Wednesday, March 31, 2010

Links and trojans and zipsploits, oh my!

A bit of a housekeeping post here, where I am just going to provide some links for cool stuff I have seen recently and provide some updates on some things mentioned in other blog posts.

First of all... the trojan.  I'm still planning to write a malware detection and analysis style post using it as an example, but when I actually started writing the thing it started to grow out of all proportion to what I initially expected, and I have been far too busy (lazy) recently to do the thing justice and finish it properly.  But it's coming soon.

If you were waiting on me to tell you how to get rid of the trojan, put the commands I have provided below in a batch file (e.g. killtrojan.bat) and run it from an elevated command prompt until both of the following are true:
  • the adobeupdatemanager.exe, osa.exe and MPSvc.exe processes are dead (you should see 'ERROR: The process "x" not found.' in the output from taskkill, and the processes will have disappeared from Task Manager or tasklist), AND
  • the files referenced are gone (they are hidden system files by default, so set the appropriate view options in Windows Explorer, or check from the command line with "dir /a", which lists hidden and system files too).

You may need to run it a few times in quick succession, or run it in a never-ending loop (e.g. "for /L %a in (1,0,1) do killtrojan.bat" typed at the command prompt; a step of 0 makes the /L loop run forever, so hit CTRL-C once both conditions above are met).  The loop is needed because the processes restart each other pretty quickly, and you have to kill a process before you can delete its executable.  If you put that loop inside another batch file rather than typing it at the prompt, write "call killtrojan.bat" instead, otherwise control never returns to the loop.

The commands for the batch file:

REM Step 1: strip the system and hidden attributes so the files can be seen and deleted
attrib -S -H "C:\Program Files\Adobe\AdobeUpdateManager.exe"
attrib -S -H "C:\Program Files\Microsoft Office\Office11\OSA.exe"
attrib -S -H "C:\Program Files\Windows Defender\MPSvc.exe"

REM Step 2: kill all three in one call. /F forces termination; without it a
REM process that has no window may refuse to close and taskkill reports an error.
taskkill /F /IM adobeupdatemanager.exe /IM osa.exe /IM MPSvc.exe

REM Step 3: delete the executables. This fails while the process is still
REM running, which is why the kill comes first and the loop is needed.
del "C:\Program Files\Windows Defender\MPSvc.exe"
del "C:\Program Files\Adobe\AdobeUpdateManager.exe"
del "C:\Program Files\Microsoft Office\Office11\OSA.exe"

There are a few registry entries as well which you can track down and delete if you wish (it's not strictly necessary once the files are deleted, since the entries then point at nothing), but be careful of this if you are not familiar with the purpose of the registry keys in question.  Find the appropriate entries by searching for the process names in regedit (Edit > Find, with "Data" ticked so it matches the paths in the values), and delete as appropriate; the autostart keys such as HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the HKCU equivalent are the usual place to look first.  Google the entry or key name if you're not sure what it does before you delete, and export the key (File > Export) first so you can put it back if you get it wrong.
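As an added example (not part of the original post, and not something the author provides), here is the same kill-then-delete loop in PowerShell with the two exit conditions checked by the script instead of by eye, followed by a report-only search of the usual Run/RunOnce keys and the service list for references to the three executable names.  The file paths and process names are the ones listed above; the 60-second cap, the particular registry keys searched, and the choice to only report registry and service hits rather than delete them are my own.

```powershell
# Added example, not from the original post: automate the "kill, then delete,
# repeat until both are gone" loop described above, then report (but do not
# remove) autostart entries that reference the three executables.
# Run from an elevated PowerShell prompt.

# Paths and process names as listed in the post.
$files = @(
    'C:\Program Files\Adobe\AdobeUpdateManager.exe',
    'C:\Program Files\Microsoft Office\Office11\OSA.exe',
    'C:\Program Files\Windows Defender\MPSvc.exe'
)
# Get-Process / Stop-Process take image names without the .exe extension.
$procs = @('AdobeUpdateManager', 'OSA', 'MPSvc')

# Assumption: give up after 60 seconds rather than looping forever.
$deadline = (Get-Date).AddSeconds(60)
do {
    # 1. Kill first. The processes respawn each other, and Windows will not
    #    let you delete the image of a running process anyway.
    Get-Process -Name $procs -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue

    # 2. Delete. -Force lets Remove-Item delete hidden/system/read-only files,
    #    so the attrib -S -H step of the batch file is not needed here.
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        }
    }

    Start-Sleep -Milliseconds 200

    # 3. Exit condition: the same two checks the post tells you to do by hand.
    $running = @(Get-Process -Name $procs -ErrorAction SilentlyContinue).Count
    $onDisk  = @($files | Where-Object { Test-Path -LiteralPath $_ }).Count
} while (($running -gt 0 -or $onDisk -gt 0) -and ((Get-Date) -lt $deadline))

if ($running -eq 0 -and $onDisk -eq 0) {
    Write-Output 'Clean: no process running and no file left on disk.'
} else {
    Write-Output "Gave up: $running process(es) still running, $onDisk file(s) still on disk."
}

# 4. Report-only search for persistence. Assumption: the Run/RunOnce keys and
#    the service list are where to look first; the post only says to search
#    the registry for the process names. Nothing is deleted here.
$pattern = ($procs | ForEach-Object { "\\$_\.exe" }) -join '|'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if ("$($prop.Value)" -match $pattern) {
            Write-Output "Autostart value: $key\$($prop.Name) = $($prop.Value)"
        }
    }
}
# Services whose binary path points at one of the three names.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object { Write-Output "Service: $($_.Name) ($($_.State)) -> $($_.PathName)" }
```

The kill step must come before the delete step for the reason given in the post: a running executable cannot be deleted, and the surviving process will re-create whatever was removed.  The registry and service section is deliberately read-only; once you have confirmed what each hit is, remove it with regedit (after exporting the key) or sc delete as appropriate.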


You can also just nuke the machine from orbit to get rid of the trojan ;)

Second, a (non-trojaned this time) version of the vulnerable version of BigAnt server to use to reproduce my second exploit tutorial?  Lincoln tells me that this is such a beast.  I haven't tested it myself yet to confirm it's vulnerable, which is why I haven't linked it from the main tutorial myself yet, but if you're desperate to get going with that you can give that version a bash.  If it works for you let me know and I will update the tutorial with the link.

Thirdly, PDF exploiting with Didier Stevens!  Now malicious PDF documents are nothing new, but this method does not use an exploit, and instead makes use of inbuilt PDF functionality to run executable content from within a PDF.  Very cool.  Here and here.

Fourthly, if you read the Offensive Security Blog you may have seen the two part malicious zipfile exploit tutorial from Peter Van Eeckhoutte.  If not, it's posted here on his blog in one big document.  Very cool, and what's more it covers off on an exploit with a lot of bad characters, which is something I have been intending to do for a while in one of my own tutorials (so it saves me from having to write that myself - Excellent ;) )

Fifthly, this is an interesting looking site I found posted on the Internet Storm Center Diary.  Maybe a slightly more up-to-date replacement for sectools.org?

2 comments:

  1. I love your blog, been following it for a while. How come you haven't posted something new?

  2. Encode

    The three most recent entries posted each took a while to prepare, so I have been taking longer breaks between, plus I just started a new job which is taking a lot of my time ATM. Hopefully I will be able to get onto a more regular posting schedule in the near future...
