2010-05-26

The Manifesto


+++The Mentor+++
Written January 8, 1986

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

2009-08-06

BIND 9 Dynamic Update DoS

The vulnerability described in CVE-2009-0696 is very easy to exploit, and the consequences can be disastrous.

All it takes is a single DNS UDP packet with a specially crafted Dynamic Update structure for any zone for which the target server is master, and the named process will exit.

As stated by ISC, BIND's update ACLs do not mitigate this vulnerability. Since this is UDP, source IPs can be spoofed and are nearly impossible to track down. Even DNS infrastructures designed to expose only slave servers to the Internet can be vulnerable if any of them are master for zones covering the netblocks mentioned in RFC 1912 Section 4.1 and RFC 1918 Section 3.

Anyone who wishes to audit their environment can use the following Python script. Make sure you have permission to test your targets!

Given the criticality of this vulnerability, several IDS vendors have released detection signatures. However, as of this writing the above script evades the Sourcefire and Emerging Threats signatures. Both groups will be notified with the necessary information.
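As an added example (not the audit script the post refers to, and not ISC's code), the following Python identifies dynamic UPDATE requests (RFC 2136 opcode 5) in a UDP DNS payload and flags those aimed at the RFC 1912 / RFC 1918 reverse zones the post mentions, which is the traffic a query log or IDS should alert on for a server that is master for them. The zone list and the sample messages are constructed for this example and carry no crafted records.

```python
import struct

OPCODE_UPDATE = 5   # RFC 2136 dynamic update opcode

# Reverse zones from RFC 1912 section 4.1 / RFC 1918 section 3 that a "slave only"
# Internet-facing server may still be master for (zone list assumed for this example).
LOCAL_ZONES = {"localhost", "0.in-addr.arpa", "127.in-addr.arpa", "255.in-addr.arpa",
               "10.in-addr.arpa", "168.192.in-addr.arpa"}
LOCAL_ZONES |= {"%d.172.in-addr.arpa" % n for n in range(16, 32)}

def encode_name(name: str) -> bytes:
    """Wire-format an uncompressed DNS name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode an uncompressed DNS name at off; returns (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:
            raise ValueError("compressed name in zone section")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_update(zone: str, txid: int = 0x1234) -> bytes:
    """Constructed UPDATE request: header plus a Zone section only, no records at all."""
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11, 1, 0, 0, 0)  # ZOCOUNT=1
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)  # ZTYPE=SOA, ZCLASS=IN

def inspect_dns(msg: bytes):
    """Return (opcode, zone, hits_local_zone); zone is None unless this is an UPDATE request."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, zocount = struct.unpack("!HHH", msg[:6])
    opcode = (flags >> 11) & 0xF
    if flags >> 15 or opcode != OPCODE_UPDATE or zocount != 1:   # response or not an update
        return opcode, None, False
    zone, off = decode_name(msg, 12)
    ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    if ztype != 6 or zclass != 1:                                 # malformed zone section
        return opcode, zone, False
    return opcode, zone, zone.lower() in LOCAL_ZONES

# Constructed samples: an ordinary A query and two UPDATE requests.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0xbeef, 0x0100, 1, 0, 0, 0)
                + encode_name("www.example.com") + struct.pack("!HH", 1, 1))
SAMPLE_UPDATES = [build_update("168.192.in-addr.arpa"), build_update("example.com")]
```

Feed inspect_dns() the payload of each inbound UDP/53 datagram; any UPDATE that names a zone the server is master for, and especially one of the local zones above, deserves an alert regardless of source address, since the source can be spoofed.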

2009-07-08

milw0rm is gone

This was on the site before it went down:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :(. For the past 3 months I have actually done a pretty crappy job of getting people's work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke



PS: I'm keeping their link here for historical reasons.

2009-05-29

Tornado exploit pack

Like most other exploit packs, it's written in PHP with a MySQL backend. The control panel supports configuration options for several users (attackers).

It has the ability to control incoming traffic. It can either:

- Ignore
- Redirect
- Display custom page

based on several criteria such as:

- Country of origin
- Visitor uniqueness
- Vulnerable client
- Not vulnerable client




It displays several different statistics based on:

- Victim's Country
- Originating web site (referer)
- Exploits used
- Detailed Log (IP, time, browser, exploit used, infected (yes/no), and referer)
- Overall Summary - OS and browser breakdown of traffic and exploit effectiveness


The exploit is delivered in the form of obfuscated JavaScript. The obfuscated, ASCII-encoded code and its decryption function are delivered to the client as a single long line. This content is unique on every visit, except for certain parts of the decryption routine. Upon successful exploitation, another request is made to the exploit server, to a different script, which delivers the binary to execute.



The following is a list of the exploits available to the attacker, each of which can be individually selected:


- MDAC (RDS)
- WebViewFolderIcon.SetSlice
- VML
- MS06-044
- WMF Firefox
- WMF Opera 7
- QuickTime
- WinZip
- Zenturi
- Yahoo Webcam
- Opera 9 - 9.20
- XML Core Services
- Java bytecode
- ANI



The default script for exploit delivery is "count.php", while the individual exploit modules are located in the "exploits/" directory with the naming convention "x#.php", where # is a numeric value starting with one (1).

Upon successful exploitation, another request is made to retrieve a binary for execution on the victim's computer. By default the requested script is "getexe.exe", with the following parameters:

?o= integer value identifying the attacker
&t= integer value representing the time the exploit was generated
&i= integer value representing the IP address of the victim
&e= integer value representing the exploit number used
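As an added example (not code from the pack or from the original post), the following Python pulls these loader fetches out of a web proxy log and decodes the parameters, turning the packed victim IP back into dotted form and the timestamp into UTC. The parameter order follows the post; the big-endian packing of the IP (what PHP's ip2long() produces) and the link between e and the x#.php module numbering are assumptions, and the log lines are constructed.

```python
import re
import socket
import struct
from datetime import datetime, timezone

# Constructed proxy log lines in "timestamp client method url" form (not a real capture):
# two loader fetches and one benign request.
SAMPLE_LOG = """\
2009-05-29T10:14:02Z 192.0.2.10 GET http://tornado.example/getexe.exe?o=3&t=1243592042&i=3221225994&e=7
2009-05-29T10:14:03Z 192.0.2.11 GET http://www.example.com/index.html
2009-05-29T10:15:44Z 192.0.2.12 GET http://tornado.example/getexe.exe?o=3&t=1243592144&i=167772170&e=13
"""

# Default loader name and parameter order from the post; other orders would need a looser pattern.
GETEXE_RE = re.compile(r"/getexe\.exe\?o=(\d+)&t=(\d+)&i=(\d+)&e=(\d+)(?:&|$)")

def decode_getexe(url: str):
    """Return the decoded loader parameters, or None if the URL is not a getexe.exe fetch."""
    m = GETEXE_RE.search(url)
    if not m:
        return None
    attacker, gen_time, ip_int, exploit = (int(g) for g in m.groups())
    if ip_int > 0xFFFFFFFF:
        return None                                   # cannot be a packed IPv4 address
    return {
        "attacker_id": attacker,
        "generated_at": datetime.fromtimestamp(gen_time, timezone.utc).isoformat(),
        "victim_ip": socket.inet_ntoa(struct.pack("!I", ip_int)),   # big-endian assumed
        "exploit_module": "exploits/x%d.php" % exploit,             # x#.php numbering assumed
    }

def scan_proxy_log(text: str):
    """Return (timestamp, client, decoded) for every loader fetch found in the log text."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        decoded = decode_getexe(fields[3])
        if decoded:
            hits.append((fields[0], fields[1], decoded))
    return hits
```

A decoded victim_ip that matches the proxy's client column, as in the first sample line, confirms the fetch is a post-exploitation download rather than a crawler hitting the URL.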


The following is the database schema:

CREATE TABLE `stats1` (
`ip` int(10) unsigned default NULL,
`time` int(10) unsigned default NULL,
`country` tinyint(3) unsigned default NULL,
`browser` tinyint(4) default NULL,
`version` varchar(8) default NULL,
`os` tinyint(4) default NULL,
`refdom` varchar(32) default NULL,
`status` tinyint(4) default NULL,
`loader` tinyint(4) default NULL,
`expl` tinyint(4) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=cp1251;

CREATE TABLE `users` (
`id` smallint(5) unsigned NOT NULL auto_increment,
`user` varchar(16) default NULL,
`pass` varchar(32) default NULL,
`premis` tinytext,
`options` tinytext,
`lasttime` int(10) unsigned default NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=cp1251 AUTO_INCREMENT=1;

2009-05-23

Improvements to Zeus

Zeus's development is active these days. Below is a table of release dates for each version:

2008/12/20 - 1.2.0.0
2008/12/30 - 1.2.1.0
2009/03/11 - 1.2.2.0
2009/03/28 - 1.2.3.0
2009/04/02 - 1.2.4.0




This change log entry states that during HTTP communication between the Trojan and the C&C server, the User-Agent used will be that of the system's Internet Explorer. Before, it was a constant string embedded in the binary, which could have raised suspicion or been blocked by ISPs.

2009-04-26

Zeus / Zbot / Prg / Ntos / Wsnpoem

The real name of the trojan package is Zeus. It comes with a PHP-based control panel and a Windows executable to build the trojan. The builder's job is to parse a text-based config file, encrypt it, and embed some options into the trojan. The builder can also remove the infection from the system.



The main scripts of the control panel are:

"in.php"

The script which controls authentication to the admin panel as well as all reporting and configuration options of the botnet.

"s.php"

This is the script which accepts all communication from the bot client on a compromised computer. Depending on the configured options it will either insert the data into a MySQL database, store it inside a separate directory, or both.

It's responsible for decrypting the POST data and parsing the individual stolen records. Basically, this is the main C&C script of the botnet.



Keep in mind that these filenames are not hardcoded anywhere; they are only the defaults. If a filename is changed on the server, the bot client must be updated with a new configuration file, which it periodically polls from the server. A typical configuration file will have entries similar to the ones in this screenshot.

Currently, Zeus's build tree is 1.2.x.x, which, depending on the subversion, uses either RC4 encryption or a simpler form of it. Otherwise, the record and configuration structures remain the same between different 1.2.x.x builds. Older versions, prior to 1.2.x.x, used a completely different structure and obfuscation method. They contained a unique field in the HTTP headers during C&C communication and thus were easily detected via IDS signatures from Emerging Threats (2003182, 2003183, 2007688, 2008100, 2008326).

So, what can this bot/trojan do?
It has the following abilities:

Credential stealing for FTP and POP3 on any TCP port.

Via a custom build, capture of any data.

Capture of HTTP and HTTPS traffic.

Proxy server via SOCKS 4/4a/5, even if the compromised device is behind a NAT.

Screenshot capture of the desktop.

Theft of "Protected Storage" data.



Here's an example of how the communication flow between the bot/trojan and the C&C server looks.

2009-02-28

Unique Pack



Exploits for Opera 9, Firefox, and Internet Explorer 4, 5, 6, and 7. A separate module exploits the Adobe Reader util.printf() vulnerability (CVE-2008-2992). It also includes a module to deliver binaries by social-engineering the visitor into accepting the download, similar to fake AV.

So, what's so unique about it? Nothing really. Perhaps the fact that it obfuscates the PHP code containing its exploits, which isn't difficult to remove. Also, maybe because it doesn't pass any parameters to scripts via the URL, as most other packs do. Here's a summary of some of the scripts:

"cfg/config.php"
Defines variables for the loader and exploit URLs, database credentials, and control panel credentials.

URLs are defined for the loader script ("load.php") and the Adobe PDF exploit ("pdf.php").

The filename of the binary which will be dropped ("1.exe").

Database host, name, and credentials. The default DB name is "spl".

The control panel's script name ("admcp.php"), username, and password (a double MD5 hash of the real password). The default user is "root".


"cfg/options.php"
Defines functions and text for the 404 page, functions to identify the browser, operating system, and country (based on GeoIP), and an encoding function to Unicode escapes for JavaScript (e.g. "%u9090").


"cfg/mod_vparivatel.php"
Configuration variables for the social engineering module that convinces the user to download the binary, similar to the idea used in rogue AV schemes.


"install.php" or "_install.php"
Database creation script. It connects to the database with the configured credentials and creates the necessary table.

CREATE TABLE `statistic` (
`id` int(10) NOT NULL auto_increment,
`ip` varchar(15) default NULL,
`os` varchar(30) default NULL,
`br` varchar(30) default NULL,
`country` varchar(2) default '--',
`good` int(1) NOT NULL default '0',
`mv` int(1) NOT NULL default '0',
`refer` varchar(300) NOT NULL,
`date` datetime default '2008-10-01 00:00:00',
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=cp1251 AUTO_INCREMENT=1;


"index.php"
Checks for the presence of "install.php" and executes it. If the visitor's IP was already logged, it aborts with an HTTP 200 status but shows the 404 page defined in the variable in "cfg/options.php".

Identifies the country, browser, operating system, referer, and IP address and updates the database. Includes the "sploit.php" file for exploit generation.


"sploits.php"
Checks whether the "Unique" name is defined and aborts with the 404 message from the predefined variable if it is not. Determines the browser and loads the appropriate exploit script:
"sploit/op9.php" - Opera
"sploit/ff.php" - Firefox
"sploit/ie7.php" - Internet Explorer 7
"sploit/ie.php" - Internet Explorer 4, 5, or 6.

"load.php"
Reads the executable defined in the config file and serves it to the user. Updates the database column "good" for this connection's IP address.


"pdf.php"
Contains the exploit for Adobe Reader util.printf() (CVE-2008-2992). Interestingly, the file contains an obfuscated PHP script to generate the exploit. It has some protection against people attempting to modify the code and print out the exploit: it reads itself and looks for calls to "print | sprint | echo", and aborts if any are found. This prevents people from simply modifying the "eval" statement to see the real exploit code.
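The self-check only bites if the file is executed, so an analyst can peel the obfuscation statically instead. As an added example (not the pack's code or the original post's), the Python below unwraps nested eval(gzinflate(base64_decode("..."))) layers without ever running the PHP; that layering form is an assumption, since the post only says the code is obfuscated, and the sample file is constructed here with a harmless stub in place of the exploit generator.

```python
import base64
import re
import zlib

# Constructed stand-in for the layered file: the outer layer reads itself and dies
# if it sees print/sprint/echo, then evals a gzinflate(base64_decode(...)) payload.
# The innermost layer is a harmless stub, not the pack's generator.
INNER = 'function build_pdf() { return "constructed stub, no exploit here"; }'

def wrap_layer(php_body: str) -> str:
    """Wrap PHP in the eval(gzinflate(base64_decode(...))) form assumed for this example."""
    raw_deflate = zlib.compress(php_body.encode())[2:-4]   # drop zlib header and adler32 trailer
    return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw_deflate).decode()

SAMPLE_PHP = ('<?php $me=file_get_contents(__FILE__);'
              'if(preg_match("/print|sprint|echo/i",$me)){die();}'
              + wrap_layer(wrap_layer(INNER)) + ' ?>')

LAYER_RE = re.compile(r'eval\(gzinflate\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)\);')

def unwrap(php_src: str, max_layers: int = 10):
    """Statically peel eval(gzinflate(base64_decode())) layers; returns (code, layers_removed)."""
    depth = 0
    while depth < max_layers:
        m = LAYER_RE.search(php_src)
        if not m:
            break
        # gzinflate() is raw DEFLATE, hence the -15 window bits.
        php_src = zlib.decompress(base64.b64decode(m.group(1)), -15).decode()
        depth += 1
    return php_src, depth
```

Because nothing is executed, the self-check's search for print/sprint/echo never runs; the same loop extends to other layer forms (str_rot13, strrev, gzuncompress) by adding a pattern and decoder per form.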

"vparivatel.php"
Delivers an executable file using a social engineering technique similar to rogue AV, convincing the user of a threat or some required update. Messages can be customized per browser, operating system, and country.

Checks whether the visiting IP was already given a binary using this method and aborts if so.

If the GET parameter "?a" is set, it delivers the binary; otherwise it displays a convincing message and redirects back to itself with the proper parameter.