Tuesday, January 5, 2010

GNU GPL Malware?

If you see a snippet of javascript that looks malicious, begins with /*GNU GPL*/ and ends with "<!--ce7ed70d30ae259fa4babe8cbf7849b9-->", it is malicious, and apparently if you want to use it you are free to modify it as you see fit. Perhaps the only stipulation is that you provide the source code when you use it to infect client computers. I think that means no right-click javascript trapping! Anywho, it appears to call out to a server in a subdomain of ampsguide.ru on port 8080, which then creates an iframe to the same server, and so on...

Happy opensource pwning!

Sunday, June 14, 2009

Hacking iPhone SMS Alerts

I couldn't find a good way to change my SMS alert sounds on my iPhone w/o running winterboard or some other UI program. Instead, this is a way to do it w/o installing any additional software.

Requirements: a jailbroken iPhone with SSH, a Mac of some sort with iTunes and an SSH/SCP client (or Windows for some of it).

1) Make a backup of all the original files (/Applications/Preferences.app/English.lproj/Sounds.strings and /System/Library/Audio/UISounds/sms-received*.caf).
2) Convert whatever mp3 you want to use as the alert into a caf file: follow http://support.apple.com/kb/HT1348 to convert it to aiff, then rename the .aif file to .caf.
3) Rename the file(s) to sms-received[1-6].caf, and make a note of which number(s) you create (this is necessary if you want to change the name of it).
4) Copy the newly created file back over to your iPhone; the following mapping applies: 1-Tri-tone, 2-Chime, 3-Glass, 4-Horn, 5-Bell, 6-Electronic.
5) From now on this requires a Mac, or some way to do it on Windows that I don't know.
6) Copy your backup of Sounds.strings to Sounds.strings.new
7) Run plutil -convert xml1 Sounds.strings.new
8) Keeping the above mapping in mind, change whatever name you want in the now-XML version of Sounds.strings.new, and save the file.
9) Run plutil -convert binary1 Sounds.strings.new
10) Copy this Sounds.strings.new to your iPhone, overwriting /Applications/Preferences.app/English.lproj/Sounds.strings.
11) Enjoy, and don't complain to me if you mess something up.

[Edit: Apparently I can't use google correctly (Another Tutorial), but that one lacks the ability to change the labels]

Tuesday, January 27, 2009

NFSEN UI Patch

It looks like the NFSEN sourceforge project isn't that active, so I'm just going to throw my patch up here. The patch prints out additional information about public IP space from the Dshield IP lookup. The result will look something like this:



First patch lookup.php

--- /home/nfsen-1.3/html/lookup.php 2007-07-20 07:32:48.000000000 -0500
+++ /home/nfsen-1.3_new/html/lookup.php 2009-01-27 09:46:12.000000000 -0600
@@ -51,12 +51,26 @@ header("Content-type: text/html; charset
<body>

<?php
-
-nfsend_query("@lookup", $opts, 1);
-nfsend_disconnect();
-unset($_SESSION['nfsend']);
-CloseLogFile();
-
+if (preg_match('/(?:^10\.|192\.168\.|172\.16\.)/',$lookup))
+{
+ nfsend_query("@lookup", $opts, 1);
+ nfsend_disconnect();
+ unset($_SESSION['nfsend']);
+ CloseLogFile();
+}
+else
+{
+ $url = 'http://www.dshield.org/ipinfo.html?ip='.$lookup;
+ $ch = curl_init($url);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ $output = curl_exec ($ch);
+ preg_match('/(<table.*?table>)/ms', $output, $regs);
+ $tab = preg_replace('/(?:class.*?=.*?".*?"| \(click for more detail\))/','',$regs);
+ $tab = preg_replace('/ipdetails/','ipinfo',$tab);
+ $tab = preg_replace('/href.*?=.*?"/','target="_blank" href="http://www.dshield.org',$tab);
+ curl_close ($ch);
+ echo '<h3>' . $tab[1] . '</h3>';
+}
?>

</body>
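
Review bot: the else branch echoes HTML fetched from dshield.org straight into the NfSen page after only cosmetic regex rewrites (`echo '<h3>' . $tab[1] . '</h3>';`), so whatever that third-party response contains, including script, is rendered inside the authenticated UI; `$lookup` is also interpolated into the URL unencoded and unvalidated, and the private-space check is anchored only for `10.`, so `8.192.168.1` is treated as private while most of 172.16.0.0/12 (172.17 through 172.31) is sent off to dshield. Suggested: validate with `filter_var($lookup, FILTER_VALIDATE_IP)`, anchor the pattern as `^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)`, urlencode the parameter, set CURLOPT_TIMEOUT and check `curl_exec` for false before the `preg_match`, and escape or whitelist the fetched table (`$regs[1]`) rather than echoing it. Note too that the else branch skips the `nfsend_disconnect()` / `CloseLogFile()` calls the original always ran, so the nfsend session and log handle stay open on public lookups.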


Then patch lookup.css

--- /home/nfsen-1.3/html/css/lookup.css 2007-07-20 07:32:46.000000000 -0500
+++ /home/nfsen-1.3_new/html/css/lookup.css 2009-01-27 09:28:27.000000000 -0600
@@ -21,3 +21,13 @@ h3 {
margin-top:10px;
margin-bottom:6px;
}
+
+td {
+ font-family: Verdana;
+ font-size: 10px;
+ margin:0px;
+}
+
+tr {
+ margin:0px;
+}
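
Review bot: `margin` has no effect on `td` or `tr` (CSS margins do not apply to table-cell and table-row boxes), so both `margin:0px` declarations are dead; if the aim is to tighten the dshield table's spacing, use `padding:0` on `td` and `border-spacing:0` (or `border-collapse:collapse`) on the table instead. Consider scoping the selectors as well (e.g. `h3 td`, matching the wrapper lookup.php emits) so the rule does not restyle every table cell on the lookup page.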

Monday, January 5, 2009

Dell Mouse Hack

Simple hack to physically change the direction of the scroll wheel on a Dell 5 button mouse. The thing that makes this so easy is that the leads for the scroll wheel are plugged into the mouse board. So by simply switching the wires you can change the mouse so scrolling up actually scrolls down and vice versa. A simple 7-minute prank you can pull on co-workers.

Step 1: Hope they have a mouse that looks like:

Step 2: Pull it apart

Step 3: Remove the white wires with a small screwdriver by prying up (only slightly) the white tabs on the plug


Step 4: Cross the streams

Step 5: Reassemble

Wednesday, August 27, 2008

Kill-o-copter!

Maybe I could make up a story about how sweet it is to pen-test a helicopter, or perhaps regale you with stories about how I flew on my own private 'copter. Unfortunately, neither of those are true... instead you get to view some of the work stress-relief practiced around here.


This is/was an IMEX Stinger VX helicopter, completely ready to fly. Or in our case, crash. We managed to break both skids, a tail support and completely dislodge the rotor gears in about 10 minutes. See... we really are good at breaking stuff!


Security - 1. Kill-o-copter - 0.


Wednesday, July 23, 2008

Pwning Javascript Malware: a soup to nuts approach

First, some words of caution. This will (or should) set off any anti-virus software you have running on your machine. Also, this is live malicious code, so please don't run it... which is the reason we use Linux to poke at this stuff. Again, live + malicious = bad, so don't run it.


It seems that, other than a handful of ISC posts, javascript de-obfuscation references are few and far between. So taking what ISC and others have started, and maybe finished privately (just think, if you shared we wouldn't be having this talk now, and I could have watched more episodes of BSG), we have constructed our own process of malware de-obfuscation. Don't worry, this won't be a lame tutorial on how to hex decode something, or "look, you can change eval(unescape("...")); to document.write(unescape("..."))". This will give an overview of looking at multiple levels of obfuscation that use arguments.callee and were written specifically for Internet Explorer. So where's the "amazing" part? I'm going to tell you how to do it with SpiderMonkey on Linux.

A quick rundown of things you will need:


  1. SpiderMonkey patched to print eval(), but I'll show you why that's not necessary any more
  2. mystubs.js and mypost.js available here
  3. This script to emulate Internet Explorer's arguments.callee functionality
  4. A version of Chaosreader patched to do de-chunking (if you're getting this stuff from a chunked session)
  5. Some sort of text editor
  6. And the Javascript you want to de-obfuscate

If you can't find some malicious Javascript to de-obfuscate, you can download our example and follow along. The password for the zip file is 'pwned'.

After downloading the Javascript (evil.js from the zip file) open it up in your editor and add the following to the top:



window = {};                 // an object, so the property assigned below sticks
window.location = "/";
location = {};               // a string primitive would silently drop the href set below
location.href = "http://tag58.com/cgi-bin/index.cgi?ad";

This will allow us to fake the necessary information back to SpiderMonkey as to what objects the page has and where the page is located (in this case tag58.com).


Now we want to get the Javascript prepared for reversing. Notice that this specific example uses arguments.callee, calls toString() on it and then takes the length. You will also notice that it concatenates location.href to arguments.callee.toString(). So, how do we bypass all of these different tamper-resistant techniques? Simple: we use the script that emulates the IE version of arguments.callee.toString(). Copy and paste the entire function, from the first 'f' to the last '}', into a new document. Then, without adding any spaces, copy the http://...ad from above immediately after it, save and exit (step2.js from the zip file). Finally, run the script on the file you just created and note the output (which output is used depends on where in the script you want to inject it).


Now look for the part in the script that says TngP47fdn = TngP47fdn.toUpperCase(); and change that to TngP47fdn = "<output>"; where <output> is the last bit of the script's output under [toUpperCase()]: (step2-function.js). This produces the file step3.js. This next part is the cool part. You can go through the trouble of patching SpiderMonkey to print out all calls to eval(), or, since you've subverted the tamper-resistant technique, you can change them all to document.write(). *TaDa*. To do this, change the portion in the code from wegif4kx2(nmyWKuRI4) to document.write(nmyWKuRI4), and you'll notice all of the goodness being spewed forth when you run <path>/js -f <path>/mystubs.js -f step4.js -f <path>/mypost.js. As a side note, you can now put random code into step4.js if you want to further debug it and figure out how exactly the de-obfuscation routine works, because by patching in the expected results the script doesn't know any better.


Simply wash, rinse and repeat until you get the meaty-goodness. I've tried this on quite a few of the samples I was able to get a hold of, and it has worked, but if you try it and it doesn't work let me know.
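
The stubs-plus-document.write approach above, worked through in Node as an added example (this is not the post's code, its mystubs.js, or the IE arguments.callee script it links): a constructed, harmless sample keys its decoder on its own source text plus location.href exactly as described, and the harness captures the decoded layer instead of executing it. The URL, function names and payload are all made up here.

```javascript
// Minimal stand-in for mystubs.js: fake browser objects, with document.write
// logging what it receives instead of rendering it. location.href is assumed.
const captured = [];
const window = { location: "/" };
const location = { href: "http://example.invalid/cgi-bin/index.cgi?ad" };
const document = { write: (s) => captured.push(s) };

// Constructed sample (harmless): like the post's TngP47fdn step, it keys its
// decoder on its own source text plus the page URL, uppercased. Any change to
// the function body, or a decompiled toString(), changes the key.
function dropper(payload) {
  var self;
  try { self = arguments.callee; } catch (e) { self = dropper; } // callee is forbidden in strict mode
  var key = (self.toString() + location.href).toUpperCase();
  var out = "";
  for (var i = 0; i < payload.length; i++) {
    out += String.fromCharCode(payload.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  document.write(out); // was eval(out): the one-line swap that exposes the next layer
}

// Analyst helpers: rebuild the key exactly as the sample does, so a payload can
// be decoded (or a test payload encoded) offline without executing anything.
function deriveKey(source, href) {
  return (source + href).toUpperCase();
}
function xorWithKey(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Run the sample under the stubs and return every layer document.write saw.
function analyze(payload) {
  captured.length = 0;
  dropper(payload);
  return captured.slice();
}

// Why the post needs an IE-faithful toString(): a reformatted copy of the source
// (here, whitespace collapsed, as a decompiling engine would do) gives a wrong key.
function decodeWithReformattedSource(payload) {
  const reformatted = dropper.toString().replace(/\s+/g, " ");
  return xorWithKey(payload, deriveKey(reformatted, location.href));
}
```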

Thursday, July 17, 2008

i hate you asprox


ok, 4 separate client incidents today and counting. you are lucky that you are easy to IPS. some of the sites compromised seem to be pretty prominent.