30 11 2006

I’ll try writing at for now.  Thanks for reading my writings and hopefully they’ve helped some of you!

Installing Windows Vista RC2

4 10 2006

I just installed Windows Vista RC2 and hit some bumps.   But I’m here now.  Just a couple of hints for Googlers who might be having problems.

I got a brand new Dell XPS, so I decided to install Windows Vista RC2.  Lo and behold, I immediately get a blue screen before I can even copy a single file from the DVD.

Problem: Blue Screen with STOP 0x000000E1 (WORKER_THREAD_RETURNED_AT_BAD_IRQL)

This happens almost immediately after I select the “Custom Install” button.

Solution: Disable SATA RAID.  In fact, disable all RAID.  Just set your drives to normal ATA or SATA.

Problem: Unable to restore files backed up with Windows XP backup (*.bkf)

Solution: Grab your XP CD and copy the following files (all in I386):


Open a Vista command prompt and navigate to wherever you copied the files.  At the command prompt, do:


Now, you can launch NTBACKUP.EXE from that location and it should be able to restore your XP built-in backup created files.

Overall, Vista is working great.  I really like this new OS.  So far, it seems to have security in mind with all the nice locked down settings that don’t make you feel like you are in jail.  Try it and you’ll know what I mean. Go to

Please drop a comment with your experience with Vista.  This may be the first operating system I actually buy off the shelf (when it becomes available anyway).

Yet Another Update for AutoIT cracking

13 09 2006

UPDATE: New link for the file below:

I’ve been hopelessly trying to figure out how to bypass the pass-phrase for AutoIT v. One of our readers, Daniel, kindly posted a link to ANITWPA (, where they already did this. I downloaded the “improved” decompiler and it worked great. Here’s a link to one of their mirrors (I couldn’t get to the original site):

Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW, I’ll post some OllyDbg things I recently learned soon) where I found out that:

  • The passphrase used for “encrypting” is stored in the file as an MD5 hash.
  • The resulting .exe file is UPXed.
  • To find the MD5, first use the upx.exe provided by autoit (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
    • Open a command prompt and use upx.exe with the “-d” switch:
    • EXAMPLE: upx -d mytestfile.exe
    • More about UPX can be found here:
  • This will decompress “mytestfile.exe” – it almost doubles in size.
  • The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use hiew or any binary file viewer – even OllyDbg!).
  • When you run the exe2aut to “decrypt” the file, it will take the passphrase you enter and convert it to MD5. There is also some XORing going on. This is where I’m weak right now.
  • At some point, it will open the EXE and do…something. This is where I was stuck.

I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIT decompiler, probably to skip the whole checking of passphrases or fill in the MD5 passphrase from the one in the file.

Why am I doing this? Why do I care? Two reasons:

  1. To emphasise that people should NOT store passwords or sensitive information in their AutoIT scripts.
  2. To quote from the readme file in the “improved” decompiler above:

Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.


Malware Evolves

24 08 2006

Malware hit another milestone in evolution – or even worse, it’s only been noticed now.

Previously, malware would arrive as a whole executable, downloaded, emailed or dropped by passing worms.  Then the “dropper” arrived: a small piece of code that contains just enough evil to download the other parts of itself from other systems.  The worst ones hit random websites from a long list. Mitglieder comes to mind: it connected to one of many IPs to get a list of other IPs to connect to.  The smallest dropper I’ve seen in the wild was 4KB (FSG-packed ect.exe, detected as Downloader-NE by McAfee).  Later, instead of downloading executables, they started downloading image files that were actually executables.

The ISC now reports that a handler found malware that downloads what looks like garbage (ASCII strings) from other websites ONLY when fed with the proper malware headers.  Seems fair enough – whack a site (or host one) that feeds normal web pages, but when called with a special header, serves other purposes. We’ve all seen that before, I’m sure.  The last one I saw was a control channel that served code 302 web pages (permanently moved) to  So, even if you hit it with text browsers, etc, you would see nothing wrong.  But when given a specific code, it would give instructions to do something else. 

The scary part with this one is that the downloaded ASCII strings are actually an encoded executable. Encoded how? However the attacker wants. In this case, it was bit shifted and XORed with 0x13. Attackers could easily create their own “encoding” scheme, and the download would be, well, undetectable. This leaves the workstation AV as the last line of defense.
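A triage check for the trick described above, written here as an added example (it is not code from the original post, and the bytes are not the sample's): it brute-forces single-byte XOR keys and 8-bit rotations over a downloaded blob and reports the pair that reveals a PE header. Assumptions: the post's “bit shifted” is treated as a rotation (a plain shift discards bits), the XOR key is one byte, and the sample blob is constructed inline.

```python
"""Triage helper: find a byte-wise transformed PE inside a download that
looks like ASCII junk. Added example, not from the original post.
Assumes the transform is an 8-bit rotation followed by a single-byte XOR."""
from itertools import product

def rotl8(b, n):
    """Rotate an 8-bit value left by n bits (n taken mod 8)."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF

def rotr8(b, n):
    """Rotate an 8-bit value right by n bits."""
    return rotl8(b, (8 - (n & 7)) & 7)

def decode(blob, key, rot):
    """Undo 'rotate left by rot, then XOR key', byte by byte."""
    return bytes(rotr8(b ^ key, rot) for b in blob)

def looks_like_pe(data):
    """DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_hidden_pe(blob):
    """Try all 256 XOR keys x 8 rotations; return (key, rot) that reveals
    a PE image, or None. Cheap 2-byte check first, full check on a hit."""
    for key, rot in product(range(256), range(8)):
        if decode(blob[:2], key, rot) == b"MZ" and looks_like_pe(decode(blob, key, rot)):
            return key, rot
    return None

# Constructed sample (not real malware bytes): a minimal fake PE header,
# transformed the way the post describes it: rotate, then XOR with 0x13.
def fake_pe_header():
    hdr = bytearray(128)
    hdr[0:2] = b"MZ"
    hdr[60:64] = (64).to_bytes(4, "little")  # e_lfanew -> offset 64
    hdr[64:68] = b"PE\x00\x00"
    return bytes(hdr)

SAMPLE_BLOB = bytes(rotl8(b, 1) ^ 0x13 for b in fake_pe_header())

if __name__ == "__main__":
    hit = find_hidden_pe(SAMPLE_BLOB)
    print("no PE found" if hit is None else "PE recovered: key=0x%02x rot=%d" % hit)
```

Pointing this at a real download only tells you a PE is hiding behind one specific family of transforms; an attacker who picks a different scheme, as the post says, defeats it, which is exactly why host-side AV ends up being the last line.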

This worries me, especially since there seems to be an elitist, this-is-how-AV-will-work mentality in the AV industry.  Check the Matasano blog for some AV companies and researchers crying foul about a recent Consumer Reports test of AV products here and here.  The current mentality seems to be that modifying an existing virus for testing purposes is unethical and is an “unscientific” method of testing anti-virus products.  Uh, ok.  And test driving a car on a test track at top speed is also unethical and proves nothing.

Me? I’m preparing for the day an encrypted, time-dilated, port-hopping, host-hopping, TOR-using control channel appears via an intelligent morphing virus spread by a fully functional disappearing Trojan delivered by a short-lived, network-only worm that exploits device drivers.

Or maybe that day is already here, and we just don’t know it.

[FINALLY!] Google to warn over unsafe sites

7 08 2006

Although this comes nowhere close to mitigating the threat, it does help and at least brings attention to the matter.  Now if only people practiced safer web browsing.

Link to article on 

Internet search engine Google is to begin warning users about potential spyware or adware risks associated with websites it links to.
The world’s most popular search engine will present users with a warning message if they are about to enter a site that is known to contain spyware or other programmes that can seriously damage personal computers, allowing them the option of returning to the search results page instead of continuing on to the page in question.

The new feature, part of a growing raft of security measures introduced by Google, is set to go live this Friday, presenting what security experts call the first significant step in the fight against so-called ‘Badware’ – software designed to harm a user’s computer or scam them in some way.

It is estimated that, on average, around five per cent of all websites retrieved via search engines contain badware, making the measure increasingly necessary if web users are to continue trusting Google’s content.

© 2006 Adfero Ltd.

awk Talk

31 07 2006

Why I love awk:

{
    key = $1 "_" $3 "_" $4 "_" $5            # SIP_P_DIP_DP; $6 is TIME (HH:MM:SS.MS)
    if (!(x[key "-begin"])) {
        x[key "-begin"] = x[key "-c"] = x[key "-end"] = $6
    } else {
        x[key "-c"] = x[key "-c"] " " $6; x[key "-end"] = $6
    }
}
END {
    for (item in x) {
        if (match(item, "-begin$")) {
            split(item, y, "-begin"); split(y[1], z, "_")
            split(x[y[1] "-begin"], t1, ":"); split(x[y[1] "-end"], t2, ":")
            tim1 = t1[1]*3600 + t1[2]*60 + t1[3]
            tim2 = t2[1]*3600 + t2[2]*60 + t2[3]
            if ((tim2 - tim1) >= 1800)
                print z[1] " " z[2] " " z[3] " " z[4] " = " x[y[1] "-c"]
        }
    }
}

The awk program above takes a large file (e.g. 68,000 lines) whose lines consist of: SIP SP P DIP DP TIME

SIP = Source IP
SP = Source Port
P = Protocol
DIP = Destination IP
DP = Destination Port
TIME = Time of event (HH:MM:SS.MS)

And it:

  1. Builds a pseudo multi-dimensional array (awk doesn’t do “true” multidimensional arrays) with TIME as the value and SIP_P_DIP_DP as the key.
  2. Checks the array, calculates the start time and end time, and excludes events that don’t last at least 30 minutes (1800 seconds).
  3. Prints out matching lines in this format:
          SIP P DIP DP = <Start Time> <Middle Time> … <Middle Time> <End Time>
     This also reduces the data set to 1620 lines, since invalid groups are eliminated and the relevant lines are collapsed into a single line.

AND it runs at ridiculous speed.  Maybe on a faster box it would be ludicrous speed, but on my test box (rather old), it does this in about 2.25 seconds.  Rather fast if you consider the job, I think.

Other tests:

Data Set Size / Time = Rate
67,741 / 2.25s = 30,107.10/sec
556,834 / 29.12s = 19,122.05/sec
1,117,668 / 91.95s = 12,111.67/sec

Update to AutoIT Passphrase Info

25 07 2006

I got a couple of questions in the comment box about the AutoIT passphrases.  Here’s an update/clarification:

  • The debugger must be attached prior to entering a dummy passphrase, then paused after the error message comes up (at least for OllyDbg).
  • This does not seem to work with AutoIt version 3.x.  (Thanks Greg).  It does work on AutoIt version 2.x.