UGN Security Forums
#3244 - 08/16/03 12:32 AM For 20 minutes I was owned by a lamer
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
The story of how SilentRage was owned at 10:00 AM friday morning on August 15th, and how to prevent getting owned yourself.

Today I was checking my nettaxi account email when I noticed an email supposedly from "[email protected]". Being the suspicious type, I had my doubts, but found no harm in checking it out anyway. I downloaded the email with a POP3 client I had written myself. The moment I viewed the email I was presented with a ZIP file with no message. Knowing how buggy my POP3 client was, I pressed the "View Raw" menu button to see the email in the raw. There was a brief message and an attachment as shown below:

- BEGIN Email ------------------------------------
Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
qccqfckf

[Attachment: message.zip]
- END Email --------------------------------------

Not very descriptive, and I still had my doubts. However, it was getting more believable because my nettaxi account is very old, nettaxi really sucked, and I never used the nettaxi website to check my mail... and I saw no harm in opening the zip file.

Opening the 14KB zip file I was presented with an HTML file called "message.html". This is where I made my mistake. Instead of right-clicking and saying "View in Notepad" I double clicked it to execute the HTML page. I was presented with a webpage which only had 2 words "no message", and an embedded object that appeared to not work. I viewed the source, it went something like this:

Code:
<title>Message</title>
<body scroll=no bgcolor=white>
<FONT face="Arial" color=black
style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">
No message</FONT>
<!-- CODEBASE is an mhtml: URL pointing at the local copy of message.html itself;
     the '+path+' fragment shows the tag was assembled by script, with 'path' being
     the directory the page was opened from. The part after "!" names foo.exe as the
     entry to fetch, which is how the extracted EXE was launched. -->
<OBJECT style="cursor:cross-hair" alt="moo ha ha"
CLASSID="CLSID:11111111-1111-1111-1111-111111111111"
 CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe">
</OBJECT>
</body>
I looked for "foo.exe" in the root directory and it did not exist. I frowned, thinking maybe it was a botched attempt to infect me with a trojan or something. It was soon after this that I was presented with a blue screen saying something about a driver IRQ error and that I needed to reboot, and if the problem persists I can do "this and this and blah blah blah". Since this error occurred at exactly the same time I tried to view a file created by a recent PuTTY install, I thought maybe it was just a one-time thing. So I rebooted, started everything back up, and just as I was getting settled in BANG, I got the same blue screen.

I was 0wned

Mildly amused that I actually fell for a lamer trick, and mildly pissed at the same time... I rolled up my metaphorical sleeves and went to work. Hoping that the trojan or virus or whatever it was didn't corrupt something with the drivers, I immediately acted on the assumption that there was a program in startup that was causing a delayed crash (because I did NOTHING that second time to trigger a crash). I rebooted once again, but this time into safe mode, waiting ages and ages for it to get through the safe mode OS loading process. I waited a bit... 1... 2... 3... no crash. Good, I'm about to kiiiiiiick some ass! I opened up regedit and looked under the CURRENT_USERS startup key, and found nothing at all in the list. I then went into the LOCAL_MACHINE startup list where I knew several things were there. I immediately spied a "VideoDriver" entry pointing to a program in the WINNT directory called "videodrv.exe". I laughed aloud, mocking the lamer who thought they were so smart. Why the heck would I need a "video driver" executable in startup? GAY I tell ya! I deleted the entry, and moved the file to a quarantined location.

I was not satisfied with that... oh no. Where there's a little mess, there's a big mess swept under the carpet. SOMEhow that innocent-looking HTML file got that damn program executed, and it was done SOMEhow by a temporary program called "foo.exe". I then did a search for all files created in the last day and came up with the following:

/WINNT/exe.tmp (foo.exe I presume?)
/WINNT/zip.tmp (contained message.html)
../temp/message.zip (the file that smacked me)

I then looked in the registry to see if the CLSID "11111111-1111-1111-1111-111111111111" existed, and as sure as cold makes perky nipples, I found it under CODEBASE. I exported and deleted the following from the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\DownloadInformation]
"CODEBASE"="mhtml:file://C:\\Documents%20and%20Settings\\Dave\\Local%20Settings\\Temp\\message.html!File://foo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\InstalledVersion]
@="0,0,0,1"

I had ripped the malware program out of my system by the roots - and a little bit more besides just to be on the safe side. After I analyzed the files, this is how it worked:

message.html contained HTML, and an entire EXE within it. When I executed message.html, it extracted the EXE from itself into a file called "foo.exe" in my root directory. It then used the OBJECT tag to write to the registry and execute the program it extracted. The rest of the HTML overwrote its own document so as to hide part of its code.

foo.exe copied itself to "exe.tmp", perhaps to be used in sending itself to other people; it also created the zip.tmp file. The foo.exe had some HTML appended to it, so it extracted all of itself minus that HTML into the program videodrv.exe. Viewing videodrv.exe in Notepad reveals no HTML at all, further enhancing its innocent appearance. Then it executed videodrv.exe and terminated.

videodrv.exe deletes foo.exe and does whatever it does in sending itself out to other people. It also waits 150 seconds before crashing the computer.

Keep all this in mind, and the techniques used to cleanse yourself if you should fall for a different lamer trick.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

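The layout SilentRage describes above (an HTML file carrying a whole EXE, and foo.exe with HTML appended to it) is a PE/HTML polyglot. The following is an added example, not code from this thread or from the worm, that locates and carves the embedded executable by validating the MZ/PE headers and walking the section table to find where the image ends, rather than trusting the first "MZ" it sees. The stub PE, the HTML sample and the helper names are all constructed here for the demo.

```python
"""Locate and carve a PE executable embedded in an HTML file (or trailing HTML
appended to an EXE), the layout described for message.html and foo.exe.
Added example; helper names and the stub PE are constructed for this demo."""
import struct

PE_SIG = b"PE\x00\x00"
COFF_HEADER_LEN = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_LEN = 40   # IMAGE_SECTION_HEADER


def pe_end_offset(data: bytes, mz_off: int):
    """If a valid PE image starts at mz_off, return the file offset where its
    last section's raw data ends; otherwise return None (a bare 'MZ' in text
    is not an executable)."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 4 + COFF_HEADER_LEN > len(data):
        return None
    if data[pe_off:pe_off + 4] != PE_SIG:
        return None
    _machine, num_sections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    sec_table = pe_off + 4 + COFF_HEADER_LEN + opt_size
    end = sec_table + num_sections * SECTION_HEADER_LEN
    if end > len(data):
        return None
    for i in range(num_sections):
        _name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_table + i * SECTION_HEADER_LEN)
        if raw_ptr:  # PointerToRawData is relative to the image start, not the file
            end = max(end, mz_off + raw_ptr + raw_size)
    return end if end <= len(data) else None


def find_embedded_pe(data: bytes):
    """Return (start, end) of the first validated PE image in data, or None."""
    pos = data.find(b"MZ")
    while pos != -1:
        end = pe_end_offset(data, pos)
        if end is not None:
            return pos, end
        pos = data.find(b"MZ", pos + 1)
    return None


def carve_pe(data: bytes):
    """Return the embedded PE bytes, or None if the file carries no executable."""
    span = find_embedded_pe(data)
    return None if span is None else data[span[0]:span[1]]


def make_stub_pe(payload: bytes) -> bytes:
    """Constructed minimal PE layout for the demo (DOS header, PE signature,
    COFF header with no optional header, one section). It is not a runnable
    executable, only enough structure for the carver to validate."""
    header_len = 0x40 + 4 + COFF_HEADER_LEN + SECTION_HEADER_LEN  # 128 bytes
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)   # i386, one section
    section = struct.pack("<8sIIII", b".text", len(payload), 0x1000,
                          len(payload), header_len) + b"\x00" * 16
    return bytes(dos) + PE_SIG + coff + section + payload


# Constructed sample: the decoy "MZ" in the HTML text must not be taken for a PE.
HTML_PART = b"<title>Message</title><body>No message <!-- MZ decoy in text --></body>"
STUB_PE = make_stub_pe(b"\xcc" * 16)

if __name__ == "__main__":
    for label, blob in (("html+exe", HTML_PART + STUB_PE),
                        ("exe+html", STUB_PE + HTML_PART),
                        ("html only", HTML_PART)):
        print(label, find_embedded_pe(blob))
```

Run it against a suspect message.html or a foo.exe-style file and the carver returns exactly the executable bytes, with the HTML before or after it stripped; the section-table walk is what lets it cut the trailing HTML off foo.exe the same way the worm did when it produced videodrv.exe.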
#3245 - 08/16/03 02:15 AM Re: For 20 minutes I was owned by a lamer
Crime Offline
UGN Super Poster

Registered: 03/01/02
Posts: 505
Loc: Tartarus


as nelson would say, "Ha Ha!"

#3246 - 08/16/03 06:36 AM Re: For 20 minutes I was owned by a lamer
Imperial Offline
Member

Registered: 03/07/02
Posts: 201
Loc: inside
I wish you were witty crime...
_________________________
I am the Lizard King
I can do anything

#3247 - 08/16/03 08:39 AM Re: For 20 minutes I was owned by a lamer
Chem Offline
UGN News Staff

Registered: 10/13/02
Posts: 364
Loc: Vagabond (Location Differs)
Any hope of tracing the email?
Im guessing they used an email spoofing program?
VisualRoute has a built in email tracer?
_________________________
C++ Should Have Been Called "D"

#3248 - 08/16/03 10:11 AM Re: For 20 minutes I was owned by a lamer
Crime Offline
UGN Super Poster

Registered: 03/01/02
Posts: 505
Loc: Tartarus
Quote:
Originally posted by Imperial:
I wish you were witty crime...
na

#3249 - 08/16/03 10:33 AM Re: For 20 minutes I was owned by a lamer
BackSlash Offline
UGN's Resident Homo

Registered: 03/16/02
Posts: 599
Loc: TN
it was me, i did it
_________________________
"It's better to burn out, than to fade away."

#3250 - 08/16/03 01:14 PM Re: For 20 minutes I was owned by a lamer
Gremelin Offline

Community Owner

Registered: 02/28/02
Posts: 7192
Loc: Portland, OR; USA
Rage, stop your obsession with thinking you're elite and safe from all viruses and install a fucking virus scanner...
_________________________
Donate to UGN Security here.
UGN Security, Back of the Web, Elite Web Gamers & VNC Web Design Owner

#3251 - 08/16/03 01:59 PM Re: For 20 minutes I was owned by a lamer
HighLander Offline


Registered: 03/07/02
Posts: 270
Loc: Canada
Well, quite the story SR. Kudos to you......
That is the story you mentioned last night on the IRC chat, I presume..........
_________________________
Unless you try something to which you have not already succeeded ~ Then you shall NEVER grow

#3252 - 08/17/03 12:56 AM Re: For 20 minutes I was owned by a lamer
visage Offline
Junior Member

Registered: 06/12/03
Posts: 14
The random string of letters at the end of the email should have been the dead give-away SR. A lot of spam and fake e-mails contain a random string of characters at the end of the letter.


For more info on the actual exploit, here it is:
http://www.securityfocus.com/archive/1/259018/2003-04-13/2003-04-19/0


Applause on doing all that SR. I don't think I would have been able to get rid of the entire thing.

#3253 - 08/17/03 03:41 AM Re: For 20 minutes I was owned by a lamer
SilentRage Offline
DollarDNS Owner

Registered: 03/04/02
Posts: 1273
Loc: OH, USA
Quote:
Originally posted by Gizmo:
Rage, stop your obsession with thinking you're elite and safe from all viruses and install a fucking virus scanner...
I don't know if I'm elite. Tell me what elite means and I'll tell you if I fit the bill.

And virus scanners annoy me. They're about as bad as AOL: they get into everything and slow certain file-accessing activities down. A periodic remote virus scan from my roommate's computer is all I need.
_________________________
Domain Registration, Hosting, Management
http://www.dollardns.net

#3254 - 08/17/03 04:23 AM Re: For 20 minutes I was owned by a lamer
unreal Offline



Registered: 03/01/02
Posts: 860
Loc: KCRQ
I don't think I've had a virus scanner on my system for 2-3 years now...

#3255 - 08/17/03 04:01 PM Re: For 20 minutes I was owned by a lamer
jonconley Offline
UGN Super Poster

Registered: 10/08/02
Posts: 955
Loc: Merrill, IA, USA
I have no scanner either. It's all about habits. I don't view attachments, don't allow HTML emails, don't go to questionable sites, don't download fake/infected files.

Plus most times when I go to fix someone else's computer I prefer to manually remove the virus/trojan/adware myself. The scanners have problems or simply say they cannot do it, and I don't trust them to get it clean.

Windows fortunately has a few limited areas where these things can be triggered and hide, so its not too hard to see when something is going on and fixing it. Usually...

#3256 - 08/18/03 05:08 AM Re: For 20 minutes I was owned by a lamer
Scalli0n Offline
Junior Member

Registered: 08/01/02
Posts: 68
I fixed this problem long ago by installing linux.

#3257 - 08/22/03 10:09 AM Re: For 20 minutes I was owned by a lamer
MESELF Offline
Junior Member

Registered: 08/08/03
Posts: 68
Actually... it's not exactly a LAMER trick as you say. It's one of the top threats as far as 'viruses' go. This one's technically a worm.

Quote from grisoft.com

I-Worm/Mimail
I-Worm/Mimail is a virus which is sending itself via e-mails with following text:

Hello there,

I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

---
Best regards, Administrator

The virus uses a MESSAGE.ZIP file as an attachment. This archive contains a MESSAGE.HTML file, which is in fact its own EXE version of the virus, plus a short script designed to copy the virus onto the hard disk of the infected computer and launch that file.
When the computer is infected, the virus creates the VIDEODRV.EXE file in the Windows folder, where it also creates some temporary files (eml.tmp, exe.tmp and zip.tmp).
The virus is launched every time the computer is started, due to the virus's VideoDriver key in ...\CurrentVersion\Run.
2003-08-01


End Quote

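The grisoft description quoted above and SilentRage's registry export earlier in the thread name two persistence artifacts: the VideoDriver value under ...\CurrentVersion\Run, and the Code Store Database Distribution Unit whose CODEBASE points at a local mhtml:/file: URL rather than an http(s) download site. As an added example, not part of this thread or of any vendor tool, the script below triages a .reg export for both. The sample export is constructed from the values posted in the thread plus a made-up benign unit {22222222-...} with an http CODEBASE, so the benign case is exercised; the function names are the editor's.

```python
r"""Triage a Windows .reg export for the two persistence artifacts named in the
thread: an autostart value under ...\CurrentVersion\Run, and an Internet
Explorer Code Store Database Distribution Unit whose CODEBASE is a local
mhtml:/file: URL instead of an http(s) download location.
Added example; the sample export is constructed from the values in the thread
plus a made-up benign unit so the benign path is exercised too."""
import re
from urllib.parse import unquote

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
DU_RE = re.compile(
    r"\\Code Store Database\\Distribution Units\\(\{[0-9A-Fa-f-]+\})\\DownloadInformation$",
    re.IGNORECASE)
# "name"="value" with .reg escaping (\\ and \") inside the value
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text: str):
    """Return {key_path: {value_name: value}} for the REG_SZ values in a .reg
    export. Default values (@=...) and dword/hex values are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line:
            m = VALUE_RE.match(line)
            if m:
                name, value = m.groups()
                keys[current][name] = value.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def suspicious_codebase(codebase: str) -> bool:
    """A legitimate ActiveX download comes from http(s). A CODEBASE that is an
    mhtml:/file: URL, or uses the mhtml '!' separator to name a local part,
    was installed from something already on disk."""
    cb = unquote(codebase).lower()
    return cb.startswith(("mhtml:", "file:")) or "!file:" in cb


def triage(reg_text: str):
    """Return findings as tuples: ("autostart", key, name, command) for every
    Run/RunOnce value, which are few enough to review by hand, and
    ("local_codebase", clsid, codebase) for units installed from local URLs."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if RUN_KEY_RE.search(key):
            for name, command in values.items():
                findings.append(("autostart", key, name, command))
        m = DU_RE.search(key)
        if m and "CODEBASE" in values and suspicious_codebase(values["CODEBASE"]):
            findings.append(("local_codebase", m.group(1), values["CODEBASE"]))
    return findings


# Constructed sample export: the thread's values plus a benign unit with an http CODEBASE.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VideoDriver"="C:\\WINNT\\videodrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}\DownloadInformation]
"CODEBASE"="mhtml:file://C:\\Documents%20and%20Settings\\Dave\\Local%20Settings\\Temp\\message.html!File://foo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{22222222-2222-2222-2222-222222222222}\DownloadInformation]
"CODEBASE"="http://example.com/benign-control.cab"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Export the Run keys and HKLM\SOFTWARE\Microsoft\Code Store Database with regedit (or reg export) and feed the file in; every autostart entry is listed for review, and only Distribution Units installed from a local URL are flagged, which is the tell that an OBJECT tag was used to launch a file already dropped on disk rather than to download a control.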
#3258 - 08/22/03 11:34 AM Re: For 20 minutes I was owned by a lamer
Ntd Offline
Member

Registered: 01/21/03
Posts: 217
Loc: Melbourne, Victoria, Australia
How do you put an exe inside an HTML file?
