monkey-tech.com

30 11 2006

I’ll try writing at www.monkey-tech.com/loglines for now.  Thanks for reading my writings and hopefully they’ve helped some of you!





Installing Windows Vista RC2

4 10 2006

I just installed Windows Vista RC2 and hit some bumps, but I'm here now. Here are a couple of hints for Googlers who might be having the same problems.

I got a Dell XPS brand new, so I decided to install Windows Vista RC2. Lo and behold, I immediately get a blue screen before I can even copy a single file from the DVD.

Problem: Blue Screen with STOP 0x000000E1 (WORKER_THREAD_RETURNED_AT_BAD_IRQL)

This happens almost immediately after I select the “Custom Install” button.

Solution: Disable SATA RAID.  In fact, disable all raid.  Just set your drives to normal ATA or SATA.

Problem: Unable to restore files backed up with Windows XP backup (*.bkf)

Solution: Grab your XP CD and copy the following files (all in I386):

NTBACKUP.EX_
NTMSAPI.DL_
VSSAPI.DL_

Open a Vista command prompt and navigate to wherever you copied the files. At the command prompt, do:

expand NTBACKUP.EX_ NTBACKUP.EXE
expand NTMSAPI.DL_ NTMSAPI.DLL
expand VSSAPI.DL_ VSSAPI.DLL

Now, you can launch NTBACKUP.EXE from that location and it should be able to restore your XP built-in backup created files.

Overall, Vista is working great.  I really like this new OS.  So far, it seems to have security in mind with all the nice locked down settings that don’t make you feel like you are in jail.  Try it and you’ll know what I mean. Go to http://www.microsoft.com/windowsvista

Please drop a comment with your experience with Vista.  This may be the first operating system I actually buy off the shelf (when it becomes available anyway).





Yet Another Update for AutoIT cracking

13 09 2006

UPDATE: New link for the file below: http://www.monkey-tech.com/files/AutoIt%203-Dec.zip

I’ve been hopelessly trying to figure out how to bypass the pass-phrase for AutoIT v. 3.2.0.1. One of our readers, Daniel, kindly posted a link to AntiWPA (http://antiwpa.org.ru/), where they already did this. I downloaded the “improved” decompiler and it worked great. Here’s a link to one of their mirrors (I couldn’t get to the original site):

http://www.thisispain.com/antiwpa/Others/tmp/AutoIt%203-Decompiler%20CW2K-Edition%20+%20Improved%20Version.zip

Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW, I’ll post some OllyDbg things I recently learned soon) where I found out that:

  • The passphrase used for “encrypting” is stored in the file as an MD5 hash.
  • The resulting .exe file is UPXed.
  • To find the MD5, first use the upx.exe provided by autoit (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
    • Open a command prompt and use upx.exe with the “-d” switch:
    • EXAMPLE: upx -d mytestfile.exe
    • More about UPX can be found here: http://en.wikipedia.org/wiki/UPX
  • This will decompress “mytestfile.exe” – it almost doubles in size.
  • The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use hiew or any binary file viewer – even OllyDbg!).
  • When you run the exe2aut to “decrypt” the file, it will take the passphrase you enter and convert it to MD5. There is also some XORing going on. This is where I’m weak right now.
  • At some point, it will open the EXE and do…something. This is where I was stuck.

I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIT decompiler, probably to skip the whole checking of passphrases or fill in the MD5 passphrase from the one in the file.

Why am I doing this? Why do I care? Two reasons:

  1. To emphasise that people should NOT store passwords or sensitive information in their AutoIT scripts.
  2. To quote from the readme file in the “improved” decompiler above:

Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.






Malware Evolves

24 08 2006

Malware hit another milestone in evolution – or even worse, it’s only been noticed now.

Previously, malware would arrive as a whole executable, being downloaded, emailed or dropped by passing worms. Then the “dropper” arrived, which is small code that contains just enough evil to download the other parts of itself from other systems. The worst ones hit random websites from a long list. Mitglieder comes to mind, where it connected to one of many IPs to get a list of other IPs to connect to. The smallest dropper I’ve seen in the wild was 4KB (FSG-packed ect.exe – detected as Downloader-NE by McAfee). Later, instead of downloading executables, they started downloading image files that were actually executables.

The ISC now reports that a handler found malware that downloads what looks like garbage (ASCII strings) from other websites ONLY when fed with the proper malware headers.  Seems fair enough – whack a site (or host one) that feeds normal web pages, but when called with a special header, serves other purposes. We’ve all seen that before, I’m sure.  The last one I saw was a control channel that served code 302 web pages (permanently moved) to microsoft.com.  So, even if you hit it with text browsers, etc, you would see nothing wrong.  But when given a specific code, it would give instructions to do something else. 

The scary part with this one is that the ASCII strings downloaded are actually an encoded executable. Encoded how? However the attacker wants. In this case, it was bit shifted and XORed by 0x13. Attackers could easily create their own “encoding” scheme and the download would be, well, undetectable. This leaves the workstation AV as the last line of defense.
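As an added example (not code from the original post), here is a small Python triage check for the kind of layer described above: it brute-forces all 256 single-byte XOR keys and all 8 bit-rotation amounts and reports the pair, if any, that turns a downloaded blob into something with a DOS “MZ” stub and a “PE” signature at the offset stored in e_lfanew. The sample blob is constructed here from a stub PE header encoded with rotate-left 3 and then XOR 0x13; rotation stands in for the post's “bit shifted” step (a plain shift throws bits away and is not reversible), and the 0x13 key is the one the post mentions. As the post says, a scheme that is not this simple would not be caught by this check; it only shows how cheap the simple layers are to see through.

```python
# Added example: brute-force a single-byte XOR + bit-rotation "encoding" of a
# downloaded blob and report whether any (key, rotation) pair yields a PE image.
# Triage logic only; the sample blob below is constructed, not a real download.

def rotl(b: int, n: int) -> int:
    """Rotate one byte left by n bits (n in 0..7)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def rotr(b: int, n: int) -> int:
    """Rotate one byte right by n bits (n in 0..7)."""
    return ((b >> n) | (b << (8 - n))) & 0xFF

def encode(data: bytes, key: int, rot: int) -> bytes:
    """Constructed encoder used to build the sample: rotate left, then XOR."""
    return bytes(rotl(b, rot) ^ key for b in data)

def decode(data: bytes, key: int, rot: int) -> bytes:
    """Inverse of encode(): undo the XOR, then rotate right."""
    return bytes(rotr(b ^ key, rot) for b in data)

def looks_like_pe(blob: bytes) -> bool:
    """'MZ' at offset 0 and 'PE\\0\\0' at the offset held in e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_encoding(blob: bytes):
    """Try every (key, rotation) pair; return the first that decodes to a PE, else None."""
    for key in range(256):
        for rot in range(8):
            if looks_like_pe(decode(blob, key, rot)):
                return key, rot
    return None

def build_stub_pe() -> bytes:
    """Constructed minimal PE-shaped header: MZ stub, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)        # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")            # e_lfanew points just past it
    hdr += b"PE\x00\x00" + b"This program cannot be run in DOS mode.\r\n"
    return bytes(hdr)

# Constructed "download": the stub encoded the way the post describes (rotation + XOR 0x13).
ENCODED_SAMPLE = encode(build_stub_pe(), key=0x13, rot=3)

if __name__ == "__main__":
    hit = find_encoding(ENCODED_SAMPLE)
    print("no simple XOR/rotate layer found" if hit is None
          else f"decodes to a PE with key=0x{hit[0]:02x}, rotate-right={hit[1]}")
```

The search is 2048 decode attempts, which is cheap enough to run on every text-looking response a proxy or sandbox logs; the PE check is deliberately strict (both the MZ stub and the PE signature at the right offset) so that a random key producing “MZ” by chance is not reported.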

This worries me, especially since there seems to be an elitist, this-is-how-AV-will-work mentality in the AV industry.  Check the Matasano blog for some AV companies and researchers crying foul about a recent Consumer Reports test of AV products here and here.  The current mentality seems to be that modifying an existing virus for testing purposes is unethical and is an “unscientific” method of testing anti-virus products.  Uh, ok.  And test driving a car on a test track at top speed is also unethical and proves nothing.

Me? I’m preparing for the day an encrypted, time-dilated, port-hopping, host-hopping, TOR-using control channel appears via an intelligent morphing virus spread by a fully functional disappearing Trojan delivered by a short-lived, network-only worm that exploits device drivers.

Or maybe that day is already here, and we just don’t know it.





[FINALLY!] Google to warn over unsafe sites

7 08 2006

Although this does not come close to mitigating this threat, it does help and at least brings attention to the matter. Now if only people practiced safer web browsing.

Link to article on monstersandcritics.com 

Internet search engine Google is to begin warning users about potential spyware or adware risks associated with websites it links to.
The world’s most popular search engine will present users with a warning message if they are about to enter a site that is known to contain spyware or other programmes that can seriously damage personal computers, allowing them the option of returning to the search results page instead of continuing on to the page in question.

The new feature, part of a growing raft of security measures introduced by Google, is set to go live this Friday, presenting what security experts call the first significant step in the fight against so-called ‘Badware’ – software designed to harm a user’s computer or scam them in some way.

It is estimated that, on average, around five per cent of all websites retrieved via search engines contain badware, making the measure increasingly necessary if web users are to continue trusting Google’s content.

© 2006 Adfero Ltd.





War Rocketing?

5 08 2006

If there was ever a story that deserved a LOL, it’s this one:

 http://www.securityfocus.com/brief/273

War driving by rocket at 6,800 feet

Some funny excerpts:

“The hobbyists equipped three rockets with wireless access points capable of scanning for networks during the rockets’ parachute-assisted descent, a technique they dubbed “war rocketing””

Let’s see: war-driving, war-walking, war-talking, war-rocketing??? What are they war-smoking?

“While the largest rocket, known as a Nike Smoke, could scan more than 50 square miles of land for wireless networks, the rocket could only be launched in rural areas, where such hardware is rare.”

…uhhhhh….DUH?

“Unsurprisingly, the rocket only detected two other networks.”

At this point, I’m snickering.

“The two smaller rockets–one of which was launched in a rural area–found 3 access points in the sparsely populated area and 7 networks near the college town of Charlottesville, VA. “These access points were scattered across rural farms that we could not detect from the ground,” Hill said.”

Oh, I see.  So you have access points that you cannot detect from the ground?  What direction were the access point antennas pointed??!?

Seriously, though, scanning for wireless networks is so common that some people wanted to do something new with it.  And, you CAN detect just about any wireless device, unless it’s in a tempest-rated room inside of a solid concrete structure with no windows.  Yes, this was a very geeky thing to do, but this smells like a publicity stunt.

“The rockets were built for less than $1,000 in total, and each launch cost $35 for the smaller rockets and $200 for the larger one.”

Make that a cheap publicity stunt.  But an expensive (and foolish) attempt at demonstrating, uh, something, or whatever it is they wanted to demonstrate to the DEFCON crowd.





awk Talk

31 07 2006

Why I love awk:

{
    # fields: $1=SIP $2=SP $3=P $4=DIP $5=DP $6=TIME; group on SIP_P_DIP_DP (source port ignored)
    key = $1 "_" $3 "_" $4 "_" $5;
    if (!((key "-begin") in x)) {
        # first line for this group: start, collected times and end are all this TIME
        x[key "-begin"] = x[key "-c"] = x[key "-end"] = $6;
    } else {
        # later lines: append the TIME to the list and move the end marker
        x[key "-c"] = x[key "-c"] " " $6;
        x[key "-end"] = $6;
    }
}
END {
    for (item in x) {
        if (match(item, "begin")) {
            split(item, y, "-");                  # y[1] is the SIP_P_DIP_DP key
            split(x[y[1] "-begin"], t1, ":");     # HH:MM:SS.MS -> t1[1], t1[2], t1[3]
            split(x[y[1] "-end"], t2, ":");
            tim1 = t1[1]*3600 + t1[2]*60 + t1[3];
            tim2 = t2[1]*3600 + t2[2]*60 + t2[3];
            if ((tim2 - tim1) >= 1800) {          # keep groups lasting 30 minutes or more
                split(y[1], z, "_");
                print z[1] " " z[2] " " z[3] " " z[4] " = " x[y[1] "-c"];
            }
        }
    }
}

The awk program above takes a large file (e.g. 68,000 lines) whose lines consist of: SIP SP P DIP DP TIME

SIP = Source IP
SP = Source Port
P = Protocol
DIP = Destination IP
DP = Destination Port
TIME = Time of event (HH:MM:SS.MS)

And it:

  1. Builds a pseudo multi-dimensional array (awk doesn’t do “true” multidimensional arrays) with TIME as the value and SIP_P_DIP_DP as the key.
  2. Checks the array, calculates the start time and end time, and excludes events that don’t last at least 30 minutes (1800 seconds).
  3. Prints out matching lines in this format:
          SIP P DIP DP = <Start Time> <Middle Time> … <Middle Time> <End Time>
     This also reduces the data set to 1620 lines, since invalid groups are eliminated and the relevant lines are collapsed into a single line.

AND it runs at ridiculous speed.  Maybe on a faster box it would be ludicrous speed, but on my test box (rather old), it does this in about 2.25 seconds.  Rather fast if you consider the job, I think.

Other tests:

Data Set Size / Time = Rate
67,741 / 2.25s = 30,107.10/sec
556,834 / 29.12s = 19,122.05/sec
1,117,668 / 91.95s = 12,111.67/sec
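As an added example that is not part of the original post, here is the same collapse-and-filter written in Python, with two things the awk one-liner quietly assumes made explicit: lines must arrive sorted by time (the first line seen for a group is its start, the last is its end), and a group that crosses midnight would otherwise get a negative duration and be dropped. The sample lines are constructed in the post's SIP SP P DIP DP TIME format; the 1800-second threshold is the post's.

```python
# Added example (not the post's own code): Python port of the awk collapse-and-filter
# with the midnight-wrap edge case handled. Input is assumed sorted by time, as the awk
# program also assumes.

# Constructed sample in the post's format: SIP SP P DIP DP TIME (HH:MM:SS.MS)
SAMPLE_LINES = """\
10.0.0.5 51000 6 192.168.1.10 443 08:00:00.000
10.0.0.5 51001 6 192.168.1.10 443 08:10:00.000
10.0.0.5 51002 6 192.168.1.10 443 08:45:00.000
10.0.0.9 40000 17 192.168.1.53 53 09:00:00.000
10.0.0.9 40001 17 192.168.1.53 53 09:05:00.000
10.0.0.7 52000 6 192.168.1.20 22 23:50:00.000
10.0.0.7 52001 6 192.168.1.20 22 00:25:00.000
"""

def to_seconds(hhmmss: str) -> float:
    """HH:MM:SS.MS -> seconds since midnight (same arithmetic as the awk)."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def collapse_long_lived(text: str, min_seconds: int = 1800) -> list:
    """Group lines by SIP_P_DIP_DP (source port ignored, as in the awk), keep groups
    whose first-to-last span is at least min_seconds, and collapse each to one line:
    'SIP P DIP DP = t1 t2 ... tn'."""
    groups = {}                               # dict keeps first-seen order (Python 3.7+)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                          # skip blank or malformed lines
        sip, _sport, proto, dip, dport, t = parts
        groups.setdefault((sip, proto, dip, dport), []).append(t)
    out = []
    for key, times in groups.items():
        span = to_seconds(times[-1]) - to_seconds(times[0])
        if span < 0:
            span += 86400                     # end is past midnight: assume one wrap
        if span >= min_seconds:
            out.append(" ".join(key) + " = " + " ".join(times))
    return out

if __name__ == "__main__":
    for row in collapse_long_lived(SAMPLE_LINES):
        print(row)
```

With the constructed sample, the 443 group (45 minutes) and the SSH group that runs from 23:50 to 00:25 survive, while the two DNS lookups five minutes apart are dropped; the awk version would have discarded the SSH group because 00:25 minus 23:50 is negative.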





Update to AutoIT Passphrase Info

25 07 2006

I got a couple of questions in the comment box about the AutoIT passphrases. Here’s an update/clarification:

  • The debugger must be attached prior to entering a dummy passphrase, then paused after the error message comes up (at least for ollydbg).
  • This does not seem to work with AutoIt version 3.x.  (Thanks Greg).  It does work on AutoIt version 2.x.




Cracking AutoIT Encryption Passphrases

16 07 2006

Auto IT (http://www.autoitscript.com) is a Windows utility that administrators can use to automate certain tasks, especially those that they have to do on multiple machines (e.g. PC rollouts). It’s basically just a scripting language. When deploying PCs or performing administrative tasks, an administrator will usually hardcode their passwords into the script so they don’t have to enter them all the time. In order to prevent your passwords from being discovered by curious users, you can “compile” your Auto IT script and encrypt it using a secret passphrase. Auto IT provides a de-compiler for undoing the encryption, but you need to provide that passphrase.

About a year ago, I came across some malware that utilized an Auto IT script that was compiled and encrypted. In order to find out exactly what the malware did, I had to crack open the script. Using the Auto IT de-compiler and a debugger (i.e. OllyDbg), it’s fairly straightforward to find the passphrase:

  1. Launch the de-compiler (Exe2Aut) and attach to it using the debugger.
  2. Choose the Auto IT file to de-compile.
  3. Enter anything for the passphrase.
  4. When you get the error message about entering the wrong passphrase, go to the debugger and pause the process.
  5. Check the stack and you should find the correct passphrase in the stack (in my tests, I’ve found it at location 0012F6BC in the stack). OllyDbg will show this in ASCII.

Once you have the passphrase, enter it into the Auto IT de-compiler and you get the Auto IT source script, and you can find out exactly what the code is doing.

** NOTE: The author of AutoIT has said that their “encryption” is really more of an “encoding” because it’s not secure — so, DO NOT put in Domain Passwords or anything of value in your AutoIT script. A better hacker would surely write a separate program for extracting the passphrase from compiled AutoIT scripts. But in this case that would be overkill considering how easy it is to find the passphrase.
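As an added example that is not part of either AutoIT post, here is a Python check for the mistake both posts warn about (the NOTE above, and reason 1 in the September update): a credential hard-coded in an .au3 script, which compile-time “encryption” does not protect. It flags quoted literals assigned to variables whose names suggest a secret, and quoted literals in the password position of RunAs/RunAsWait, while ignoring anything in a ‘;’ comment. The sample script, its variable names, and the assumed RunAs argument order (username, domain, password) are constructed for the example; the found values are masked so the scanner's own output does not leak the secret.

```python
# Added example (not the posts' own code): flag hard-coded credentials in AutoIt
# scripts before they are compiled, since the compiled form can be decompiled.
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed AutoIt (.au3) rollout script with the mistake both posts warn about.
SAMPLE_AU3 = r'''; rollout.au3 -- constructed example, not a real script
$domain = "CORP"
$adminUser = "svc_deploy"
$adminPass = "Winter2006!"          ; <-- hard-coded domain password
$share = "\\fileserver\installs"
RunAsWait($adminUser, $domain, $adminPass, 0, $share & "\setup.exe")
RunAs("helpdesk", "CORP", "hunter2", 0, "msiexec /i agent.msi")
$timeout = 30
$apiKey = InputBox("Key", "Enter the API key")   ; asked for at run time: fine
'''

# A $variable whose name hints at a secret, assigned a quoted literal.
SECRET_ASSIGN = re.compile(
    r'\$(\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*(["\'])(.*?)\2', re.I)
# RunAs / RunAsWait: assumed argument order (user, domain, password, ...); a quoted
# literal in the third position is a password in the script.
RUNAS_LITERAL = re.compile(
    r'\bRunAs(?:Wait)?\s*\([^,]+,[^,]+,\s*(["\'])(.*?)\1', re.I)

@dataclass
class Finding:
    line: int
    kind: str
    detail: str

def strip_comment(line: str) -> str:
    """Drop a trailing ';' comment, ignoring ';' inside string literals."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line

def mask(value: str) -> str:
    """Keep only the first character so reports do not reproduce the secret."""
    return (value[:1] + "*" * (len(value) - 1)) if value else '""'

def scan_au3(source: str) -> list[Finding]:
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        m = SECRET_ASSIGN.search(code)
        if m:
            findings.append(Finding(no, "literal-secret",
                                    f"${m.group(1)} = {mask(m.group(3))}"))
        m = RUNAS_LITERAL.search(code)
        if m:
            findings.append(Finding(no, "runas-literal",
                                    f"password argument {mask(m.group(2))}"))
    return findings

if __name__ == "__main__":
    for f in scan_au3(SAMPLE_AU3):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Line 6 of the sample, which passes the password through a variable, is caught by way of the assignment on line 4; a fuller scanner would track variables into call arguments, but the two patterns above already cover the way the first post describes administrators writing these scripts. The fix is the one the NOTE gives: prompt for the credential at run time (as the InputBox line does) or read it from a store the script's user is already authorised to, never from the script text.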





How to Practice Safe Web Browsing

12 07 2006

Here’s the problem: In the past, most computers connected to the Internet were directly connected. In other words, another user on the Internet could connect to your machine directly. This allowed malware to propagate rather quickly, connecting to vulnerable ports opened by unnecessary programs running on your machine. Today, most people utilize some sort of router or firewall. Even Windows comes with a built-in firewall. This means that “direct attacks” on your open ports have become more difficult. The attack target turned to “publicly accessible ports” such as web servers, FTP servers, mail servers, etc. All the while, there was an attack vector that was slowly gaining momentum: client-side attacks – or attacks that require the user to actually do something. Client-side vulnerabilities became the focus of hackers. The most common vulnerabilities released nowadays are client-side vulnerabilities. ActiveX, JavaScript, e-mail end users, etc. have become the target.

What this means is that you can have millions of dollars of routers, firewalls, proxies, etc invested in protecting your network (or your home computer), but all you need to do is to open a web page to a compromised or malicious web site and whammo! your computer is hacked.  

Most people practice Safe E-Mail by not opening email from unknown persons or using Anti-Virus software to strip malware from emails.  But I’d venture to guess that 99% of people DO NOT practice safe web browsing.

Safe Web Browsing means that you disable all of the bells and whistles for unknown web sites. This means the fancy drop-down menus, the scrolling text, the fancy Flash sites, etc. all go away. But I want it! you say. Well, you still can, with a little work. You need to make use of the ‘Trusted Sites’ zone in Internet Explorer (I’m sure Firefox and other web browsers have something similar, but if you are not using IE then you can probably figure out how to find them!). Internet Explorer has several zones available (click on Tools/Internet Options, then click on the “Security” tab). Most websites are in the “Internet Zone.” What you need to do is set the Internet Zone to a really high setting (i.e. HIGH) or customize the settings so that Java, JavaScript and ActiveX don’t run AT ALL. Then, set the “Trusted Sites” zone to “Medium.”

When you have a website that you use often (e.g. paredes-ohana.org):

  1. Click on Tools/Internet Options then the Security tab.
  2. After that, click on “Trusted Sites” and then click on the “Sites” button. 
  3. Uncheck the “Require server verification…” checkbox. 
  4. Add the site by typing, without the quotes: “*.wordpress.com” in the “Add this Web Site…” field, then click on “Add”. 
  5. Click OK until you close all the windows.
  6. You may need to “Refresh (F5)” the web page if you were looking at it before doing this.

By doing this, you ensure that if you get redirected to a hacker site or happen to click on a bad link (like when Googling), you won’t get whacked by a client-side attack. Since most Microsoft products use IE settings, this should help with your other often-attacked Microsoft applications too. It’s more work, but once you start doing it, you’ll get used to it and it will seem natural. Think of it as clutching your purse or watching your surroundings when you are walking in a bad neighborhood. You don’t HAVE to do it, but it’s probably best to.