DOs and DON’Ts for malware/virus/botnet writer/user.

May 27, 2007

( Disclaimer: I am not supportive of virus/malware programming. )
Note: I have not blogged for 3 weeks, because I have been quite busy recently. Originally, I was going to post 3 posts in one go instead of 2, but the last post, which is a paper on the structure of KeServiceDescriptorTable(Shadow) and its related structures/methods/functions, is not yet finished. I will be away for a week, so you can expect this paper around 1 to 2 weeks from now.
Regarding MzBot, as I mentioned, I am quite busy. So if you really want to add in features, I can perhaps send you the source ( for the usermode part ), or you can mod the EXE like how you mod Maple.

Although I have left the world of writing everything that’s evil and nasty, just recently I came across many poorly written viruses. Just to name a few: somehow this spyware called spylocked got stuck on my brother’s box. ( It’s a hijackware actually. ) What it does is pretty simple: it constantly alerts the user that there’s “spyware” in the computer, but the fact is, the only spyware around is itself; all it wants you to do is pay $$$ to the author for a fake anti-spyware. It also makes itself hard to uninstall.

There’s also the case where Mark Russinovich came across a botnet client that renamed mIRC.exe as explorer.exe and ran whatever command was issued in the channel that it joined.

Anyway, enough ranting about noob viruses that don’t work properly; here are the tips:

- Don’t be evil
Remember, white hat dudes are always around. Unless you are hacking a retard, someone will definitely catch you.

- Don’t use Visual Basic
This is common sense: Visual Basic is the big no-no when it comes to programming anything but a fancy GUI that does practically nothing. Every “virus” written in Visual Basic ships with its source included; I know you don’t mind people peeking at your virus’ source, right? You released your virus under GPLv2? Cool! Do worry if your victim’s box lacks MSVBVM60.DLL.

- Don’t use mIRC
We heard of the case of Zango suing PC Tools; maybe mIRC will sue McAfee or something, who knows? Anyway, there are too many dudes out there abusing mIRC to write “botnets”, so the security dudes got fed up and they don’t allow mIRC to pass normally.

- Don’t target POSIX boxes
POSIX boxes are too portable; you have to ensure that your virus works on a toaster before you can ensure that it works on NetBSD… =Z

- Don’t use commercial packers
Watch out! If you do, your virus will be stuck in someone’s unpacking tutorial!

- Don’t think they can’t find you if you do DLL injection
Spylocked’s main executable is a DLL that runs in explorer’s process space. The author must be mentally disabled to be satisfied with that level of protection.

- Don’t name it as picture.jpg.exe
We live in the twenty-first century; people are not dumb enough to fall for some old social engineering tricks. Be more creative, there are other ways of getting people to run your code. Or even better, get your victim’s Windows to run the code for you; if you are lucky, you might just come across a bug that would allow code injection in any Windows computer.

- Don’t use other’s virus
AV Vendors are faster than you, always.

- Do make it clear that Ctrl-Alt-Del isn’t working
Things that you can do:
+ Delete taskmgr.exe
+ Screw OpenProcess()
+ Screw QuerySystemInformation()
+ Access I/O port 0x64 whenever they open Task Manager
+ Hammer _EPROCESS
+ Set PspCidTable a bomb
+ Mess the mm to give you an Address Space
+ Anything else that works

- Do delete your main executable
Renting a “house” on a foreign computer is too expensive, so why not borrow another process’ executable? ntoskrnl.exe seems to be a good choice. Don’t forget to delete your main executable after you have injected into some other program.

- Do delay a bit before you do whatever that you are going to do
Please don’t
mov al, 0FEh
out 64h, al
the moment you get your code into your victim’s box. The rootkit philosophy is to be hidden, not to destroy. It is more valuable to hide your code than to give them coupons for free reboots or a free system reformat. It’s better that they don’t know.

- Do give dudes’ at Symantec/McAfee/F-Secure/ fun!
Imagine, those dudes sit in front of their computers the whole day disassembling lousy viruses written by some noob with an absence of a main body of neurons. ( aka: Brain ) Very sadly, this is their job… Just in case your virus gets into these guys’ hands, please do ensure that they are well entertained! A completely metamorphic packaging, inclusive of a built-in virtualization method, with a dosage of high-memory VM calls… preferably some stack call method. That should do the job of enlightening their job.

- Do inject/intercept packet in NDIS if you need network
The local firewall in your victim’s box just doesn’t give a damn about the packets if you send them by direct packet injection into the miniport driver’s queue.


About Memory Management and Memory Allocation

May 27, 2007

Introduction
One of the many functions of an operating system is to manage the memory and distribute it amongst running processes and threads.

The operating system does this by having a pool of memory, that is, unused memory, and then assigning memory from the pool to any program/process that requests it.

This act of assigning memory from the pool to the program/process is called memory allocation.

Two methods of memory allocation
- Direct Memory Mapping
This method directly notifies the operating system that you need an amount of RAM, and the operating system assigns it to you.
The disadvantage of this is that a system call ( direct notification to the operating system ) is an expensive process, as in it is slow. Furthermore, there are often restrictions that one has to allocate in multiples of the page size, or the request will be rounded up to a page boundary. ( The normal page size is 4k on x86 CPUs, if I am not wrong. ) An advantage, on the other hand, is that you get to set the I/O privilege of the pages.
Example of implementation:
mmap(); // POSIX
VirtualAlloc(); // Windows

- Allocate from heap
This method preallocates a few pages ( called the program heap ); then, whenever a request for memory is issued, it checks whether the free space in the heap is big enough to fulfill the request. If it is, it directly assigns that memory from the heap to the program. Otherwise, it allocates more pages, then assigns the memory. Note that this method happens outside of the operating system.
The disadvantage is that there’s an extra layer, and it does not allow you to specify the I/O privilege of the pages that you are allocating. The advantage is that one can allocate any size of memory, without the limitation of the page size. Also, it is faster, as most of the time it doesn’t involve system calls.
Example of implementation:
malloc(); // ANSI C

Benchmarking
The easiest way to understand the performance of these memory allocation routines is to do a benchmark.
I conducted one on my laptop ( For specs, see previous post. ). The contenders are:
- mmap() on Linux // PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE
- malloc() on Linux
- VirtualAlloc() on Windows // MEM_COMMIT, PAGE_EXECUTE_READWRITE
- malloc() on Windows

The software versions are:
Linux kernel 2.6.18, glibc 2.3.6
Windows XP SP2

The procedure is as follows:
1. Start timing.
2. Allocate x bytes.
3. Access the first byte of the allocated memory.
4. Free the memory.
5. Repeat steps 2~4 for a total of 2048 times.
6. Stop timing and record the reading.

Timing is done with the following API/Function:
gettimeofday(); // POSIX/Linux
QueryPerformanceCounter(); // Windows

Hmm, probably accurate enough, although:
Sleep(10); resulted in around 89xx microseconds
while
usleep(10*1000); resulted in around 100xx microseconds
// Note: Sleep() is a Windows API, while usleep() is a POSIX one.

The program is compiled with Visual C++ 6 on Windows, and gcc on Linux. ( duh! )
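The following is an added example, not the post’s own benchmark program (which was written in C against mmap()/VirtualAlloc() and malloc()). It runs the same six-step procedure from Python: an anonymous private mapping stands in for the direct-mapping case, and a bytearray allocation, which is served by the process heap allocator, stands in for the malloc() case. The size list and round count are constructed here; the page_rounded() helper illustrates the page-boundary rounding mentioned above, and the page size defaults to what the running kernel reports.

```python
import mmap
import time

# Constructed sweep: the post's graphs go up to 128 KB, so test a few
# power-of-two sizes in that range.
SIZES = [4096, 16 * 1024, 64 * 1024, 128 * 1024]
ROUNDS = 2048  # step 5 of the procedure: 2048 allocate/touch/free cycles


def bench_mmap(size, rounds=ROUNDS):
    """Direct memory mapping: one anonymous private mapping per round
    (the counterpart of the post's mmap()/VirtualAlloc() case).
    Returns the elapsed time in microseconds."""
    start = time.perf_counter()            # step 1: start timing
    for _ in range(rounds):
        m = mmap.mmap(-1, size)            # step 2: allocate `size` bytes
        m[0] = 1                           # step 3: touch the first byte
        m.close()                          # step 4: free it
    return (time.perf_counter() - start) * 1e6   # step 6: stop and record


def bench_heap(size, rounds=ROUNDS):
    """Heap allocation: bytearray(size) is served by the process heap
    allocator, the counterpart of the post's malloc() case."""
    start = time.perf_counter()
    for _ in range(rounds):
        b = bytearray(size)
        b[0] = 1
        del b
    return (time.perf_counter() - start) * 1e6


def run_benchmark(sizes=SIZES, rounds=ROUNDS):
    """Run both allocators over every size.
    Returns {size: (mmap_microseconds, heap_microseconds)}."""
    return {s: (bench_mmap(s, rounds), bench_heap(s, rounds)) for s in sizes}


def page_rounded(size, page_size=mmap.PAGESIZE):
    """Bytes the kernel actually reserves for a mapping of `size` bytes:
    a mapping is rounded up to a whole number of pages."""
    return -(-size // page_size) * page_size


if __name__ == "__main__":
    for size, (m_us, h_us) in run_benchmark().items():
        print(f"{size:>7} B  mmap {m_us:10.0f} us   heap {h_us:10.0f} us"
              f"   (a mapping reserves {page_rounded(size)} B)")
```

The two timings are only comparable with each other on the same machine; the heap figures also include Python object overhead, so treat the output as a shape (does each line stay flat as the size grows?) rather than absolute numbers.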

Benchmarking Result
Let’s visualize it:
[Graph: allocation time against size for all four functions]

It seems that malloc() on Windows is sort of messed up after 64kb allocations.
Perhaps Microsoft should fix it?

It even spoilt the graph, so that we only see the green line.

This is the graph without malloc() on Windows:
[Graph: mmap(), malloc() on Linux and VirtualAlloc() only]

It seems that all 3 functions scale O(1) before 128kb.

I wondered how malloc() on Windows scaled.

So this is the third graph with all 4 functions, but only with test case
[Graph: all four functions, restricted test case]

As seen from the graph, all 3 functions from the previous graph scale O(1), while malloc() on Windows goes out of control at around 16kb.

Conclusion

On Linux: use malloc() to save trouble; it scales quite well. Use mmap() if you want to do advanced memory management.
On Windows: use malloc() below 16kb; use VirtualAlloc() for bigger allocations.


Is it just in TJC, or are systems all over Singapore like that?

April 14, 2007

This post’s regarding various security holes I see in the school’s computer systems. Please note that I am not trying to hack the school’s system. ( I promised Mr. Low that I won’t. ) This is posted here in the hope that they will fix them. Also, I did not actively audit the system; these are just some that I came across without auditing.

Wireless system
When I first came into Temasek Junior College, I met the IT assistant/manager ( His name is Yang Le, or however it should be spelt ), and he bet with me that I could not retrieve the school’s wireless password. He also claimed that the password is secure, because it is long…

However, a standard WEP password must be 26 characters long, and is made up of hexadecimal digits. Therefore, his password is as strong as all the other WEP passwords. His claim that his password is more secure is a false claim.

Anyway, the bet was still on, so that day I spent half an hour coding a simple keylogger on my previous laptop, a Compaq Presario 1500. It took me 5 minutes to start up my comp, another 5 minutes to start up Visual Studio 2003, and another 7 minutes to create a new project. ( That laptop retired just one month ago, since it is too old. )

A keylogger’s done in 10 minutes’ time; abusing the GetAsyncKeyState() API is quite fun indeed. I am quite amazed that one of my classmates, S??????n, recognized that it is C++. ( Name censored for privacy. )

I keylogged him ( the IT assistant ) and obtained the wireless password, which is just what my classmates found out from our senior: the factory default for 3Com wireless access points.

Later, I talked to Mr. Low, the IT manager ( or whatever position he held ). He told me that it is the factory default, not for security, but because it is troublesome to change every access point in the school.

The nature of a wireless network allows every single computer on the network, or in some circumstances any computer within range of the transmitter, to receive what everyone’s talking about on the network, since the signal’s transmitted into the air.

With this nature of wireless networks, information is easily accessible. Therefore, extra security measures need to be in place.

The e-learning portal – The MaTrix
I am quite pleased that the e-learning portal has a basic form of encryption in place to prevent the password from being transmitted as plain text. They also ensured that the password cannot be derived from what is sent across the net.

How they achieved this is described below:
1. When the login page is displayed, the server generates a seed and sends it to you.
2. When you log in, the password is hashed with a digest algorithm like MD5. Furthermore, to prevent brute force of MD5 with a precomputed table, the salt/seed is added to the password.
3. Together with the username and seed, the password in the form of a hash is sent to the server.
4. The server computes MD5 over the password from the database with the seed, then compares the result to the one received from your browser.
5. It sets the cookie if it matches.

The method is quite good, but not without weaknesses:
1. We now know that the passwords are stored in plain text, which is not good practice. ( Maybe not; it seems that the password’s passed through md5() twice… )
2. We don’t need the password to log in: we just take the hash, username and seed ( obtained by some means ), then send them to the server the way a legitimate login is made; the server would acknowledge the login, and we are in.

To fix no. 2, the server should set a timeout for each seed.
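To show the scheme and the fix side by side, here is an added example (not the portal’s code; the page does not show the exact concatenation order, so the response is assumed to be md5(seed + password), and the time-to-live value is made up). The server records when it issued each seed, accepts each seed only once, and rejects it after the timeout, so a captured (username, seed, hash) triple no longer logs in. A fake clock is injected so the expiry path can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

SEED_TTL_SECONDS = 60  # assumed value; the page only says "a timeout"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def client_response(password: str, seed: str) -> str:
    """Step 2 of the scheme as the browser would do it: hash the password
    together with the server-issued seed (concatenation order assumed)."""
    return md5_hex(seed + password)


class LoginServer:
    def __init__(self, users, ttl=SEED_TTL_SECONDS, clock=time.time):
        self.users = users      # {username: plain-text password}, as the page infers
        self.ttl = ttl
        self.clock = clock      # injectable so tests can move time forward
        self.seeds = {}         # seed -> time it was issued

    def issue_seed(self) -> str:
        """Step 1: a fresh random seed, remembered with its issue time."""
        seed = os.urandom(16).hex()
        self.seeds[seed] = self.clock()
        return seed

    def login(self, username: str, seed: str, response: str) -> bool:
        """Steps 4-5 plus the fix for weakness no. 2: the seed must be one we
        issued, must not be older than the timeout, and is consumed on first
        use, so replaying a sniffed login fails."""
        issued = self.seeds.pop(seed, None)          # single use
        if issued is None or self.clock() - issued > self.ttl:
            return False                             # unknown or expired seed
        password = self.users.get(username)
        if password is None:
            return False
        expected = client_response(password, seed)
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed scenario: one genuine login, one replay, one stale seed.
    Returns (genuine_ok, replay_ok, stale_ok)."""
    now = [1000.0]
    server = LoginServer({"alice": "s3cret"}, ttl=60, clock=lambda: now[0])

    seed = server.issue_seed()
    response = client_response("s3cret", seed)
    genuine = server.login("alice", seed, response)   # legitimate browser

    replay = server.login("alice", seed, response)    # same triple, sniffed

    seed2 = server.issue_seed()
    now[0] += 120                                     # 2 minutes pass
    stale = server.login("alice", seed2, client_response("s3cret", seed2))
    return genuine, replay, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Weakness no. 1 is untouched by this: the server still needs the plain-text password (or whatever the stored value is) to recompute the hash, which is inherent to a challenge-response built on a plain digest.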

The Student Portal
I am quite pleased that the student portal is taking the same strategy as The MaTrix: hashing the password with MD5 before it is sent onto the net.

Yang Le ( Or however his name may be spelled. ) did a good job in writing the Student Portal. It is more advanced in security than the MaTrix, as it made use of the ASP Session ID properly.

I dare not say that the Student Portal is secure, but I would say that it is secure compared to the MaTrix.

There is a vulnerability in the staff/student directory page that allows arbitrary remote SQL code execution. By submitting a specially crafted string as the keyword, the attacker can do anything to the database, and that includes… sadly… drop database;.

To fix it, the search page should convert special characters, such as “‘”, “:”, “;”, into escaped form, eg: “\’” ( The examples in this sentence are without the double quotation — ” )

Another vulnerability with the student portal is that the search page does not limit the interval between your search queries. This could be a potential DDoS vulnerability: probably, given the power of 2 to 3 computers, any attacker can crash the Student Portal SQL server or even the web server, if they are the same box.
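An added example for the two search-page issues above (not the portal’s code, which was ASP; this uses Python with an in-memory SQLite table of constructed rows). It shows the string-pasting pattern the page describes beside the parameterised form, where the keyword is bound as data and can never change the statement, which is a stronger fix than escaping individual characters. The unsafe form is exercised only with an ordinary name containing an apostrophe, enough to show the statement breaks. A minimum-interval limiter per client, with an assumed interval, addresses the second issue; its clock is injectable so the test does not have to sleep.

```python
import sqlite3
import time

# Constructed directory contents.
DIRECTORY_ROWS = [("Alice Tan", "staff"), ("Bob Lim", "student"), ("Dan O'Brien", "staff")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?)", DIRECTORY_ROWS)
    return conn


def search_unsafe(conn, keyword):
    """The pattern described in the post: the keyword is pasted into the SQL
    text, so any quote in it becomes part of the statement."""
    sql = "SELECT name, role FROM directory WHERE name LIKE '%" + keyword + "%'"
    return conn.execute(sql).fetchall()


def unsafe_breaks(conn, keyword):
    """True if the string-pasting query fails to even parse for `keyword`."""
    try:
        search_unsafe(conn, keyword)
        return False
    except sqlite3.Error:
        return True


def search_safe(conn, keyword):
    """Parameter binding: the driver passes the keyword as a value, never as
    SQL text, so quotes and semicolons are just characters to match."""
    return conn.execute(
        "SELECT name, role FROM directory WHERE name LIKE ?",
        ("%" + keyword + "%",),
    ).fetchall()


class RateLimiter:
    """Enforce a minimum interval between searches per client, for the
    post's second issue (no limit on how often the page can be queried).
    The interval is an assumed value."""

    def __init__(self, min_interval=2.0, clock=time.time):
        self.min_interval = min_interval
        self.clock = clock
        self.last_query = {}   # client id -> time of last accepted query

    def allow(self, client_id):
        now = self.clock()
        last = self.last_query.get(client_id)
        if last is not None and now - last < self.min_interval:
            return False       # too soon: refuse before touching the database
        self.last_query[client_id] = now
        return True


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, "Lim"))                 # [('Bob Lim', 'student')]
    print(search_safe(db, "O'Brien"))             # apostrophe handled as data
    print(unsafe_breaks(db, "O'Brien"))           # True: the pasted query fails
    limiter = RateLimiter(min_interval=2.0)
    print(limiter.allow("10.0.0.5"), limiter.allow("10.0.0.5"))  # True False
```

Binding parameters removes the whole class of keyword-in-statement bugs, whereas escaping has to enumerate every dangerous character for the particular database in use; the limiter is deliberately placed before the query so a rejected request costs the server nothing.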

To Yang Le, in case he is reading my blog: I am waiting…. For a proper legal statement of the student portal.

After all, I have not even started. These are just some bugs that I spotted while in school. Perhaps I will start the real auditing when Mr. Low gives me the permission…

————————————————————
The weird thing about my blog is that it does not have any links to others’ blogs, eg: my classmates’ blogs.

My blog is going to have a link section!

Those who want to be linked, please leave a comment.

For h4xx0rs, I don’t want to link your “life” blog, sorry. Technical blogs only. ( A mixed one’s alright.. perhaps… )


Some info on cryptography

April 9, 2007

Erm, first of all, this blog is NOT dead; I didn’t post for quite some time because I was really busy with my school work…

It seems that many don’t know how to verify files….

Many people’s impression of cryptography is that you have a key that you can use to encrypt and decrypt. Like this:
“This is a message” ==> Encrypt with Key ( 561173 ) ==> “VGhpcyBpcyBhIG1lc3NhZ2U=” ==> Decrypt with the same Key ( 561173 ) ==> “This is a message”
( This is just a demo, erm… no Base64 is harmed?! )

The above type of cryptography is called symmetric cryptography, meaning that the key that is used to encrypt can also decrypt the data. With this type of cryptography, it is hard to keep the key secure. If the other side needs to decode the message, he will need the key, and if the key is sent along with the message, then whoever’s eavesdropping can get the key also…

Therefore, there’s a new type of cryptography… I mean, newer than symmetric cryptography, but older than most of us anyway. ( and yes, that includes YoYo too, one of the leet-est members I ever had in DA, and he was 38 last year. )

It is called asymmetric cryptography; as the name suggests, the key to encrypt and the key to decrypt are different. Furthermore, you cannot derive one key from the other.

How is this applied? Let’s take an example:
Bob wants to send a message to Alice.
Alice generates a pair of keys. She sends the encryption key to Bob. ( The eavesdropper gets the key too… )
Bob encrypts the message with the encryption key, then sends it. ( The eavesdropper can’t decrypt it, since the encryption key cannot decrypt, and the decryption key cannot be derived from the encryption key. )
Alice gets the message and decrypts it.

Let me introduce some terminology:
- Public Key is the key that you allow everyone to know. In the case of signing files, it is the decryption key. In the case of encrypting files, it is the encryption key.
- Private Key, the opposite of the public key. No one except you should have it.

Also note that most modern cryptography algorithms allow encryption or decryption with either key, meaning that it is not fixed that a given key can only be used for encryption or for decryption. If you use one key to encrypt, then you need the other key to decrypt, and vice versa.
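Here is an added worked example of the Bob-and-Alice exchange and of signing, using textbook RSA (it is not GPG’s code, and the key is a constructed toy: two small Mersenne primes, nowhere near a real key size). Bob encrypts with Alice’s public key and only her private key reverses it; Alice signs by applying her private key to a hash, and anyone holding the public key checks it, which is exactly the "public key is the decryption key when signing" point above. The 8-byte blocking, the marker byte, and the truncated MD5 digest are choices made so every value fits under the toy modulus; they are not part of any standard.

```python
import hashlib

# Constructed toy key material: far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537
BLOCK = 8   # 8 data bytes + 1 marker byte = 72 bits, always below n (~2^92)


def make_keypair(p=P, q=Q, e=E):
    """Textbook RSA: public key (e, n), private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public, data: bytes):
    """Encrypt with the public key; only the private key can reverse it."""
    e, n = public
    blocks = []
    for i in range(0, len(data), BLOCK):
        chunk = b"\x01" + data[i:i + BLOCK]       # marker preserves leading zeros
        blocks.append(pow(int.from_bytes(chunk, "big"), e, n))
    return blocks


def decrypt(private, blocks):
    d, n = private
    out = b""
    for c in blocks:
        raw = pow(c, d, n).to_bytes(BLOCK + 1, "big")
        out += raw[raw.index(1) + 1:]             # strip zero padding and marker
    return out


def digest(data: bytes) -> int:
    # First 8 bytes of MD5 so the value fits under the toy modulus.
    return int.from_bytes(hashlib.md5(data).digest()[:8], "big")


def sign(private, data: bytes) -> int:
    """Signing: apply the private key to the hash of the file."""
    d, n = private
    return pow(digest(data), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Verifying: apply the public key and compare with a fresh hash."""
    e, n = public
    return pow(signature, e, n) == digest(data)


def exchange(message=b"This is a message"):
    """The post's scenario. Returns (what Alice reads, signature check on the
    real message, signature check on a tampered message)."""
    public, private = make_keypair()      # Alice: generates the pair, publishes public
    ciphertext = encrypt(public, message)  # Bob: encrypts with Alice's public key
    plaintext = decrypt(private, ciphertext)  # Alice: decrypts with her private key
    signature = sign(private, message)    # Alice: signs with her private key
    return (plaintext,
            verify(public, message, signature),
            verify(public, message + b"!", signature))


if __name__ == "__main__":
    print(exchange())   # (b'This is a message', True, False)
```

Real systems never apply RSA directly to data like this; they pad the blocks, encrypt a random symmetric key rather than the message itself, and use a full-length hash, which is what GPG does behind the scenes.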
Ok, enough Cryptography-101… I mean enough basic stuff, let’s move on to real applications.
Cryptography software allows us to:
- Create a pair of keys
- Encrypt a file, that only the recipient can
- Sign a file
.. etc..

The software that I propose is GNU Privacy Guard, also known as GPG. This software is compatible with PGP.
Although it is a CLI program, you won’t need to touch the CLI anyway… There are GUIs out there.

For Windows:
Please go to http://www.gpg4win.org/ and download the software.
Here’s a step by step on how to verify a signed file:
1. You need to import the author’s public key.
– Start GPA.
– If prompted to generate a key pair, it is up to you when you want to do it, or whether you want to do it at all.

Default Startup Scene.

Now Click Server->Retrieve Key:

Next, key in the key ID.

Then, it will tell you that it got the key. ( It requires internet access to fetch the key. )

Just to ensure nobody meddled with the key, you can verify the fingerprint:

Ok, now we are done with importing the keys.

2. Verifying the file.
– Go to the directory where the file is.
– Right click -> GPGee -> Verify/Decrypt File

– Then, it will tell you whether the signature and the file are valid or not.

– OK, now you are done!

For more information on my public key, visit the About page.
Feel free to tell me if any of you created any key pairs, so I can add them in also.

There is also a lot of information on cryptography software like GPG out there; Google it!

====================================================================

Just some side news here:
- GMS GG rev 1000, MzBot survived it.
- Debian GNU/Linux 4.0 ( Codename `Etch` ) Released! Finally! I have been waiting for it for 5 months! Beta testing it for 3 months! ( and met no bugs… LoL! )
- Gonna help in the K Desktop Environment Project, possible areas:
+ Kig, part of the KDE Edu package. If possible, I will persuade the school to drop GSP.
+ Plasma, the shell. I got some idea for Application Launching methods….
+ Chinese i18n
But before that, I gotta brush up my Qt skills…. The last time I did Qt C++ programming was…I can remember then…

That was my PSLE year… before I started fiddling this 10-year old online game called MapleStory, before I started writing mailing spammer/flooder….


My WS’ alive again!

March 16, 2007

Maybe it is just too much dust accumulated on the DIMM slot, so that the MOBO failed to recognise the DDR…
Anyway, after “washing up” the main board, my WS is up and running again.

To those who replied to my previous post:
You only unplug the HD to rescue data when you have confirmed that the comp’s beyond repair.
MzBot source code ain’t that important that I would have to immediately unplug the HD and “rescue” the data. I can do it later when I really confirm that the box is beyond any repair. ( happens rarely; you don’t find your CPU+Mobo+RAM+Graphics card dead all at the same time… )
Even if I do rescue the data, I won’t be able to work on it anyway; both the router and my laptop are Linux boxes.
Note that you don’t really have to put it as slave when you have 2 IDE channels; it all depends on the situation….
The bad thing is that all 4 IDE slots are occupied in my other comps ( router + my dad’s workstation ): there are 4 HDs and 1 CD-ROM. So if I really want to back up, I have to unplug something…


Oops! My WS’s dead!

March 15, 2007

There’s bad news for me: my workstation for hacking work is dead. ( MzBot source’s in it, by the way. )
Almost all UCEs, cheats and bots by me were written on it.
Except MzBot version 1, since it was done in Taiwan.

Spec:
- Intel Pentium 4 2.0GHz
It is a Willamette core, no wonder my dad complained about the electricity bill… Also, it is without the virtualization extension. ( IVT wasn’t even available in Northwood.. LoLx. )
- DDR 512MB
Originally, I had 768MB of it, but the 256MB stick burnt out… So I am left with 512MB
- nVidia GeForce 4 MX440
This is the third card that I have used on this comp; the first one was an nVidia GeForce 2 MX400 ( Inno3D ), the second one an nVidia GeForce 6800LE ( Asus ), but it burnt out somehow, so I sent it for repair; that’s why I am using a backup GeForce4 MX440.

This morning, when I tried to start it, the screen remained signal-less and the box gave no beep…

3 possibilities to rule out: Mainboard, RAM and Video Card. ( Erm… isn’t that almost everything? )
It seems to me that the possibility of the mainboard being dead is the lowest…
Perhaps it is just time that this box is gonna stop functioning. It has been tortured 14 hours a day since year 2004. ( Or earlier )

Anyway, the development of MzBot might be halted until this box’ back working again.
( I am on my laptop now… )


MzBot

February 18, 2007

1. When it all started
Oct/Nov 2006, when my final year examination was over ( in which I slacked and scored only 73% ), I really had an amount of time to spend on hacking.
One of my friends, tsj4j ( Spencer Thang, from RI ), came and asked me for a simple Autoclicker for use in Trickster Online, which also uses nProtect GameGuard. So I just used the same simple method of bypassing the usermode hook, and injected into the game process.
However, he later reported back to me that it doesn’t work!
I instructed him to briefly debug the Autoclicker; it ended up that the loophole allowing the game process to bypass the SSDT hook had been patched.
That inspired me to screw their hook.

2. November holiday, when I am bored
I went back to Taiwan on Mid November…
That was when I thought of the SSDT relocation, which is documented in both my blog ( See the MSBot case ) and in Dual’s blog.

3. Ideas put in action
At the end of November, I wrote the driver and tested it out. ( The command line debugging utility for MzBot.sys; TiMBuS has seen it before. )
The GUI is done on the 1st of December.
That night, my mom went to hospital to look after my grandpa ( who died just recently.. T_T ), so I can sleep anytime I want…
Around the midnight, I thought I want to leave something for the iNCA people, just in case it leaked out, so I wrote and embedded a letter to iNCA in MzBot. ( You all should try to get it out? )
I don’t really treat MzBot as an important project, neither would it be public, that’s why I didn’t really give it a proper protection, I only packed it with ASPR, and added a small anti-unpack ( Still can’t fool SunBeam.. )

4. Sigh…
Around the end of Feb 2007, many people in MSS requested me for MzBot, so I made a version that expires on 15 Feb, and gave it out, by sending it to them individually.
Then, somebody gave it to BrandonMS ( Thanks to SunBeam for notifying me. ), that’s how it all got leaked…

Appendix 1: Regarding the Autopotting:
The autopotting is working on my computer, so I don’t see why it isn’t working on yours…
There’s a way to make MzBot bypass MSBot or MSPro, but it is private. I only told 1 person about it, so if you are the person, you should know better than to leak.


The case of exploding Coca-Cola

January 20, 2007

This is probably one of the very rare non-computer related blog entries that you can find in my blog.

In my family, the usual method of “drinking” Coca-Cola is to put it in the fridge, or the freezer rather, and let it freeze. Then, later, open the top of the frozen Coca-Cola bottle with a can opener, and eat it with a spoon…

It was recently that the stock of Coca-Cola in my house ran out, so my mom went out to buy another box. The previous box was bought approximately one year ago, which was during the Chinese New Year.

After this, my brother and I put two bottles of it in the freezer. At around 7pm+, my mom was in the kitchen cooking and heard a pop; she thought something had exploded, but somehow she couldn’t find it… However, later on, around 8pm, when we opened the freezer, we witnessed a messy scene inside…

This is what the two bottles look like after the mess in the freezer was sorted out:
[Photos: the two burst bottles]

Big mess huh?

Water is a very special substance: it expands when cooled below 4 degrees Celsius. If there is more water in the Coca-Cola, then when frozen, the total volume would increase more, and it would then explode; thus I guess the company’s adding more water to their product to reduce the cost of production. Anyway, who knows?

And just one more piece of old news: MzBot’s still working with nProtect GameGuard rev939… So, should I conclude: “Only private hacks/bots last.”?
My advice: Keep your hacking utility private…

( x86_64 & nVidia entry coming up soon.. LoL… )