OK, and so I went to this one site http://www.lomalka.org/ and was just looking for some new stuff to play with. I clicked on http://windows.2003.and.windows.xp.sp.2.anti.product.activation.crack.v1.2.fixed.cracks.lomalka.org/CRACKS/W/I/Windows_2003_and_Windows_XP_SP_2_Anti_Product_Activation_Crack_v1.2_Fixed.en.html
and lo and behold my little antivir goes off. wtf?
I am looking for a standard file virus, you remember the type that propagates itself by infecting other files and so on.
Now for the hard part, I have some requirements:
1. It must NOT crash or corrupt the system, like prevent it from rebooting, I do not want to reinstall each time I run it.
2. It must NOT require a network connection, the testing environment will be totally isolated from networks.
3. It must NOT crash any debugger tools.
4. It must NOT lock files while running.
5. It must NOT alter any ACLs on NTFS partitions (Did any virus even bother to do this?)
With the release of the first unauthenticated remote executable exploit in a couple of years, many in the press have taken to predicting that a new worm is on the horizon. No doubt the AV companies are all prepared to disassemble, analyze, and most importantly name the new worm.
There are some things that will limit the effects of this worm. First, under XP Service Pack 2 it is widely thought that the only effect will be a denial of service attack. Where the real threat occurs is under previous service packs and older versions of Windows. Microsoft is probably the only one to comment on the percentage of Windows 2000/XP SP1 vs. XP SP2 machines available. Given my impression of organizations we have dealt with, the SP2 install set has been widely adopted.
Given all these issues, it's probably not worth getting too riled up about. Some events that should get your attention are if a reliable XP SP2 exploit payload is released, or there are a lot of non-SP2 systems on your network. If the latter is the case, it's probably time to get with the program and upgrade. Don't bank on a reliable exploit not being released. Many smart people are thinking very hard about how to make this happen.
So I was sitting in Hoglund and Butler's Advanced Rootkits class playing with instdrv and injecting processes via device drivers, when I had an idea.
I know where Rustock puts its rootkit driver from the partial unpacked disassembly I was able to do, but I can't get at it because it's in an ADS which is hidden by the rootkit itself. But here I am playing with instdrv which lets you load and unload drivers by path.
So I told it to unload pe386.sys and then I ran lads.exe to see if I could find the ADS now. Indeed it was there. From there it was a matter of doing cat.exe c:\windows\system32\:pe386.sys > c:\owned.sys to extract the driver! However this driver is protected somehow so on to the next step :)
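An added defender-side example, not from the post and not part of instdrv, lads.exe or cat.exe, that does the lads.exe step in PowerShell: it enumerates non-default alternate data streams under a directory (the directory itself included, since the driver above sits on system32 rather than on a file in it), exports each stream to an analysis folder and records its SHA-256. $Root and $OutDir are assumed parameters, and the enumeration is only trustworthy once the rootkit driver is unloaded or the volume is examined offline, because a live filter driver can still hide the stream from it.

```powershell
# Added example: enumerate and export NTFS alternate data streams (ADS).
# Assumes an elevated session and a directory the rootkit is no longer filtering.
param(
    [string]$Root   = 'C:\Windows\System32',   # assumed starting directory
    [string]$OutDir = 'C:\ads_export'          # assumed analysis folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$sha256 = [System.Security.Cryptography.SHA256]::Create()

# Include the root directory itself: directory streams are where the post's
# driver was hidden. (Stream support on directories varies by PowerShell version.)
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    # ':$DATA' is the ordinary unnamed stream; anything else is an ADS.
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        $hash = '(read failed)'
        try {
            # Read raw bytes; the parameter differs between Windows PowerShell 5.1 and PowerShell 7.
            if ($PSVersionTable.PSVersion.Major -ge 6) {
                $bytes = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -AsByteStream -Raw
            } else {
                $bytes = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Encoding Byte -ReadCount 0
            }
            if (-not $bytes) { $bytes = [byte[]]@() }
            $hash = ($sha256.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            # Export a copy for offline analysis; the file name encodes where it came from.
            $safe = ($item.FullName + '_' + $s.Stream) -replace '[\\:\*\?"<>\|]', '_'
            [System.IO.File]::WriteAllBytes((Join-Path $OutDir $safe), [byte[]]$bytes)
        } catch {
            Write-Warning "Could not read $($item.FullName):$($s.Stream): $_"
        }
        # One record per stream, so the output can be piped to Export-Csv for the case file.
        [PSCustomObject]@{
            Path   = $item.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
            SHA256 = $hash
        }
    }
}
```

Zone.Identifier streams on downloaded files will show up too; they are benign and easy to filter on the Stream column.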
I am looking for Troj/Riler-S - the PowerPoint 0-day exploit.
Uploaded: A file called 'Windows Picture And Fax Viewer.pif', which was sent in a link via AIM. All I know about it is that it's not packed with UPX.
I'm totally a newb to this sort of thing.
MD5(Windows Picture and Fax Viewer.pif)= e57d647eed5a6ff815cd472fee90b1ba
SHA1(Windows Picture and Fax Viewer.pif)= a1a9c7ae90f9a285223faa26e033755615a2ab57
SHA256(Windows Picture and Fax Viewer.pif)= fcbb213c123ad91942018b91576b17e6a60affcdc3e826152f021a7c13cecffc
CNet is running a story on the new Rustock/Mailbot.AZ malware making the rounds. The hiding methods used by Rustock are certainly a threat, but hardly anything new. If anything this is a good example of a piece of malware that amalgamates the different methods together.
Is anyone actually surprised this happened? Is Greg Hoglund going to pop a vein when he sees CNet headlining Rootkits == Malware?
Rustock is pretty interesting and challenging. I had to hide from IsDebuggerPresent() to get anything out of it. Below you can see where it is generating the file name for the .sys driver which holds the rootkit capabilities.
.text:00410530 push offset aWin23PeFilesLo ; "Win23 PE files loader"
.text:00410535 push offset aPe386 ; "pe386"
.text:0041053A push edi
.text:0041053B call ds:dword_40FA80
This looks interesting here:
.text:004105A9 push offset aCmd_exeCDel ; "cmd.exe /c \"del \""
Edited by Chamuco 7/16/2006
Thanks mythx for uploading Rustock. You can search for any of these sums in our search tool.