Category Archives: Security

Thoughts and code about security

Reversing malware, a little story.

I’ve always been a fan of reverse engineering, not because of cracking; I don’t really care about cracking… Well, let’s be honest, I crack software from time to time, especially when I need it and don’t have the money to buy it, but that is out of the scope of this blog. I like reverse engineering because it allows a deep inspection of how things work, and in some cases you can make a program suit your needs by adding extra features. From time to time I like to reverse malware, just to see how it works. I generally find malware developers talented, and I like to see what’s going on under the hood.

Some days ago a guy who works in a local computer repair shop mailed me an image of a “computer with a strange behaviour”: it opened IE on a certain page and then blocked the user from doing anything else. Even after a restart it would boot normally and then do the same thing again, which didn’t happen in Safe Mode. I asked for a copy of the client’s HDD but was refused, since it was the client’s and could have anything on it. I asked for more information about the client’s computer: 32-bit Windows XP, possibly a pirated copy of the OS, no firewall running, not updated, 106 GB of illegally downloaded movies and software, and the user said the last visited page was a porn site. Then another user came up with the same malware, Windows 7 this time, watching porn too. I kept in contact with these guys for the next five days. After those five days they had 10 computers with the same problem; two were Windows 7, and one user hadn’t watched porn but had downloaded pirated software from torrents. I quickly set up a honeypot: installed Windows XP, installed a couple of debuggers I use a lot and Wireshark, didn’t allow it to update, killed the firewall, didn’t install any antivirus, and started visiting porn sites. I visited A LOT, randomly clicking videos and advertisements… Ok, pause… Do you want to know how I made my penis 30 inches long? I cut it in half, dipshit advertisers. After one day I was finally infected, after being asked to download and execute an executable. After every restart the malware would start IE with that page asking for money to disinfect. Cool story bro, but I am not willing to pay for disinfecting my honeypot. It wouldn’t start in Safe Mode though.

I went into Safe Mode and took a copy of the Wireshark capture AND a copy of the registry. I was pretty sure that the malware launched IE with some command-line argument that made it load that page and somehow open full screen, like games do. The first thing I noticed in the registry was an entry that executed a batch file on system boot. I grabbed a copy of the batch file and cleaned the registry entry, which was actually two entries, in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Both of these entries share the weakness of not being processed in Safe Mode, which is what allowed me to go further. I booted normally and everything worked like a charm, BUT the virus was still there. The batch file was simply a command line that executed a .exe file. I grabbed the .exe and loaded it into IDA Pro.
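Checking those two Run keys in a registry export is a quick triage step for exactly this kind of persistence, so here is a small added example (my own code, not anything from the original post or from the malware) that parses a .reg export and flags Run entries that hand off to a batch file or to cmd.exe. The sample export, its value names and its paths are constructed placeholders; real .reg exports are UTF-16LE text, so decode them before parsing.

```python
import re

# Constructed sample of a registry export (decoded to str; real .reg exports are
# UTF-16LE). The "updater" values are hypothetical and mimic the persistence
# described above: a Run entry that launches a batch file at boot. Paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"updater"="cmd.exe /c \"C:\\WINDOWS\\system32\\placeholder\\run.bat\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\run.bat"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data", where both sides may contain backslash-escaped characters
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Heuristic for the behaviour described above: control handed to a batch script or cmd
SUSPICIOUS = re.compile(r"\.(bat|cmd)\b|\bcmd(\.exe)?\s", re.IGNORECASE)

def unescape(s: str) -> str:
    # In .reg exports a backslash escapes the following character (\\ and \")
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_keys(reg_text: str) -> dict:
    """Return {key_path: {value_name: command}} for every ...\\CurrentVersion\\Run key."""
    runs, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            current = path if path.lower().endswith(r"\currentversion\run") else None
            if current:
                runs[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current:
            runs[current][unescape(val.group(1))] = unescape(val.group(2))
    return runs

def flag_suspicious(runs: dict) -> list:
    """Return (key_path, value_name, command) for every Run entry matching the heuristic."""
    return [(k, n, c) for k, vals in runs.items()
            for n, c in vals.items() if SUSPICIOUS.search(c)]
```

Calling `flag_suspicious(parse_run_keys(SAMPLE_REG))` returns the two constructed "updater" entries and leaves the legitimate ones alone; on a real export, review every hit rather than treating the heuristic as proof.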

The first thing I noticed was that it didn’t have any anti-reversing protection: no IsDebuggerPresent(), no packer, no obfuscation, not even a checksum. That made my life really easy. Time to see the internals. The executable had a lot of hardcoded strings, such as the registry values, and some others that were possibly debugging strings, since they were mostly of the “Failed to do that” kind.

The internals… When the user executed the program for the first time, it called a function I named “IsRegistryCreated” in IDA Pro, which checked whether the registry key was set and returned 0 if not. A conditional JMP then led to a function (no parameters) that set the registry value for the batch file. Next it called another function checking whether the batch file existed; again a Boolean function, returning 0 if it didn’t (in my case it returned 1). If it was 0, another conditional JMP was taken to a function with a single parameter, the path to the batch file, which was again hardcoded and looked like %SYSTEM%/blah/blah/blah. If everything was set, the malware called system() and passed it IE and the page, making it fullscreen and “disabling” keyboard and mouse using two simple things. The mouse couldn’t move past the borders of the screen (thus not allowing the user to press the X button and terminate the program), using functions from <windows.h> I think. To kill the keys it used _getch() like a keylogger would, but it checked the input, and if it found Ctrl+Alt+Del it did nothing (actually it blocked it entirely); anything else, such as [a-z/A-Z,0-9/~-+], was allowed so that the user could enter the Paysafecard credentials and pay for the disinfection. If the user entered the credentials, the malware contacted a remote host via a .php file, which returned 1 if the amount and the credentials were right and 0 if not. The malware would then delete the batch file and the registry entry and prompt the user for a restart.

Summing up, it turned out that about 5000 users had been infected, and my sources tell me that the developer was busted. Btw, the host serving the infection was located somewhere in Romania. Anyway, although I had no difficulty reversing this, it highlighted once again that you don’t need 0day exploits to own someone: you need to find someone foolish enough and make them trust you.

End of message 😛

File Inclusions with SQL.

The last time I posted something technical it was about SQL injection. I described how to identify a vulnerable parameter and how to exploit it manually; it is also possible to use something FREE like sqlmap, or other free or commercial products.

This time we are going to talk about Local File Inclusion and Remote File Inclusion. So, what is file inclusion?

Reverse engineering and processors

This is a post of intellectual masturbation. It is also a post I wrote some time ago. Before you start reading, know that I think reverse engineering is an art form :)

I met a guy who said he is developing anti-reversing techniques: obfuscating code, injecting junk assembly just to hide the main entry point of the program; he is even deploying code to detect when a debugger or a disassembler is running and obfuscate his code some more.

The other day I met another guy. We had a conversation about anti-reversing techniques. He was a Microsoft fanboy. Actually he was THE Microsoft fanboy. He got a MacBook Pro and installed Windows on it. Note here that I am not an Apple fanboy, but if I had to choose between Mac and Windows, I’d stick with Mac.

SQL Cheatsheets

I suppose you have already read this.

When I was writing the post “SQL injections” I mentioned that I didn’t know some MsSQL reserved words. This time I have some cheatsheets, mostly from darkc0de, but you can find everything on the web too. Remember: “A dumb asks questions, a smart asks Google first” :)

Browser history cache

Let’s say you want to get data from a box but there’s no shell (remember “Where there is a shell, there is a way” - Unix :) ) or there is no alternative way to collect information about a user. Well, there is; now you have this.

This is proof-of-concept code by Zalewski, a Google security researcher.

Comments:
I tried it and it worked in both Opera and Chrome; Firefox with the NoScript add-on failed (obviously). Firefox without NoScript worked well enough.

Hopefully, I’ll comment more about this exploit sometime later :)

Have fun reading the PoC code :)

SQL injections

Databases are pieces of software that allow massive amounts of data to be stored in a structure defined by the developer. All this data can be easily accessed using SQL. The data can be anything: text, personal identification numbers, credit card numbers or even files in certain cases. The success of these databases is that anyone with the proper authorization can access the data both fast and easily. The access is achieved through SQL, which stands for Structured Query Language.