monkey-tech.com

30 11 2006

I’ll try writing at www.monkey-tech.com/loglines for now.  Thanks for reading my writings and hopefully they’ve helped some of you!





Installing Windows Vista RC2

4 10 2006

I just installed Windows Vista RC2 and hit some bumps.   But I’m here now.  Just a couple of hints for Googlers who might be having problems.

I got a Dell XPS brand new, so I decided to install Windows Vista RC2.  Lo and behold, I immediately get a blue screen before I can even copy a single file from the DVD.

Problem: Blue Screen with STOP 0x000000E1 (WORKER_THREAD_RETURNED_AT_BAD_IRQL)

This happens almost immediately after I select the “Custom Install” button.

Solution: Disable SATA RAID.  In fact, disable all RAID.  Just set your drives to normal ATA or SATA.

Problem: Unable to restore files backed up with Windows XP backup (*.bkf)

Solution: Grab your XP CD and copy the following files (all in I386):

NTBACKUP.EX_
NTMSAPI.DL_
VSSAPI.DL_

Open a Vista command prompt and navigate to wherever you copied the files.  At the command prompt, do:

expand NTBACKUP.EX_ NTBACKUP.EXE
expand NTMSAPI.DL_ NTMSAPI.DLL
expand VSSAPI.DL_ VSSAPI.DLL

Now you can launch NTBACKUP.EXE from that location and it should be able to restore the files created by XP’s built-in backup.

Overall, Vista is working great.  I really like this new OS.  So far, it seems to have security in mind with all the nice locked down settings that don’t make you feel like you are in jail.  Try it and you’ll know what I mean. Go to http://www.microsoft.com/windowsvista

Please drop a comment with your experience with Vista.  This may be the first operating system I actually buy off the shelf (when it becomes available anyway).





Yet Another Update for AutoIT cracking

13 09 2006

UPDATE: New link for the file below: http://www.monkey-tech.com/files/AutoIt%203-Dec.zip

I’ve been hopelessly trying to figure out how to bypass the pass-phrase for AutoIT v. 3.2.0.1. One of our readers, Daniel, kindly posted a link to AntiWPA (http://antiwpa.org.ru/), where they already did this. I downloaded the “improved” decompiler and it worked great. Here’s a link to one of their mirrors (I couldn’t get to the original site):

http://www.thisispain.com/antiwpa/Others/tmp/AutoIt%203-Decompiler%20CW2K-Edition%20+%20Improved%20Version.zip

Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW, I’ll post some OllyDbg things I recently learned soon) where I found out that:

  • The passphrase used for “encrypting” is stored in the file as an MD5 hash.
  • The resulting .exe file is UPXed.
  • To find the MD5, first use the upx.exe provided by AutoIt (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
    • Open a command prompt and use upx.exe with the “-d” switch:
    • Example: upx -d mytestfile.exe
    • More about UPX can be found here: http://en.wikipedia.org/wiki/UPX
  • This will decompress “mytestfile.exe” – it almost doubles in size.
  • The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use Hiew or any binary file viewer – even OllyDbg!).
  • When you run exe2aut to “decrypt” the file, it takes the passphrase you enter and converts it to MD5. There is also some XORing going on. This is where I’m weak right now.
  • At some point, it opens the EXE and does…something. This is where I was stuck.

I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIT decompiler, probably to skip the whole checking of passphrases or fill in the MD5 passphrase from the one in the file.

Why am I doing this? Why do I care? Two reasons:

  1. To emphasise that people should NOT store passwords or sensitive information in their AutoIT scripts.
  2. To quote from the readme file in the “improved” decompiler above:

Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.

 





Malware Evolves

24 08 2006

Malware hit another milestone in evolution – or even worse, it’s only been noticed now.

Previously, malware would arrive as a whole executable, being downloaded, emailed or dropped by passing worms.  Then the “dropper” arrived, which is small code that contains just enough evil to download the other parts of itself from other systems.  The worst ones hit random websites from a long list. Mitglieder comes to mind, where it connected to one of many IPs to get a list of other IPs to connect to.  The smallest dropper I’ve seen in the wild was 4KB (FSG-packed ect.exe – detected as Downloader-NE by McAfee).   Later, instead of downloading executables, they started downloading image files that were actually executables.

The ISC now reports that a handler found malware that downloads what looks like garbage (ASCII strings) from other websites ONLY when fed with the proper malware headers.  Seems fair enough – whack a site (or host one) that feeds normal web pages, but when called with a special header, serves other purposes. We’ve all seen that before, I’m sure.  The last one I saw was a control channel that served code 302 web pages (permanently moved) to microsoft.com.  So, even if you hit it with text browsers, etc, you would see nothing wrong.  But when given a specific code, it would give instructions to do something else. 

The scary part with this one is that the ASCII strings downloaded are actually an encoded executable. Encoded how? However the attacker wants. In this case, it was bit shifted and XORed by 0x13. Attackers could easily create their own “encoding” scheme and the download would be, well, undetectable. This leaves the workstation AV as the last line of defense.

This worries me, especially since there seems to be an elitist, this-is-how-AV-will-work mentality in the AV industry.  Check the Matasano blog for some AV companies and researchers crying foul about a recent Consumer Reports test of AV products here and here.  The current mentality seems to be that modifying an existing virus for testing purposes is unethical and is an “unscientific” method of testing anti-virus products.  Uh, ok.  And test driving a car on a test track at top speed is also unethical and proves nothing.

Me? I’m preparing for the day an encrypted, time-dilated, port-hopping, host-hopping, TOR-using control channel appears via an intelligent morphing virus spread by a fully functional disappearing Trojan delivered by a short-lived, network-only worm that exploits device drivers.

Or maybe that day is already here, and we just don’t know it.





[FINALLY!] Google to warn over unsafe sites

7 08 2006

Although this does nothing to come close to mitigating this threat, it does help and at least brings attention to the matter.  Now if only people practiced safer web browsing.

Link to article on monstersandcritics.com 

Internet search engine Google is to begin warning users about potential spyware or adware risks associated with websites it links to.
The world’s most popular search engine will present users with a warning message if they are about to enter a site that is known to contain spyware or other programmes that can seriously damage personal computers, allowing them the option of returning to the search results page instead of continuing on to the page in question.

The new feature, part of a growing raft of security measures introduced by Google, is set to go live this Friday, presenting what security experts call the first significant step in the fight against so-called ‘Badware’ – software designed to harm a user’s computer or scam them in some way.

It is estimated that, on average, around five per cent of all websites retrieved via search engines contain badware, making the measure increasingly necessary if web users are to continue trusting Google’s content.

© 2006 Adfero Ltd.





awk Talk

31 07 2006

Why I love awk:

# One record per line: SIP SP P DIP DP TIME.  Group on SIP, P, DIP and DP
# (the source port is ignored) and remember the first, every and last TIME
# seen for each group, using a "key-suffix" naming scheme in one array.
{
    key = $1 "_" $3 "_" $4 "_" $5
    if (!((key "-begin") in x)) {
        x[key "-begin"] = x[key "-c"] = x[key "-end"] = $6
    } else {
        x[key "-c"] = x[key "-c"] " " $6
        x[key "-end"] = $6
    }
}
END {
    for (item in x) {
        if (match(item, "begin")) {
            split(item, y, "-")
            # HH:MM:SS.MS -> seconds since midnight
            split(x[y[1] "-begin"], t1, ":")
            split(x[y[1] "-end"], t2, ":")
            tim1 = t1[1] * 3600 + t1[2] * 60 + t1[3]
            tim2 = t2[1] * 3600 + t2[2] * 60 + t2[3]
            # keep only groups that span at least 30 minutes
            if ((tim2 - tim1) >= 1800) {
                split(y[1], z, "_")
                print z[1] " " z[2] " " z[3] " " z[4] " = " x[y[1] "-c"]
            }
        }
    }
}

The awk program above takes a large file (e.g. 68,000 lines) whose lines consist of: SIP SP P DIP DP TIME

SIP = Source IP
SP = Source Port
P = Protocol
DIP = Destination IP
DP = Destination Port
TIME = Time of event (HH:MM:SS.MS)

And it:

  1. Builds a pseudo multi-dimensional array (awk doesn’t do “true” multidimensional arrays) with TIME as the value and SIP_P_DIP_DP as the key.
  2. Walks the array, computes each group’s start and end time, and excludes groups that don’t last at least 30 minutes (1800 seconds).
  3. Prints the matching groups in this format:
          SIP P DIP DP = <Start Time> <Middle Time> … <Middle Time> <End Time>
     This also reduces the data set to 1,620 lines, since groups that fail the duration check are eliminated and the relevant lines are collapsed into a single line.

AND it runs at ridiculous speed.  Maybe on a faster box it would be ludicrous speed, but on my test box (rather old), it does this in about 2.25 seconds.  Rather fast if you consider the job, I think.

Other tests:

Data Set Size / Time = Rate
67,741 / 2.25s = 30,107.10/sec
556,834 / 29.12s = 19,122.05/sec
1,117,668 / 91.95s = 12,111.67/sec
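As an added example (not the post’s own script), here is the same long-lived-flow filter wrapped in a shell function and run over a few constructed records in the SIP SP P DIP DP TIME format, with one addition the original lacks: a negative span is assumed to be a single midnight crossing. The threshold is a parameter, so the 30-minute cutoff is just one input.

```shell
# Constructed sample records in the post's SIP SP P DIP DP TIME format
# (not real traffic).  The third tuple crosses midnight.
SAMPLE='10.0.0.5 51234 TCP 203.0.113.9 443 09:00:00.000
10.0.0.5 51234 TCP 203.0.113.9 443 09:10:00.000
10.0.0.5 51234 TCP 203.0.113.9 443 09:45:30.500
10.0.0.7 40000 TCP 198.51.100.2 80 10:00:00.000
10.0.0.7 40001 TCP 198.51.100.2 80 10:05:00.000
10.0.0.9 33000 UDP 192.0.2.53 53 23:50:00.000
10.0.0.9 33001 UDP 192.0.2.53 53 00:25:00.000'

# long_flows MIN_SECONDS: read records on stdin and print one line per
# SIP/P/DIP/DP tuple whose first-to-last span is at least MIN_SECONDS,
# as "SIP P DIP DP = <times...>", sorted so the output order is stable.
long_flows() {
    awk -v min="$1" '
    # HH:MM:SS.MS -> seconds since midnight
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    {
        key = $1 "_" $3 "_" $4 "_" $5        # source port deliberately ignored
        if (!(key in first)) { first[key] = $6; times[key] = $6 } else {
            times[key] = times[key] " " $6
        }
        last[key] = $6
    }
    END {
        for (key in first) {
            span = secs(last[key]) - secs(first[key])
            if (span < 0) span += 86400      # assumption: at most one midnight crossing
            if (span >= min) {
                split(key, f, "_")
                print f[1], f[2], f[3], f[4], "=", times[key]
            }
        }
    }' | sort
}

# Helpers that return checkable values from the sample data.
count_long_flows() { printf '%s\n' "$SAMPLE" | long_flows "$1" | wc -l | tr -d ' '; }
first_long_flow()  { printf '%s\n' "$SAMPLE" | long_flows "$1" | head -n 1; }

printf '%s\n' "$SAMPLE" | long_flows 1800
```

With the 1800-second threshold the 10.0.0.7 tuple (5 minutes) is dropped, while the 10.0.0.5 tuple (45.5 minutes) and the midnight-crossing 10.0.0.9 tuple (35 minutes) are kept.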





Update to AutoIT Passphrase Info

25 07 2006

I got a couple of questions in the comment box about the AutoIT passphrases.  Here’s an update/clarification:

  • The debugger must be attached prior to entering a dummy passphrase, then paused after the error message comes up (at least for ollydbg).
  • This does not seem to work with AutoIt version 3.x.  (Thanks Greg).  It does work on AutoIt version 2.x.




How to Practice Safe Web Browsing

12 07 2006

Here’s the problem:  In the past, most computers connected to the Internet were directly connected.  In other words, another user on the Internet could connect to your machine directly.  This allowed malware to propagate rather quickly, connecting to vulnerable ports opened by unnecessary programs running on your machine.  Today, most people use some sort of router or firewall.  Even Windows comes with a built-in firewall.  This means that “direct attacks” on your open ports have become more difficult.  The attack target turned to “publicly accessible ports” such as web servers, FTP servers, mail servers, etc.  All the while, there was an attack vector that was slowly gaining momentum: client-side attacks – attacks that require the user to actually do something.  Client-side vulnerabilities became the focus of hackers.  Most vulnerabilities released nowadays are client-side vulnerabilities.  ActiveX, JavaScript, e-mail end users, etc. have become the target.

What this means is that you can have millions of dollars of routers, firewalls, proxies, etc invested in protecting your network (or your home computer), but all you need to do is to open a web page to a compromised or malicious web site and whammo! your computer is hacked.  

Most people practice Safe E-Mail by not opening email from unknown persons or using Anti-Virus software to strip malware from emails.  But I’d venture to guess that 99% of people DO NOT practice safe web browsing.

Safe Web Browsing means that you disable all of the bells and whistles for unknown web sites.  This means the fancy drop-down menus, the scrolling text, the fancy Flash sites, etc. all go away.  But I want it! you say.  Well, you still can, with a little work.  You need to make use of the ‘Trusted Sites’ zone in Internet Explorer (I’m sure Firefox and other web browsers have something similar, but if you are not using IE then you can probably figure out how to find them!).  Internet Explorer has several zones available (click on Tools/Internet Options, then click on the “Security” tab).  Most websites are in the “Internet Zone.”  What you need to do is set the Internet Zone to a really high setting (i.e. HIGH) or customize the settings so that Java, JavaScript and ActiveX don’t run AT ALL.  Then, set the “Trusted Sites” zone to “Medium.”

When you have a website that you use often (e.g. paredes-ohana.org):

  1. Click on Tools/Internet Options then the Security tab.
  2. After that, click on “Trusted Sites” and then click on the “Sites” button. 
  3. Uncheck the “Require server verification…” checkbox. 
  4. Add the site by typing, without the quotes: “*.wordpress.com” in the “Add this Web Site…” field, then click on “Add”. 
  5. Click OK until you close all the windows.
  6. You may need to “Refresh (F5)” the web page if you were looking at it before doing this.

By doing this, you ensure that if you get redirected to a hacker site or happen to click on a bad link (like when Googling), you won’t get whacked by a client-side attack.  Since most Microsoft products use IE settings, this should help with your other often-attacked Microsoft applications too.  It’s more work, but once you start doing it, you’ll get used to it and it will seem natural.  Think of it as clutching your purse or watching your surroundings when you are walking in a bad neighborhood.  You don’t HAVE to do it, but it’s probably best to.