opnis.Gen!Pac2 |

Aditional Information
| File size: 116144 bytes |
| MD5: 633f4b2991ebdfd9e1611f4ec841a687 |
| SHA1: bb77b78d54c8319caba19302f25ea72135797e18 |
It's great to know that Symantec (one of the more favoured corporate AVs) and AVG (a very popular Free scanner) knew nothing of this virus yet.... If anyone is interested in the file for research or just to play with, let me know
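As an added example (my own script, not part of the original post and not VirusTotal's tooling), here is a small Python parser for reports laid out like the two above. It separates engines that returned a named family signature from those that only returned a heuristic or generic verdict ("Suspicious", "Generic", "New Malware", "Packer", "DNAScan") and from those that returned nothing, and it checks a local file's MD5/SHA1 against the report's "Aditional Information" lines so you know you are comparing the same sample. The embedded excerpt is a subset of the second report; the parser also accepts the one-cell-per-line layout that some copy-and-paste extractions of these tables produce.

```python
import hashlib
import re

# Excerpt of the second VirusTotal report above (a subset of engines, kept short),
# in the pipe-table layout used on this page.
SAMPLE_REPORT = """\
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 7.2.0.18 | 09.25.2006 | Worm/Stration.C |
| Authentium | 4.93.8 | 09.25.2006 | no virus found |
| AVG | 386 | 09.22.2006 | no virus found |
| BitDefender | 7.2 | 09.25.2006 | DeepScan:Generic.Stration.F614E1C9 |
| CAT-QuickHeal | 8.00 | 09.25.2006 | (Suspicious) - DNAScan |
| Fortinet | 2.82.0.0 | 09.25.2006 | suspicious |
| McAfee | 4858 | 09.22.2006 | New Malware.n |
| NOD32v2 | 1.1774 | 09.25.2006 | a variant of Win32/Stration |
| Sophos | 4.09.0 | 09.25.2006 | W32/Stratio-AN |
| Symantec | 8.0 | 09.25.2006 | no virus found |
| MD5: 633f4b2991ebdfd9e1611f4ec841a687 |
| SHA1: bb77b78d54c8319caba19302f25ea72135797e18 |
"""

# Substrings that mark a heuristic/generic verdict rather than a family signature.
HEURISTIC_MARKERS = ("suspicious", "generic", "new malware", "packer", "dnascan")
SEPARATOR = re.compile(r"^:?-+:?$")


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_report(text):
    """Return (engines, meta). A row starts at a line beginning with '|'; in the
    one-cell-per-line layout the following lines carry the remaining cells."""
    rows, current = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.lstrip().startswith("|"):
            if current:
                rows.append(current)
            current = _cells(raw)
        else:
            current.extend(_cells(raw))
    if current:
        rows.append(current)
    engines, meta = [], {}
    for row in rows:
        if len(row) == 4:
            if row[0] == "Antivirus" or all(SEPARATOR.match(c) for c in row):
                continue                                 # header or separator row
            engines.append(dict(zip(("engine", "version", "update", "result"), row)))
        elif len(row) == 1 and ":" in row[0]:            # "MD5: ...", "File size: ..."
            key, value = row[0].split(":", 1)
            meta[key.strip().lower()] = value.strip()
    return engines, meta


def classify(result):
    r = result.lower()
    if r == "no virus found":
        return "missed"
    if any(m in r for m in HEURISTIC_MARKERS):
        return "heuristic"
    return "named"


def summarize(engines):
    counts = {"missed": 0, "heuristic": 0, "named": 0}
    missed_by = []
    for e in engines:
        verdict = classify(e["result"])
        counts[verdict] += 1
        if verdict == "missed":
            missed_by.append(e["engine"])
    detected = counts["heuristic"] + counts["named"]
    return {"total": len(engines), "detected": detected,
            "ratio": detected / len(engines) if engines else 0.0,
            "missed_by": missed_by, **counts}


def file_hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def matches_report(data, meta):
    """True only if both digests of the local bytes equal the ones the report lists."""
    h = file_hashes(data)
    return h["md5"] == meta.get("md5", "").lower() and h["sha1"] == meta.get("sha1", "").lower()


if __name__ == "__main__":
    engines, meta = parse_report(SAMPLE_REPORT)
    print(summarize(engines))
    print("report hashes:", meta)
```

The heuristic/named split matters when reading a report like the ones above: a "Suspicious file" or "Mal/Packer" verdict tells you the engine disliked the packing, not that it knows the family, so the next sample from the same campaign may well slip past it.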
Peace,
HT
You know what I'm fed up with... people making "security" related discoveries that aren't really discoveries... they're just common sense....
There are two guilty parties here that I'm extremely unhappy with: David Kierznowski and pdp. David actually made the news for his Backdooring PDFs blog.... pdp has had several Backdooring .Mov, Backdooring Flash, and Backdooring MP3s..
Let's take a look at each of these..
- PDF - Portable Document Format - A Document that is entirely self-contained and cross platform... These documents have to, essentially, be "compiled" from other documents... sort of like an executable being compiled from source code. It would make sense that they support their own programming language, which in this case happens to be a javascript variant. This isn't a software flaw, it's functional software being utilized completely for malicious reasons.
- MOV - Movie Files - These files quite commonly open a link to the artist's page or the movie's page... They have the ability to open a link and that's exactly what they are doing.
- Flash - This was one I really enjoyed reading... How Flash could have a trojan or virus contained in it... and then he demonstrates a javascript alert... Again... the program opening a page exactly like it was written to do.
- MP3 - MPEG-1 Audio Layer 3 - This was my favourite one... this isn't actually MP3s... it's playlist files that can be named mp3.. So a whole lot of FUD over nothing. If an MP3 is 100 bytes and advertises itself as a full song... obviously it isn't.. Again though, it's a playlist file functioning as it is supposed to.
Every one of these blog posts by both of them is nothing more than FUD generation. The fact that they invested so much time into these "vulnerabilities" tells me something about the.... something I think everyone can come to on their own without me mentioning it.
Then there's the issue of calling these backdoors... Do they know what a backdoor is? By definition this is not a backdoor:
A backdoor in a computer system (or a cryptosystem, or even in an algorithm) is a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.
These people really make me wonder... why not a new one on how to backdoor an exe by writing the source code and compiling it? These all rely on the fact that your browser allows javascript to execute (except perhaps the PDF one, because Acrobat includes its own version of javascript)... These should be called "Covert ways to enter a javascript statement into a browser"... They aren't vulnerabilities and they are not backdoors... They are legitimate uses of the software. Another interesting note is that each time they referred to a file format, when what matters is the program that opens it. The PDF "backdoor" requires Acrobat... it doesn't work on other PDF readers... the MP3 "backdoor" requires Quicktime and the browser plugin (since it's the browser that actually executes the javascript) and, like I mentioned, it's not actually MP3s but renamed playlist files. The MOV one is another example that requires Quicktime and, more specifically, the Quicktime plugin...
Perhaps the message should be -- Don't allow your browser to execute javascript without your permission.... or don't open files you don't trust... but to suggest an inherent flaw in either a file format or a type of software because it's doing what it's supposed to do...
Consider this my security advisory -- Programs do what they are coded to do... and you may not be aware of all their functionality.
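Since the point above is that the file name tells you nothing about what a file will do, here is an added example (my own code, not the author's and not anything from the blogs being discussed) of the check a mail gateway or a cautious user can run: sniff the leading bytes and compare them with what the extension claims, so a playlist renamed to .mp3 is reported as a playlist, and note when a PDF carries /JavaScript, /JS, /OpenAction or /Launch entries that would make the reader do something on open. The sample inputs are constructed; the magic-byte signatures are the standard ones for the formats discussed.

```python
# Content type a file with this extension should have (assumed mapping for the formats above).
EXPECTED = {"mp3": "mp3", "pdf": "pdf", "mov": "quicktime-or-mp4", "qt": "quicktime-or-mp4",
            "mp4": "quicktime-or-mp4", "swf": "flash",
            "m3u": "m3u-playlist", "asx": "asx-playlist", "pls": "pls-playlist"}
# PDF dictionary keys that attach script or an on-open action to the document.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")

# Constructed inputs, not real files. "doc.pdf" carries a harmless alert, the same
# kind of thing the "backdoored PDF" write-ups demonstrated.
SAMPLES = {
    "song.mp3": b"#EXTM3U\nhttp://example.invalid/stream\n",
    "real.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 2000,
    "clip.mov": b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 32,
    "doc.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript "
                b"/JS (app.alert('hi')) >> >>\nendobj\n%%EOF\n"),
    "plain.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
}


def sniff(data):
    """Identify content from its leading bytes, ignoring the file name entirely."""
    head = data[:16]
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"ID3"):                                   # MP3 with an ID3v2 tag
        return "mp3"
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:   # raw MPEG frame sync
        return "mp3"
    if head[4:8] in (b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"):  # QuickTime/ISO atoms
        return "quicktime-or-mp4"
    if head[:3] in (b"FWS", b"CWS", b"ZWS"):                       # uncompressed/zlib/LZMA SWF
        return "flash"
    text = data[:64].lstrip()
    if text[:7].upper() == b"#EXTM3U":
        return "m3u-playlist"
    if text[:4].upper() == b"<ASX":
        return "asx-playlist"
    if text[:10].lower() == b"[playlist]":
        return "pls-playlist"
    return "unknown"


def inspect(name, data):
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXPECTED.get(ext, "unknown")
    detected = sniff(data)
    mismatch = claimed != "unknown" and detected != claimed
    notes = []
    if mismatch and detected.endswith("-playlist"):
        notes.append("playlist disguised as media: the player will open whatever URL it lists")
    if detected == "pdf":
        found = [m.decode() for m in PDF_ACTIVE if m in data]
        if found:
            notes.append("pdf-active-content:" + ",".join(found))
    if detected == "mp3" and len(data) < 4096:
        notes.append("implausibly small for an audio track")
    return {"name": name, "claimed": claimed, "detected": detected, "mismatch": mismatch, "notes": notes}


def scan_all(samples=SAMPLES):
    return [inspect(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan_all():
        print(r)
```

Reporting "pdf-active-content" is deliberately not the same as reporting malware: a PDF with /JavaScript may be a perfectly ordinary form. The point, as the advisory above says, is to know what the file will ask the program to do before you open it.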
Peace,
HT
From the Email
-------
Greetings all,
I've made a new version of pwdump6 available (1.4.0) along with fgdump 1.3.2. These are available respectively at:
http://www.foofus.net/fizzgig/pwdump
and
http://www.foofus.net/fizzgig/fgdump
Full details can be found on their home pages, but both versions provide some feature upgrades as well as bug fixes. Folks with really old versions of either program should definitely look at upgrading, since there are numerous performance improvements and full multithreading capabilities in both packages.
What are pwdump6 and fgdump?
pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.
fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You'll get everything pwdump6 gives you and a lot more.
Enjoy, feel free to contact me with any reported bugs and/or feature requests.
--fizzgig
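Added example, not fizzgig's code and not part of pwdump6 or fgdump: the useful thing to do with a hash dump on your own domain is to audit it. The script below reads lines in the pwdump-style "user:rid:lmhash:nthash:::" layout (assumed here; the sample lines are constructed, and every hash other than the two well-known empty-password constants is made up) and reports accounts whose LanMan hash is still stored, LM hashes whose second half is the empty block (password of seven characters or fewer), blank passwords, and NT hashes shared between accounts (the same password in use more than once).

```python
from collections import defaultdict

# Well-known constants: the LM hash of an empty password is one DES "magic" block
# repeated twice; the NT hash of an empty password is MD4 of the empty string.
LM_EMPTY_HALF = "aad3b435b51404ee"
LM_EMPTY = LM_EMPTY_HALF * 2
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump (assumed pwdump-style layout). Some dumpers print
# "NO PASSWORD*********************" instead of the empty constants.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
alice:1001:1a2b3c4d5e6f7a8baad3b435b51404ee:c0ffeec0ffeec0ffeec0ffeec0ffeec0:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:c0ffeec0ffeec0ffeec0ffeec0ffeec0:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:f00df00df00df00df00df00df00df00d:::
"""


def _normalise(h):
    """Return the lower-case hash, or None when the field means 'no hash stored'."""
    h = h.strip().lower()
    if h.startswith("no password") or h in ("", LM_EMPTY, NT_EMPTY):
        return None
    return h


def parse_dump(text):
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": _normalise(parts[2]), "nt": _normalise(parts[3])})
    return accounts


def audit(accounts):
    findings = []
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] is None:
            findings.append({"rule": "blank-password", "user": a["user"]})
        if a["lm"] is not None:
            # An LM hash present at all means LM storage is still enabled for this account.
            findings.append({"rule": "lm-hash-stored", "user": a["user"]})
            if a["lm"][16:] == LM_EMPTY_HALF:
                # Second 7-byte half is the empty block: the password is at most 7 characters.
                findings.append({"rule": "lm-password-at-most-7-chars", "user": a["user"]})
        if a["nt"] is not None:
            by_nt[a["nt"]].append(a["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings.append({"rule": "shared-nt-hash", "users": users})
    return findings


if __name__ == "__main__":
    for f in audit(parse_dump(SAMPLE_DUMP)):
        print(f)
```

The "lm-hash-stored" finding is the one to chase first: it means the NoLMHash policy is not in effect for that machine or domain, and every account it lists is only as strong as its LM hash regardless of how good the NT password is.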
Many people, especially students, have heard of, and even experienced, TurnItIn.com. I came across the site while in college, and while I never had to use it myself, I knew many professors that required their students to submit all assignments via the site. I've had my concerns and doubts regarding this site... The idea of a third party collecting and holding my data doesn't seem right. We live in a world where privacy is becoming more and more important... but student privacy is going out the door. What if an employee is perusing the database one day and finds a document they like and think will go places... They change the submission information... submit a notice back to the student's professor that the work was copied. The employee attaches their own name to the document and submits it to a magazine for publication... While this may not have happened yet... there's no reason why it couldn't happen.
I worked on a 3rd party data storage solution once for written materials. The idea was that in order to maintain the user's privacy only an encrypted copy, which the 3rd party couldn't open, was stored. This is obviously not the case with TurnItIn.com, as they are making comparisons against your work.
Should a student be forced to submit their work because a percentage of them may cheat... Isn't this like requiring everyone to submit their fingerprints and DNA because some people commit crimes? I'm sure that various privacy foundations would have issues with that, and as a follow up to this I'm contacting both the EFF and PRC to find out their thoughts on TurnItIn.com and its violation of students' privacy... Especially the schools forcing students to make use of it.
I'm not the only one with concerns on this subject; recently a group of high school students from McLean High School in Fairfax County, Virginia formed the Committee for Students' Rights and collected more than 1100 signatures protesting the use of TurnItIn.com at their school. This story was carried by the Washington Post. I love the part that says "Fairfax school and Turnitin officials said lawyers for the company and various universities have concluded that the paper-checking system does not violate student rights." Of course Turnitin's lawyers don't think it violates students' rights... if they said it did, they'd be out of a job.
I'll keep you up to date with responses I get from the EFF and PRC and once again I'd love to hear everyone's thoughts on this issue.
Peace,
HT
A review of, apparently, a yet to be released port of DOSBox to PalmOS has been posted on TamsPalm. It looks fairly interesting and given the power of DOSBox, I'm guessing there are a fair number of things that could be done with this software... I'm rather excited to see it finally be released....or even an alpha download link made available. I might even scour the net to see if I can find it anywhere..
Peace,
HT
Ruby has long been the next language on my list that I'm going to learn... it's always been a matter of finding time... I've finally decided that I'm going to start... so in the future you'll most likely see some basic Ruby stuff from me on this site.... One of the primary sites I'm going to use in my journey is this Learning Ruby site.
It seems to be fairly good at covering all the bases, although it does make the assumption that you have previous programming experience. I'll be reviewing the site as I go through it and learn from it... Also please feel free to share your thoughts and feedback on the site.
Peace,
HT