[OT] The Rant of a “Republic” Indian Hacker

For me, the very foundations of Hacker-dom is based on three very fundamental steps:
1. Grasp the fundamentals
2. Question everything
3. Question everything, without being a fanatic

As ironical (or rather illuminating, depending on the way you see) it may sound; as I start my very first step to understand the fundamentals of Indian constitution on the 59th Republic Day, I also start to learn to question it. It’s disturbing to learn that the borderline difference between pretending to be a democratic nation, and actually being one, has already depleted. What pains me more is that we “celebrate” the Republic day in the form of a “holiday”, without actually caring about being sovereign and republic.

I am starting to get fed up of getting used to all the abnormalities in the normal flow of life.

AdSense exploited by malware (Trojan.Qhost.WU)

1. Life & Code

By http://www.flickr.com/photos/13798876@N02/1466880287/

(The title of this section is taken from Johnny’s blog of the same name, Life and Code. Although my implementation of the phrase isn’t in terms with Johnny’s, yet I could resist using it. πŸ™‚ )

Life: Three days ago I found that there are some strange entries in my local Apache web server logs. Something like:
127.0.0.1 - - [18/Dec/2007:19:39:26 +0530] "GET /iview/msnnkhac001160x600Xdig1600000185msn/direct;wi.160;hi.600/01 HTTP/1.1" 404 352
127.0.0.1 - - [18/Dec/2007:19:42:19 +0530] "GET /pagead/show_ads.js HTTP/1.1" 404 320

Code: Bitdefender informs of a malware, termed as Trojan.Qhost.WU, is redirecting all the requests made to the Google’s ad server (page2.googlesyndication.com) by the victims browser to a rougue ad server.

2. Impact of the issue:

Reportedly, a big part of Google’s earnings comes from it’s Ad services. Thus this trojan is not only depriving Google of it’s earning’s, but also the publishers who work hard and hope to make some quick buck for their evening coffee.

3. The enigmatic “hosts” file:

You all know that every system connected directly to the internet is assigned a unique IP address. The domain name (viz. http://projectbee.org) is nothing but a unique name assigned to a unique IP (although more than one domain name can be mapped to an ip address, that is not our concern right now). This mapping is stored in DNS servers. Each time the browser tries to open up a site, a nearby DNS server is queried to find the ip address.
However, before all this, the DNS server of your local system, hosts file, is queried. (Don’t mistake me, this DNS server is just a metaphor πŸ™‚ ). The hosts file stores a domain name to ip address mapping for domains that don’t need a query to DNS server. e.g., localhost is mapped to 127.0.0.1, the loopback ip, i.e. the ip of local system.
On your windows 2000/NT onwards system, it’s located at %systemroot%\system32\drivers\etc\hosts and on your *nix systems at /etc/hosts. More info on location can be found here.

Now coming back to my problem; unable to find any satisfactory answer, I posted it on Slackers. (Giorgio) Maone, better known as author of the awesome NoScript plugin for Fx, immediately responded, and asked me to check my hosts file.
I had added a number of entries of ad serving sites to point to the local ip in my hosts file and forgotten. I did this to prevent ads from being loaded. Hence, each time any of these sites were called, the hosts file redirected the requests to my local server.
So pretty obviously, I was/am not infected.
“Why do you post the junk about your issue then?”, you ask.
“Because it was a strange coincidence, and because I can, honey :P”

4. How the exploit works?

It’s fairly simple, the malware modifies your hosts file and adds an entry for page2.googlesyndication.com to prevent DNS lookups and direct all the requests to the malicious server.

5. How do I protect myself?

1. Locate your hosts file and remove any entry for page2.googlesyndication.com. Alternately, you can even modify the entry to point to your local ip, in case you don’t wish to see those ads.
2. Let your Antivirus/AntiSpyware do it for you.

6. Conclusion

What! Dump M$ Windows for Linux. πŸ˜›
Seriously, “Linux ain’t easy to use” is a myth. Moreover, if you are into flashy looks, try compiz-beryl package. It IS Awesome… (and consumes amazingly less resources than…uh Vista.)

7. Bonus Tip

In case you wish to prevent your kids, partner, (or even parents) from visiting some sites; or do not wish to see those crappy ads from being loaded, you might consider editing your hosts file. For more information or even sample hosts files, use Yahoo! search.

IFrames – To be or not to be?

Update: Aah. It’s not that there couldn’t have been any better news :P, but today’s News is that Ma1 has agreed to provide feature to block frames through NoScript from the next version (1.1.7). NoScripts Rocks. πŸ™‚
Oh and Yes! Ma1 Rocks too …;)

I have been pretty busy since the last few weeks (and this trend is likely to continue for the coming weeks). Thus, my posts have been more of “news-flashes”. Apologies for that. I’ve now decided to blog about things/technologies I am working on. (Expect some write-ups on security scanners like w3af and code auditing tools like LAPSE.) However, I couldn’t stop myself from putting forward this debate on IFrames. First, let’s see what are the *evil* things that IFrames can do for… *cough*… you

CASE-I
A couple of days ago, Bank of India site was compromised. It was serving malwares to the visitors. This was done by “drive-by downloads“. The criminals were (invisible) IFRAMES.

CASE-II
I hope most of you are aware how dangerous Javascript can be. Of course, I am referring to XSS attacks. However, the recent research, notably from Jeremiah Grossman, RSnake and Gareth Hayes, showed another shockingly dark side of XSS with CSS (yes, Cascading Style Sheets πŸ™‚ ). The criminals here are IFrames, visited attribute, etc.

CASE-III
Gareth also gave a proof of concept on his blog to perform CSRF using CSS, even when Javascript is disabled. He (very wisely) used CSS to change the LOOK and FEEL of a Submit button to a link. Now, when a *smart* user is surfing the web with javascript disabled, he’d not worry about clicking a link, and may end up clicking on the *link* to submit the form.

CASE-IV
You decide… :).
I have anyways left some other known issues, I think.

Gareth has been preaching the evil nature of IFrames for quite some time now. Yesterday, he made a new entry titled “IFRAMES ARE EVIL” on his blog. He suggested using some attributes/tags to disable/enable iframes etc. Iframes have been on my mind for quite some time. I believe that Content Restriction, once introduced, can solve a number of issues. Till then, I believe, Maone’s NoScript can come to the rescue by proving optional feature to disable iframes. I know, this is definitely not a attractive suggestion, but who knew we’d have to browse with Javascript disabled!

Moreover, I thought it’d be a good opportunity to see what other researchers have to say about it. So, I posted it to the Slackers forum. I am watching keenly. πŸ™‚

Apache Headache: “no listening sockets available”

Update 1: I was unable to configure MySQL. Reason: It was installed in C:\(blah-blah) and , probably, do not have write rights in the directory. Installing it to D:\(bigBlah) solved the issue. Duh!

Update 2:Β I see a fairly good traffic coming here searching for the same problem. So, in case you are in a hurry, this is mostly a summary to inform you that in all probability, YOU HAVE SOME SERVICE RUNNING ON PORT 80. Check out using TCPView (if you are on windows). Hope that helps. πŸ™‚

I am currently working on an official XSS (Cross Site Scripting) presentation. I needed some screenshots of alert boxes and defaced site. So I installed Apache, configured it to work with PHP. (If you need help in installing and configuring MySQL, Apache and PHP, look here).

But this was day before yesterday. Yesterday, I needed to make a quick manipulation to the script, but… Apache won’t start. The error I was getting (using eventvwr) was:

>>> (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted. : make_sock: could not bind to address 0.0.0.0:80 .

It’s pretty apparent that some other jerk was sitting and listening at port 80. Yesterday, however, was too hectic to discover the rat. Today, I ran TCPView (thanks to Shruthi for suggesting) to discover that inetinfo.exe was the ra**al. TCPView is one of the nicest tools created by the guys at SysInternals, which was later acquired by Microsoft. Rats!

Anyways, the fun part was stopping the service. I couldn’t kill it. Neither using TCPView, nor Task Manager. It would again span back to life πŸ™‚

So, finally I opened services.msc to stop the IIS server and change the automatic start mode to manual mode. Heck! I should have disabled… or even better, deleted the scoundrel. πŸ˜€

So, if you have the same problem, you are in all probability in office right now and hence may not be aware what services are running. Use TCPView to discover all those unnecessary network services. It’s a great tool. Further, you might also want to switch some stupid services from automatic start mode to manual (or disable :P). Use Services.msc.

Java vulnerable to remote compromise

ZDNet Asia reports that Google Security team has discovered as “Dangerous Java Flaw that threaten’s Virtually Everything“. The interesting part of this news is that, apart from a few scary statements, it doesn’t inform you anything else.

The Sun advisory page on this flaw, however, informs you about two flaws which are nothing but Buffer Overflows. Do not mistake me that I am undermining the impact of Buffer Overflow Attacks in any way. It’s just the ZD Net article’s title which’s bugging me. It makes the flaw look like an out of world ET attack scenario.

  1. A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
  2. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

Now firstly, Buffer Overflows are no new form of attacks. They have been here since the existence of man (I admit that’s a little much :D), and they are here to stay. Thus, articles like this are more like FUD, IMHO.
Secondly, applet support is very limited in mobile devices. Not to mention that J2ME supports only PNG format. Thus, not “virtually everything” is everything.
Finally, image parsing library in Sun’s Java implementation is through a native library. It’s time that Sun writes a Java equivalent for it to avoid other similar issues. Further, since Java is now GPL, I also hope to see the code coming from some random, pimply, introvert teenage kid. πŸ™‚

The problems can be resolved by updating the packages. Detailed info provided on the Sun’s advisory.

TPM Boys withdraw paper from BlackHat USA

I hope you remember the young Indian security researchers Vipin Kumar (22) and Nitin Kumar (23), the TPM Boys [I guess, that’s the way they call themselves. At least their blog confirms that. πŸ™‚ ]They presented a Paper “Vboot Kit: Compromising Windows Vista Securityat Blackhat Europe – 2007.

The talk explained the (different) booting process of Windows Vista. It also introduced the concept of manipulating an OS during its boot process using VBootkit. Finally, they gave a live demo of VBootkit in action (on Vista).

This event was Slashdotted. VBootkit was also blogged by Bruce Schneier. Here is an interview of the “boys” at SecurityFocus by Federico Biancuzzi. In their own words, “Vbootkit is much like a door or a shortcut to access vista’s kernel……. since vbootkit becomes part of the kernel, it can do anything that Vista’s kernel can do.”

This all, however, is a news of past. The current news stirred more vigour and controversy. They had yet another paper “TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)” scheduled to be presented at Blackhat USA – 2007. They withdrew there paper last week without any comments. This news was Slashdotted and resulted in a (typical) slashdotian variety of comments. Some even doubted if they really had any success in their research. Well, you cannot really blame them. That’s the fussy nature of our FOSS communities… errr… wait. Before you bash me, I’d like to remind you that it’s not (only) me who says that. It was originally cited by Mark Shuttleworth. An amazing number of people opposed Mark by creating a lot of Fuss. πŸ˜‰

Coming back to the story. A user, by the handle PoliTech, commented on Slashdot and reminded the Michael Lynn’s paper at Blackhat about his research on Cisco Routers. Cisco and ISS sued Lynn and the management of Black Hat conference. It’s worth noting that Lynn was an ISS employee. πŸ™‚

It should be also be noted that Vipin and Nitin’s previous presentation was in Amsterdam, Europe. This presentation, however, was scheduled in US… and the (stupid) US laws can screw things up. Based on Lynn’s case, it is quite apparent that Vipin and Nitin didn’t wish to get caught in any such undesirable situation.

I hope to see them present the paper at some other conference (or location) pretty soon. Best of luck guys.

OffTopic: Coincidentally, my younger brother’s name is Nitin. πŸ™‚

Month of Search Engine Bugs: “Mission Accomplished”

The Month of Search Engine Bugs by MustLive has come to an end.

MutLive reports:

In the project took part 33 search engines (30 web engines and 3 local engines) of 19 vendors, some vendors have several engines. The list of project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine), MetaCrawler, Mamma, Google, Google Custom Search Engine (local engine), My Way, Lycos, Aport, Netscape Search, WebCrawler, Dogpile, AOL Search, My Search, My Web Search, LookSmart, DMOZ (Open Directory Project), InfoSpace, Euroseek, Kelkoo, Excite.

Altogether there were published 104 vulnerabilities in mentioned engines. Including Cross-Site Scripting (as XSS, and as HTML Injection), Full path disclosure, Content Spoofing and Information disclosure vulnerabilities. It is without taking into account redirectors in search engines (altogether there were published 23 redirectors).

Results of the projects: fixed 44 vulnerabilities from 104 (without taking into account redirectors). It is 42,31% fixed vulnerabilities. Owners of search engines have a place for improvements of their engines’ security.

Over a period of 30 days, 104 and vulnerabilities/bugs were discovered out of which only 44 have been fixed. Out of these 19 vendors, only two (Rambler and Ezilon) have thanked him for his commendable hardwork.

Several researchers, including Jeremiah, RSnake, Christ1an etc. blogged about it. Considering the complexities involved in the fixing a bug, they agree at some point that 44 is still a good number. However, there is one Big “Cheer” Leader which isn’t fixing the bugs. No points for guessing that the Leader believes in “not doing evil things”.

Rediffmail Bug. Anyone Interested?

The title may lure you to assume that I am going to talk about some security bug. Well, I am not… or I’d rather say I haven’t yet thought of any ways to exploit it. If you come up with something, do let us know.

Now back to the topic.
Almost all the huge players are now moving to the AJAX arena. They are in fact coming up with new technologies like Silverlight, Apollo, JavaFx. I am personally not a very big fan of AJAX, but then it doesn’t make any difference. I am, however, interested in these new athletes, particularly JavaFx.

One of the major concerns of any AJAX programmer, IMHO, should be to take care of a situation where the user DOES NOT HAVE or DOES NOT WISH to use Javascript. It should be a growing concern when we have plugins like NoScript (Oh! I Love it.) and we have reasons to use it. Apart from the security concerns, it blocks most of the stupid ads that I am not interested in.

Bottom line, there should be a minimal interface to fall back to (like the one GMail has). The rediffmail coders have done the same and provided a…. ummmm BackUpInterface thingy. However, they probably forgot that the *thingy* is there because the person’s browser DOES NOT SUPPORT Javascript.

My Story, My Words:
I used the NoScript plugin to forbid rediff.com domain, opened the site rediffmail.com, entered userid and password… and said… Khul Ja Sim Sim. πŸ™‚

Bingo I was in and was able to read my mails without any fuss. Then I decided to delete some mails… wait a sec! What the heck!
I am not able to.
Move mails??? Nopes.
Compose? Okay.
Send?? Sorry.
Save Draft? Sorry.
Cancel??? Sorry. πŸ™

I concluded that all that looks like a Button uses javascript. However, the links were, fortunately or unfortunately, working.
The Logout‘s like a link. So it’d obvoiusly work.
click.. click.. clickclickclick.
What the Heck!.
Logout operation calls some javascript function do_logout().

So basically, if I am an average internet user and do not have javascript, I’d log into my rediffmail account, read mails, try composing but won’t be able to send… and worse, I won’t be able to logout. Not understanding anything, I might close the browser window.
And what if I am at a cybercafe???

I am sure there is way to revive the session even if the browser window is closed (I remember reading of some similar old Yahoo! bug). If you’re interested, take on from here. πŸ™‚

Now for the other people. I would really like to know how many people actually have a rediff aaccount and actually use it .
I have one too… and I login in… say a month.
I am not at all blaming rediffmail service (Okay! A little :D), I am just interested in the figures.

Is Google Bomb REALLY Diffused?

I posted a very small article on Google Bombs; and quite co-incidentally few days later read that Google has started diffusing the bombs. Now “started diffusing…” makes sense when it has to be done manually, but aren’t we talking about terabytes and petabytes of data? We can never expect it to be done manually. Moreover, Google’s official announcement said the same. It also admitted that “…the impact of this new algorithm is very limited in scope and impact…”.

The phrase, however, seems to make some sense to me now, that I’ve discovered that some bombs are still lying around.
Try making a search for the word “BAD“.
Who do you see as the topper?
Quite interestingly, it was African Development Bank for me. Surprised?
I first thought that BAD might be the acronym for the bank’s name, as in case of NEHA, which is an acronym for National Environmental Health Association.
After a little playing around, I found that a few days ago, SEOmoz.org appealed to make Stephen Colbert as the Greatest Living American. And apparently, he has become the Greatest Living American πŸ™‚

Quite honestly, I am pretty happy that the algo is flawed.
An attempt to diffuse the bombs, in my opinion, was more public image oriented rather than result improvement oriented.

Footnote: May be BAD is not linked willingly (I firmly believe that it’s not), but then who said Google Bombs are all about linking willingly. May be they have some process which forms an acronym of the same name. But then how relevant is such and acronym if it doesn’t even appear on the home page?

Idle Nights: Devil’s Mind

I stay back in the office during night and return back at around 6-7 am, when everybody is coming :). These nights are supposed to be LONELY as I am the only one in the building (actually in all the four buildings combined), apart from the security guards and office boys, of course. However, I’ve found my companions, and ways to refresh myself. I’ll list some of them.

1. Online Web/Security Cameras: Some of you who know that Google provides an API for refining the search queries (with a capital “R”) also know that the giant’s database is like an ocean. And you never really know what’s inside an ocean unless and until you dive in it. As you dive deeper, your jaw drops in awe.
Long story cut short, I use the query to discover (a part of) all AXIS cameras online.
For curious lot, the query is: inurl:/view/view.shtml AXIS and sometimes intitle:”Live View / – AXIS” | inurl:view/view.sht
[As I am writing this, I wanted check the second query. So I chose one of the results and something spooky happened. Someone was already controlling the camera. hehe.
I was moving it right, he/she was moving it left. We fought for a while but then I closed the window. I am nice guy you see :D)

Okay let’s proceed.
So I have a bookmarked folder called “PastTime” on my browser, which has my favorite cameras bookmarked. My most fave are:
i) A coffee/wine shop camera, which is more lively during the night. Luckily, the camera is provided officially, so I can provide the link without any worries. Find the link to the camera here: buzzjunction_webcam

ii) A camera in the study room of a Polytechnic school of NewYork. It’s a small room with a coffee machine, a microwave oven (?), a printer, a sofa, a bookshelf, and an elliptical table with power connection for the laptops and notebooks.
And that’s the best part. People come here with there laptops, and sometimes I sit down looking at there screens, trying to figure out what they are doing. πŸ˜›
I have also become acquainted with some regular visitors.
A spectacled guy with a cap and a laptop. (He is leaving right now. No kidding. What a coincidence [jawdrop])
A black girl, who has the headphones exactly like mine.
Two Muslim girls, with one Dell XPS laptop (probably).
The bad part is, there are no visitors on sundays πŸ™
iii) A micro/nano lab camera of one of the world’s most famous universities. There’s nothing engaging about this, apart from the fact that the guys (or girls) roam around in spacesuit sort of dresses.
iv) A set of four surveillance cameras. Three of them pointing to car parking locations and one focussed inside some kind of room. I am still not able to get it yet. The only thing that makes me stick to it is the word “surveillance” πŸ˜€

There are couple of others focussed on traffic, colleges, hostels (I guess), lake, parks… but they are pretty boring and pictures are not really clear.
I’d like to try my hands on other cameras like linksys too. Let’s see when.

2. Google Again: Google queries can be real fun.
Have you ever come across a search result when Google tells you that the original number of results is pretty large, however, most of them are sort of repetitions hence they have been truncated.
Have a look at the following two pictures.

Β pic1.jpg
This one’s the normal result.


pic2.jpg
Here I ask Google NOT TO OMIT ANY RESULT.


You think that’s funny?
I leave it up to you to decide.

3. Slashdot, and blogs of others friends (and their friends) and some geeks like de Icauza etc. Initially I was a Digg addict, but then got completely fed up.
So guys, keep blogging. πŸ™‚

4. Movies and Documentaries: Net speed during the night is awesome (generally). So I don’t mind downloading them. Though I don’t get time to watch them.

5. Off late I’ve also found some vulnerabilities in the policies and network of my company. I try to keep the management informed.
After all it’s my company. I’d definitely not like any jerk to poke his nose in.

That’s it.
These five (along with the songs being played ALL the time) are currently more than enough to consume my free time (In fact more than JUST the free time).
But even after all this, it gets freaking lonely sometimes… not that I am complaining πŸ™‚

Amazing Interrupt Handling!

Q. Where do you think will you find an amazingly crafted code that would give priority to a Screensaver over a Keyboard/Mouse interrupt? No Kidding. Think.

Ans. If you guessed it to be an Operating System designed by the Redmond Giant, you are stupid. It’s not something to be guessed.
I just posted to let you know that I experienced this amazing feature when a (stupid) piece of Java code (along with Winrtgen, Cain’s Rainbow table generator) resulted in 100% of System process usage.
Lucky me πŸ™

A program called "3~" (Om)

I was returning back to my room at around 6:30 in the morning after spending the whole night, as usual, in office. Suddenly this though struck me.
I always talk about codes and related stuff and ask people to map their algorithms to real life while coding, especially in OOP languages.
I asked myself, what would it be like to describe myself as a code, a script… a program.
So I (climbed two my cabin, which is on the second floor) and here is my honest attempt. πŸ™‚

Om, unlike other programs, wasn’t really planned. There were no plans usually made back then in the early eighties; at least not in India. He was an additional functionality (a small script back then) of two programs, M & R.

However, since M & R were pretty solid codes in themselves, Om inherited most of the good features and was pretty healthy (I mean robust πŸ˜€ ) even as a tiny script.
So far so good. But it could never rely on conventional ways of compilation and execution. It was a rebel. Some people call such programs as “malfunctioning programs” :). Programs that do not do what they are meant to do.

Time passed on.
It received formal education that helped him access various code repositories to incorporate other functionalities. It gathered data about various modes and environment of operation. It also learnt efficient memory and execution-time management.
However, these all came at the price of dependencies on various libraries, viz., friends, relatives, emotions, money, etc.

Microsoft has some strange reason for assuming that all human beings use IE and are on a windows box. This assumption makes most of their products, even the web applications, dependent on these assumptions.

Dependencies are bad.
Bad were they for Om as well…

It gradually got frustrated (a human emotion).
It got frustrated at lots of things… at almost everything.
It got frustrated on the formal way of code development, the conventional way of execution, the hypocritical nature of the IDEs that are supposed to facilitate development, and lot more.

There’s an unwritten law, which says that all rebels become an outlaw sooner or later.
So did Om.
Most of the libraries on which it was dependent had grown up to be pretty matured libraries and the outlaw was no more supported.
Dependencies are bad…

…but some codes die hard.
Since most of the libraries on which Om was dependent were under GPL, it simply incorporated the required code snippets instead of referencing the libraries. This has made it a pretty complex and buggy code… but hey that’s why the saying goes:
There is code in my bug” πŸ™‚