Archive for August, 2008

[VIRUS] RE: Statement of fees 2008/09

From: Reid Zapata [mailto:tequilla65@hotmail.com]
Sent: Friday, 29 August 2008 7:43 AM
To: user@host
Subject: Statement of fees 2008/09

Please find attached a statement of fees as requested, this will be posted today.

The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Reid

WARNING!:
Just in case anyone thinks this is a valid email: the attachment contains a zipped copy of a new Trojan (Win32/Emold.gen).

The attachment: Fees-2008_2009.zip
Contains the file: Fees-2008_2009.doc.exe

Only 10 of 36 (27.78%) anti-virus products currently detect this as a threat using virustotal, with the same result at virscan. Unfortunately McAfee VirusScan DAT-5372 is one of the products that doesn’t identify the threat.

UPDATE:
Now that I’ve been presented with an infected machine via this attachment I can tell you it is a variant of Braviax (braviax/cru629/beep.sys)

I’ll let you know about the clean up process when I get there

Note 1:
In %SystemRoot%\System32\
braviax.exe
buritos.exe
karina.dat {appears to be a DLL}
winivstr.exe {FakeAlert-XPSecCener [Trojan]}
wpa.dbl

In %SystemRoot%\System32\dllcache\
beep.sys
figaro.sys

Note 2:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Appinit_dlls --> karina.dat

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
braviax.exe
buritos.exe

Note 3:
delself.bat

@echo off
:try
del "C:\WINDOWS\TEMP\rld63.tmp"
if exist "C:\WINDOWS\TEMP\rld63.tmp" goto try
del delself.bat

Note 4:
This version of Braviax will infect removable drives with autoexec.inf and system.exe, the latter being a self-replicating copy of the Braviax infection.

Note 5:
Removes the DESKTOP and SCREEN SAVER tabs from the Display Properties.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 1
Restore by changing each registry value from 1 to 0.

Note 6:
Disables McAfee VirusScan and possibly the Windows XP firewall

Note 7:
In %SystemRoot%\System32\ you may also see a variant of the following:
blphcgamj0ev6j.scr
phcgamj0ev6j.bmp
lphcgam0ev6j.exe

A quick search using regedit finds these hooked in as wallpaper and screensaver:

HKCU\Control Panel\Desktop\
Converted Wallpaper = %SystemRoot%\System32\phcgamj0ev6j.bmp
Original Wallpaper = %SystemRoot%\System32\phcgamj0ev6j.bmp
Wallpaper = %SystemRoot%\System32\phcgamj0ev6j.bmp
ScreenSaver = %SystemRoot%\System32\blphcgamj0ev6j.scr

CLEAN UP:

1. Unplug the machine from the network; this infection will continue to communicate and download other crud if it is left on the network.

2. Restart in safe mode.

3. Using the search function in Explorer (or another tool if available), with the advanced options to search system folders, hidden files and folders, and subfolders enabled, delete all occurrences of the following:
braviax.exe
buritos.exe
karina.dat
winivstr.exe
wpa.dbl
beep.sys
figaro.*

4. Using regedit, search for and remove keys that point at:

braviax.exe
buritos.exe
karina.dat
winivstr.exe
wpa.dbl
beep.sys
figaro.*

5. Using regedit, browse to HKCU\Control Panel\Desktop\ and check the values for
Converted Wallpaper =
Original Wallpaper =
Wallpaper =
ScreenSaver =

If these are filled with values similar to those in Note 7 (above), remove the values.

6. Clear the directory %SystemRoot%\Prefetch.

7. At this point you should be able to reactivate your firewall; make sure the settings haven’t been altered.

8. Re-install your anti-virus product if it was disabled. Install any patches and the latest definitions (download these and bring them across to the infected machine on a burnt CD). Configure your antivirus to delete autoexec.inf and system.exe; this will avoid your recovery tools being infected.

9. Restore access to the screen saver and wallpaper tabs by changing the following registry values from 1 to 0:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 1

10. At this stage things become a lot more complex, as you need to determine what other rogue applications are running on the box, and this will depend on how long the machine was on the network after it was infected. In most cases it is better to get the user’s data off at this stage and re-image the machine.
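As an added example (not part of the original post), here is a Python triage script that applies the checks from Notes 1, 2, 5 and 7 and clean-up steps 3, 4, 5 and 9 to a registry export and a directory listing taken from the suspect machine. The registry text and file list below are constructed stand-ins for `reg export` output and a `dir /s` listing; the wildcard pattern for the Note 7 file names is my assumption, generalising from the three names shown above.

```python
import re

# Note 1 / step 3 file names. The last pattern is an assumption that generalises
# the three random-looking Note 7 names (blphc*.scr, phc*.bmp, lphc*.exe).
SUSPECT_FILE_PATTERNS = [
    r"^braviax\.exe$", r"^buritos\.exe$", r"^karina\.dat$", r"^winivstr\.exe$",
    r"^wpa\.dbl$", r"^beep\.sys$", r"^figaro\..+$",
    r"^b?l?phc[a-z0-9]+\.(scr|bmp|exe)$",
]
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = ("NoDispBackgroundPage", "NoDispScrSavPage")
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
DESKTOP_VALUES = ("Converted Wallpaper", "Original Wallpaper", "Wallpaper", "ScreenSaver")

# "name"="string" (regedit doubles backslashes) or "name"=dword:xxxxxxxx
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse a regedit export into {key: {value_name: data}} (strings and dwords only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, string, dword = m.groups()
            keys[current][name] = int(dword, 16) if string is None else string.replace("\\\\", "\\")
    return keys

def is_suspect_name(path):
    """True if the file-name part of `path` matches one of the indicators."""
    name = str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(re.match(pat, name) for pat in SUSPECT_FILE_PATTERNS)

def find_suspect_files(paths):
    """Step 3: the entries of a file-system listing that match an indicator."""
    return [p for p in paths if is_suspect_name(p)]

def find_registry_indicators(keys):
    """Steps 4, 5 and 9: (key, value_name, data) triples matching Notes 2, 5 and 7."""
    by_lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    findings = []
    for key in RUN_KEYS:                                 # Note 2: Run entries
        for name, data in by_lower.get(key.lower(), {}).items():
            if is_suspect_name(data):
                findings.append((key, name, data))
    for name, data in by_lower.get(APPINIT_KEY.lower(), {}).items():  # Note 2: AppInit_DLLs
        if name.lower() == "appinit_dlls" and is_suspect_name(data):
            findings.append((APPINIT_KEY, name, data))
    for name, data in by_lower.get(POLICY_KEY.lower(), {}).items():   # Note 5: hidden tabs
        if name in POLICY_VALUES and data == 1:
            findings.append((POLICY_KEY, name, data))
    for name, data in by_lower.get(DESKTOP_KEY.lower(), {}).items():  # Note 7: wallpaper hooks
        if name in DESKTOP_VALUES and is_suspect_name(data):
            findings.append((DESKTOP_KEY, name, data))
    return findings

def restore_display_policy_reg():
    """Step 9 as an importable .reg fragment: both policy values back to 0."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % POLICY_KEY]
    lines += ['"%s"=dword:00000000' % name for name in POLICY_VALUES]
    return "\n".join(lines) + "\n"

# Constructed sample input: what a registry export and a directory listing of an
# infected box might contain, built from the names in the notes above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="karina.dat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"braviax"="C:\\WINDOWS\\system32\\braviax.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\System32\\phcgamj0ev6j.bmp"
"ScreenSaver"="C:\\WINDOWS\\System32\\blphcgamj0ev6j.scr"
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\braviax.exe", r"C:\WINDOWS\system32\karina.dat",
    r"C:\WINDOWS\system32\dllcache\figaro.sys", r"C:\WINDOWS\system32\lphcgam0ev6j.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for path in find_suspect_files(SAMPLE_FILES):
        print("file    :", path)
    for key, name, data in find_registry_indicators(parse_reg_export(SAMPLE_REG)):
        print("registry: %s\\%s = %r" % (key, name, data))
    print(restore_display_policy_reg())
```

Run it against a real export (`reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` from the safe-mode boot) and a `dir /s /a` listing of %SystemRoot%; anything it reports is a candidate for steps 3 to 5, and the generated fragment can be imported with regedit for step 9 once the rest is clean.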

[1] Statement of Fees Malspam Campaign (AV XP 2008) (2008-Aug-28) [pandasecurityus]
[2] Statement of Fees (2008-Aug-23) [Sophos]

Build yourself a bootable Ghost USB key II

Back in the original post Build yourself a bootable Ghost USB key, I outlined how to build a USB Boot key using an existing skeleton file that contained an existing set of drivers.

This generated some interest in how to add extra drivers to this existing skeleton file:

@Agur 2008-Aug-09
Going forward, what tutorial can you point me to in order to add new NDIS drivers to the bootable USB key?

@Ron 2008-Aug-29
How would I add more NIC drivers to the existing bootkey.zip?
I have several different Dell & IBM computers.

For this example we’ll add a Toshiba Tecra A3, as I have one of these sitting under my desk ;) The Tecra A3 has a Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller, so our first trick is to obtain the DOS NDIS driver from Marvell (yuknd_v9.53.2.3.zip).

USB KEY DIRECTORY STRUCTURE
To start off, let’s look at the directory structure of the boot key.
In the root directory we store the common driver sets (SCSI, CD, Mouse).
There is a GHOST directory which contains a copy of our Ghost.exe.
The other folders (b57, E1000, E100B) hold the files specific to each network card.

DRIVE:
├───b57
├───E1000
├───E100B
└───GHOST

Extracting yuknd_v9.53.2.3.zip we can see that the NDIS driver is yuknd.dos. To make life easier we’ll create a folder, yuknd, to house the driver, and we’ll refer to this driver set as yuknd within all of the files and menus. All of the content from yuknd_v9.53.2.3.zip can then go into the /yuknd/ folder; this will include a copy of protocol.ini.

NOTE: You will also need to copy into this directory, from one of the other network card folders, a copy of NETBIND.COM, PROTMAN.EXE, protman.dos and dis_pkt.dos.


DRIVE:
├───b57
├───E1000
├───E100B
├───GHOST
└───yuknd

CONFIG.SYS
The config.sys file in the root directory of the thumbdrive contains our boot menu that allows us to choose which driver set we are using. We need to add our new card to the menu.

===begin config.sys===

[menu]
menuitem=CDROM, Access to Internal CDROM, DVDROM
menuitem=Extcdrom, Access to USB CDROM, DVDROM (Sony, Pioneer)
menuitem=Broadcom, NIC EVO530 and DC7600,GX280 and 620, NC8000 - DHCP
menuitem=Intelpro, NIC EVO500,510 - DHCP
menuitem=e1000, NIC HP dc7700 - DHCP
menuitem=yuknd, NIC Toshiba Tecra A3 - DHCP
 
[CDROM]
 
[Extcdrom]
device=USBASPI.SYS /v /w /e
 
[Broadcom]
DEVICE=\B57\protman.dos /I:\B57
DEVICE=\B57\dis_pkt.dos
DEVICE=\B57\B57.dos
 
[Intelpro]
DEVICE=\E100B\protman.dos /I:\E100B
DEVICE=\E100B\dis_pkt.dos
DEVICE=\E100B\E100B.dos
 
[e1000]
DEVICE=\E1000\protman.dos /I:\E1000
DEVICE=\E1000\dis_pkt.dos
DEVICE=\E1000\e1000.dos
 
[yuknd]
DEVICE=\yuknd\protman.dos /I:\yuknd
DEVICE=\yuknd\dis_pkt.dos
DEVICE=\yuknd\yuknd.dos

 
[COMMON]
DEVICE = oakcdrom.sys /D:cd1
DEVICE = btdosm.sys
DEVICE = flashpt.sys
DEVICE = btcdrom.sys /D:cd2
DEVICE = aspi2dos.sys
DEVICE = aspi8dos.sys
DEVICE = aspi4dos.sys
DEVICE = aspi8u2.sys
DEVICE = inicd.sys /D:cd3
LASTDRIVE = Z

===end config.sys===

AUTOEXEC.BAT
In autoexec.bat we also add a handler for the new menu item:

===begin autoexec.bat===

@echo off
SET TZ=GHO-10:00
MOUSE.COM
CLS
LH \MSCDEX.EXE /D:cd1 /D:cd2 /D:cd3
echo Loading...
if %config% == CDROM goto GHOST
if %config% == Extcdrom goto GHOST
if %config% == Intelpro goto Intelpro
if %config% == Broadcom goto Broadcom
if %config% == e1000 goto e1000
if %config% == yuknd goto yuknd
 
goto FAILED
 
:Intelpro
\E100B\netbind.com
goto GHOST
 
:Broadcom
\B57\netbind.com
goto GHOST
 
:e1000
\E1000\netbind.com
goto GHOST
 
:yuknd
\yuknd\netbind.com
goto GHOST

 
:GHOST
cd \ghost
echo Loading...
GHOST.EXE
goto END
 
:FAILED
echo Unknown boot menu selection
goto END
 
:END

===end autoexec.bat===

And you now have an additional network card option on your bootable Ghost USB key :)
PS: The Tecra A3 was a bad example in the long run as the boot from the USB key is not fully supported in the BIOS.
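The three places that have to agree when a driver set is added (the menuitem and its [section] in config.sys, the `if %config% == … goto` line and its label in autoexec.bat, and the files in the driver folder) are easy to get out of step, and the only symptom on the key is "Unknown boot menu selection" or a driver that silently fails to load. As an added example that is not part of the original post, this Python script checks that wiring before the key is burnt. The config.sys and autoexec.bat text and the file list are constructed cut-down copies of the files above, with a hypothetical `newnic` entry that is deliberately left half-finished.

```python
import re

def _norm(path):
    """Lower-case, backslash-separated, no leading slash, so listings and config lines compare."""
    return path.lower().replace("/", "\\").lstrip("\\")

def parse_config_sys(text):
    """Return (menu_items, sections): sections maps a lower-cased [name] to its DEVICE= paths."""
    menu, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current == "menu":
            m = re.match(r"^menuitem\s*=\s*([^,]+)", line, re.I)
            if m:
                menu.append(m.group(1).strip())
        elif current is not None:
            m = re.match(r"^device\s*=\s*(\S+)", line, re.I)
            if m:
                sections[current].append(m.group(1))
    return menu, sections

def parse_autoexec(text):
    """Return (gotos, labels, programs): %config% value -> label, the labels defined,
    and the rooted programs (lines starting with a backslash) run under each label."""
    gotos, labels, programs, current = {}, set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^if\s+%config%\s*==\s*(\S+)\s+goto\s+(\S+)", line, re.I)
        if m:
            gotos[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith(":"):
            current = line[1:].strip().lower()
            labels.add(current)
            programs[current] = []
        elif current is not None and line.startswith("\\"):
            programs[current].append(line.split()[0])
    return gotos, labels, programs

def check_boot_key(config_sys, autoexec, files_present):
    """Return problem strings for menu items that are not fully wired up; [] means all good."""
    present = {_norm(f) for f in files_present}
    menu, sections = parse_config_sys(config_sys)
    gotos, labels, programs = parse_autoexec(autoexec)
    problems = []
    for item in menu:
        key = item.lower()
        if key not in sections:
            problems.append("%s: no [%s] section in config.sys" % (item, item))
        for dev in sections.get(key, []):
            if _norm(dev) not in present:
                problems.append("%s: DEVICE file %s missing from the key" % (item, dev))
        if key not in gotos:
            problems.append("%s: no 'if %%config%% == %s goto' line in autoexec.bat" % (item, item))
        elif gotos[key] not in labels:
            problems.append("%s: label :%s missing in autoexec.bat" % (item, gotos[key]))
        else:
            for prog in programs[gotos[key]]:
                if _norm(prog) not in present:
                    problems.append("%s: %s run under :%s is missing from the key" % (item, prog, gotos[key]))
    return problems

# Constructed inputs: cut-down copies of the post's files plus a hypothetical
# "newnic" driver set that has a config.sys section but no autoexec.bat handler
# and is missing dis_pkt.dos from its folder.
SAMPLE_CONFIG_SYS = r"""[menu]
menuitem=CDROM, Access to Internal CDROM, DVDROM
menuitem=yuknd, NIC Toshiba Tecra A3 - DHCP
menuitem=newnic, NIC hypothetical card - DHCP

[CDROM]

[yuknd]
DEVICE=\yuknd\protman.dos /I:\yuknd
DEVICE=\yuknd\dis_pkt.dos
DEVICE=\yuknd\yuknd.dos

[newnic]
DEVICE=\newnic\protman.dos /I:\newnic
DEVICE=\newnic\dis_pkt.dos
DEVICE=\newnic\newnic.dos

[COMMON]
DEVICE = oakcdrom.sys /D:cd1
LASTDRIVE = Z
"""
SAMPLE_AUTOEXEC = r"""@echo off
if %config% == CDROM goto GHOST
if %config% == yuknd goto yuknd
goto FAILED

:yuknd
\yuknd\netbind.com
goto GHOST

:GHOST
cd \ghost
GHOST.EXE
goto END

:FAILED
echo Unknown boot menu selection
goto END

:END
"""
SAMPLE_FILES = [
    r"\yuknd\protman.dos", r"\yuknd\dis_pkt.dos", r"\yuknd\yuknd.dos",
    r"\yuknd\netbind.com", r"\yuknd\protocol.ini",
    r"\newnic\protman.dos", r"\newnic\newnic.dos",
    r"\GHOST\GHOST.EXE", "oakcdrom.sys",
]

if __name__ == "__main__":
    for problem in check_boot_key(SAMPLE_CONFIG_SYS, SAMPLE_AUTOEXEC, SAMPLE_FILES):
        print(problem)
```

On a real key the three inputs would be the two files read from the root of the drive and a recursive listing of it; the COMMON section is not checked because it is not a menu choice, and the check stops at the handler's own commands, so PROTMAN.EXE and protocol.ini (loaded by protman.dos at run time) still have to be eyeballed.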

I’d use zombies …

FAIRFAX Media will use strike-breakers to publish its flagship newspapers The Sydney Morning Herald, The Age and The Australian Financial Review in a high-stakes battle with staff after journalists yesterday walked out until Monday in protest at 550 planned job cuts.
A group of specially trained staff was put into action on Fairfax papers last night to ensure production could proceed.

While Fairfax can produce the SMH, The Age and the AFR with skeleton staffs of non-union labour, a union picket outside printing presses could compound difficulties if production staff refused to cross the line.

Fairfax strike-breakers take over as staff walk out (2008-Aug-29) [The Australian]

I’d use zombies as they have toughness whereas skeletons gain improved initiative, and you wouldn’t want that.



Zombie Letters from e-zombie.com

Ctrl+C {Reuters} Ctrl+V
Ctrl+C {the wires} Ctrl+V
Ctrl+C {AP} Ctrl+V

banning cartwheels

Proving stupidity is alive and well in risk assessment, the Belgian Gardens State School in Townsville (North Queensland) has banned all gymnastics activities during breaks, claiming it is protecting students from injury. Parents say students have been threatened with suspension if they are caught doing unsupervised playground acrobatics.

I wonder if they have already removed all of their playground equipment as this would surely lead to injuries?

Perhaps Glenn Dickson, the Belgian Gardens State School principal, should watch Gever Tulley’s 5 dangerous things you should let your kids do and have a good hard look at himself.

“It was just one principal’s decision and there’s no state-wide directive that cartwheels are banned in all Queensland schools or anything like that.”
– Rod Welford, QLD Education Minister

How about a state-wide directive for intelligent risk management processes?

[1] What a flippin’ joke – Townsville school becomes cartwheel cops (2008-Aug-26) [Townsville Bulletin]
[2] Minister calls for backflip in Townsville cartwheel saga (2008-Aug-27) [Townsville Bulletin]
[3] Remember ‘go outside and play?’ (2008-May-15) [Los Angeles Times]

testing times

testing times
testing times
(we have a *few* leads about the place)

This week’s links (2008-08-26)

via net@night 63
The Guild
The Guild is an award-winning online sitcom about the lives of an online guild “The Knights of Good”, with each webisode 3-6 minutes long. http://www.watchtheguild.com/

I tried to care, but you would not shut up.
sympathy vs whinning (2008-Aug-19) [indexed]

‘100 Things’ co-author Dave Freeman dies in LA
Defining ironic: LOS ANGELES (AP) — Dave Freeman, co-author of “100 Things to Do Before You Die,” a travel guide and ode to odd adventures that inspired readers and imitators, died after hitting his head in a fall at his home. He was 47.
- ‘100 Things’ co-author Dave Freeman dies in LA (2008-Aug-27) [AP]
Freeman’s relatives said he visited about half the places on his list before he died, and either he or Teplica had been to nearly all of them.
- ‘100 Things to do before you die’ author dies (2008-Aug-27) [The Age]
The book is available via Amazon 100 Things to Do Before You Die: Travel Events You Just Can’t Miss [Amazon]

Firefox 2.x users to be pushed 3.01 Update

Fx 2->3 Major Update / Fx 2.0.0.17 / Fx 3.0.2 [1]
Refocusing efforts on delivering a Firefox 2->3 major update within the next week. This will be from Firefox 2.0.0.16 to 3.0.1. We’re tracking some issues that might block the release but otherwise are looking good.

Mozilla will push out an update to all Firefox 2 users that will prompt them to update to version 3.0.1.

… Those continuing to live in blissful ignorance of Firefox 3 will soon be getting an upgrade notification — Mozilla plans to issue automatic upgrade notices to Firefox 2 users, perhaps as soon as next week.
The message will prompt you to install Firefox 3, but of course, if really don’t want to, you can always ignore the notice. …
[2]

This may have negative effects for some users, as there are reports of bookmarks and RSS feeds being damaged in the upgrade process. There is also the issue of extensions that still work in 2.16 being unavailable for v3.x.

Firefox 2.0.0.17/3.0.2 is scheduled for final release on September 11 [1], so there is still at least one more upgrade available in the 2.x series. That said, we are looking at an end of support in mid-December:

Note: Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are encouraged to upgrade to Firefox 3. – [Mozilla]

This allows a quarter to complete testing for any key systems/admin systems that have not yet been approved for support with Firefox 3.x.

[1] Fx 2->3 Major Update / Fx 2.0.0.17 / Fx 3.0.2 (2008-Aug-18) [Mozilla Wiki]
[2] Mozilla getting ready to push Firefox 3.0.1 on 2.0 users (2008-Aug-20) [ZDnet]
[3] Mozilla to Push Firefox 3 With Upgrade Notices (2008-Aug-21) [webmonkey]
[4] Mozilla preparing to push Firefox 3 update on all Firefox 2 users (2008-Aug-20) [DownloadSquad]

Skype (Mac) – how not to be a supernode, still no solution

We are in the same boat. We have allowed Skype for Windows on our University network but are under a lot of pressure to allow Macs to use Skype as well. The lack of a roadmap from Skype doesn’t do their reputation a lot of good and leaves us looking a bit daft. I think that Skype should come clean about their intentions if they are to be taken seriously as a business tool.
- Budge (2008-Feb-17)

When will we have the ability to disable skype supernode functionality. It prevents the use of the linux and Mac clients at many universities. Is there an ETA on that?
- gandalf.come (2008-Mar-26)

We had our solution for Windows over twelve months ago but are still waiting on a viable solution for our Mac clients. In the Skype Universities section they give methods to prevent Skype from becoming a supernode, but these are still mainly applicable to Skype for Windows, and with Skype for Mac OS X being stuck at version 2.7 the future looks none too bright for a 3.x release any time soon.

There are further complications with reports that the Mac and Linux clients do not become supernodes, although I have not seen definitive proof of this ‘fact’.

… but those that have reverse engineered the protocol suggest that the only platform that has supernode capabilities today is Windows (not even Mac or Linux Skype nodes ever become supernodes).
- MrBlog

The approach taken by CERN is interesting in that they restrict the use of Skype to port 50123 to allow for better network traffic monitoring. I am not sure that this solution is viable in our environment, but it is worth consideration. Fermilab, by contrast, uses procedures based on firewall settings.

I think this one is another untested rumour: unchecking “use ports 80 and 443” will disable supernode mode. There may be some truth in this given the details regarding configuring firewalls for using Skype.

I can’t connect to Skype from work or due to a restrictive firewall. Which ports need to be opened in order to use Skype?
If you aren’t familiar with firewalls or ports, it may be a good idea to ask a system administrator or tech-savvy friend to help you. The minimum requirement is that Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to ports 80 and 443 (the former is better, however). If you don’t allow either of those, Skype will not work reliably at all. Voice quality and some other aspects of Skype functionality will be greatly improved if you also open up outgoing UDP traffic to all ports above 1024, and allow UDP replies to come back in. … – Skype Knowledgebase

… looks like we’re still waiting :(

This week’s links (2008-08-18)

Google Insights for Search

The internet is often portrayed as a dark and dangerous tool, flooded with porn and predators, but according to Google’s new search analysis tool, most web surfers are looking for a more innocent form of entertainment.
- Porn pipped to the post as Google’s most popular (2008-Aug-21) [LIVENEWS.com.au]

With Google Insights for Search, you can compare search volume patterns across specific regions, categories, and time frames.

Airships Over London
In the Summer of 2008 Stella Artois: Star Over London takes to the skies,
offering over 1500 intrepid passengers the experience of a lifetime. … On boarding the airship you will be amongst a very limited number of pioneering guests to take this unprecedented airborne journey over London’s iconic landmarks.

PirateBay Beijing Bay

“We were going to ignore the Olympics, but now we’re loading our cannons. Our weapons of mass distribution are pointed towards China.” The first action The Pirate Bay took is creating a new logo for the site, and renaming it to The Beijing Bay. In true Pirate Bay style the front page logo now links to the tag “give us the gold,” Peter said.
- TorrentFreak

Rubberband Guns and Accessories
So, why do my kids need this stuff?
Seriously, get some toys, go outside and play. It’s good for you. Spend some quality time with your kids, your buddies or just get away from the TV and computer long enough for a good dose of sunshine.

Backyard Artillery


Prove You’re Human [diesel sweeties]

interactive whiteboard pedagogy

BECTA ICT (2003), What the research says about interactive whiteboards (PDF)

Becta ICT (2005), Interactive whiteboards in primary schools pilot study (PDF)

Beeland, WB (April 2003), Student engagement, visual learning and technology: Can interactive whiteboards help? (PDF)

Cuthell, John P (2003), Interactive Whiteboards: new tools, new pedagogies, new learning? Some views from practitioners.

From replacement to transformation with interactive whiteboards. (DOC)

Glover, D and Miller, D (2001) Missioners, Tentatives and Luddites: leadership challenges for school and classroom posed by the introduction of interactive whiteboards into schools in the United Kingdom. (PDF)

Kennewell, S. (2006), Reflections on the interactive whiteboard phenomenon: a synthesis of research from the UK. (PDF)

Kent, P (2006), SMARTBoards: Interactive whiteboards in the classroom. (PDF).

Kent, P (200?), ‘E-teaching’ with Interactive Whiteboards. (PDF)

Lee, M, Boyle, M (2003), The educational effects and implications of the interactive whiteboard strategy at Richardson Primary school. (PDF)

Measday, B (2005), So you’ve got an interactive whiteboard! Now what?

Miller, D, Glover D, Averis, D (2005), Presentation and pedagogy: the effective use of interactive whiteboards in mathematics lessons. (PDF), in D Hewitt and A Noyes (eds), Proceedings of the sixth British Congress of Mathematics Education http://www.bsrlm.org.uk

Moss, G., Jewitt, C., Levačić, R., Armstrong, V., Cardini, A. and Castle, F. (2007) The Interactive Whiteboards, Pedagogy and Pupil Performance Evaluation: An Evaluation of the Schools Whiteboard Expansion (SWE) Project: London Challenge. (PDF)

Schuck, S. and Kearney, M. (April 2007), Exploring Pedagogy with Interactive Whiteboards (PDF)

Smerdon, K, Carroll, G, Holmes, K, Lally, B (2005), Improved learning outcomes for Anangu Students from the use of ActivBoards.

University of Hull (2004), What are the advantages of using an interactive whiteboard for teaching secondary modern languages?

White, K. (April 2007), Interactive Whiteboard Trial, South Western Sydney Region: A report (PDF)
