Archive for May, 2006

Places that viruses and trojans hide on start up

Friday, May 26th, 2006

1. START-UP FOLDER. Windows opens every item in the Start Menu's Start Up folder. This folder is prominent in the Programs folder of the Start Menu.

Notice that I did not say that Windows "runs" every program that is represented in the Start Up folder. I said it "opens every item." There's an important difference.

Programs represented in the Start Up folder will run, of course. But you can have shortcuts in the Start Up folder that represent documents, not programs.

For example, if you put a Microsoft Word document in the Start Up folder, Word will run and automatically open that document at bootup; if you put a WAV file there, your audio software will play the music at bootup; and if you put a Web-page Favourite there, Internet Explorer (or your own choice of browser) will run and open that Web page for you when the computer starts up. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.)

2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.

3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.

4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.

5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)

7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will be run whenever any exe file is executed.

Other possibilities:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If these keys don't have the "\"%1\" %*" value as shown, and have been changed to something like "\"somefilename.exe %1\" %*", then they are automatically invoking the specified file.


8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.

9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

It also runs whatever is named on the shell= line of System.ini (c:\windows\system.ini):

[boot]
shell=explorer.exe C:\windows\filename

The file name following explorer.exe will start whenever Windows starts.

As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.

                         

11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)

12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.

13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.

14. C:\EXPLORER.EXE METHOD.

C:\Explorer.exe

Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.

If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes; the file simply has to be named c:\explorer.exe.

15. ADDITIONAL METHODS.

Additional autostart methods. The first two are used by Trojan SubSeven 2.2.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

ICQ Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]

This key specifies that all applications listed under it will be executed when ICQNET detects an Internet connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""

This key changes your file's specified extension.

A Guide to Becoming an Uebercracker

Friday, May 26th, 2006

A Guide to Becoming an Uebercracker
and Becoming an UeberAdmin to stop Uebercrackers.

Version: 1.1

This paper will be broken into two parts, one showing 15 easy steps to becoming a uebercracker and the next part showing how to become a ueberadmin and how to stop a uebercracker. A uebercracker is a term phrased by Dan Farmer to refer to some elite (cr/h)acker that is practically impossible to keep out of the networks.

Here are the steps to becoming a uebercracker.

Step 1. Relax and remain calm. Remember YOU are a Uebercracker.

Step 2. If you know a little Unix, you are way ahead of the crowd and can skip past step 3.

Step 3. You may want to buy a Unix manual or book to let you know what ls, cd, cat do.

Step 4. Read Usenet for the following groups: alt.irc, alt.security, comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background in uebercracker culture.

Step 5. Ask on alt.irc how to get and compile the latest IRC client and connect to IRC.

Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way there!)

Step 7. Now, sit on #hack and send messages to everyone in the channel saying "Hi, What's up?". Be obnoxious to anyone else that joins and asks questions like "Why can't I join #warez?"

Step 8. (Important Step) Send private messages to everyone asking for new bugs or holes. Here's a good pointer: look around your system for binary programs suid root (look in the Unix manual from step 3 if confused). After finding a suid root binary (i.e. su, chfn, syslog), tell people you have a new bug in that program and you wrote a script for it. If they ask how it works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask them to trade for their get-root scripts.

Step 9. Make them send you some scripts before you send some garbage file (i.e. a big core file). Tell them it is encrypted or it was messed up and you need to upload your script again.

Step 10. Spend a week grabbing all the scripts you can. (Don't forget to be obnoxious on #hack, otherwise people will look down on you and not give you anything.)

Step 11. Hopefully you will now have at least one or two scripts that get you root on most Unixes. Grab root on your local machines, read your admin's mail, or even other users' mail, even rm log files and whatever tempts you. (Look in the Unix manual from step 3 if confused.)

Step 12. A good test for true uebercrackerness is to be able to fake mail. Ask other uebercrackers how to fake mail (because they have had to pass the same test). Email your admin how "layme" he is and how you got root and how you erased his files, and have it appear to come from satan@evil.com.

Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag about your exploits on #hack to everyone. (Make up stuff. Remember, YOU are a uebercracker.)

Step 14. Wait a few months and have all your notes, etc. ready in your room for when the FBI, Secret Service, and other law enforcement agencies confiscate your equipment. Call eff.org to complain how you were innocent and how you accidentally got someone else's account and only looked because you were curious. (Whatever else may help, throw at them.)

Step 15. Now for the true final supreme eliteness of all uebercrackers, you go back to #hack and brag about how you were busted. YOU are finally a true Uebercracker.

Now the next part of the paper is top secret. Please only pass it to trusted administrators and friends and even some trusted mailing lists, Usenet groups, etc. (Make sure no one who is NOT in the inner circle of security gets this.)

This is broken down into How to Become an UeberAdmin (otherwise known as a security expert) and How to Stop Uebercrackers.

Step 1. Read the Unix manual (a good idea for admins).

Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. Install sendmail 8.6.4. You have probably stopped 60 percent of all Uebercrackers now. Rdist scripts are among the favorites for getting root by uebercrackers.

Step 3. Okay, maybe you want to actually secure your machine from the elite Uebercrackers who can break into any site on the Internet.

Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing packets. (This only applies to advanced admins who have control of the router, but this will stop 90% of all uebercrackers from attempting your site.)

Step 5. Apply all CERT and vendor patches to all of your machines. You have just now killed 95% of all uebercrackers.

Step 6. Run a good password cracker to find open accounts and close them. Run tripwire after making sure your binaries are untouched. Run tcp_wrapper to find out if a uebercracker is knocking on your machines. Run ISS to make sure that all your machines are reasonably secure as far as remote configuration goes (i.e. your NFS exports and anon FTP site).

Step 7. If you have done all of the above, you will have stopped 99% of all uebercrackers. Congrats! (Remember, You are the admin.)

Step 8. Now there is one percent of uebercrackers that have gained knowledge from reading some security expert's mail (probably gained access to his mail via NFS exports or the guest account. You know how it is: like the mechanic that always has a broken car, or the plumber that has the broken sink, the security expert usually has an open machine.)

Step 9. Here the hard part is to try to convince these security experts that they are not so above the average citizen and that by now giving out their unknown (except to the uebercrackers) security bugs, it would be a service to the Internet. They do not have to post it on Usenet, but share among many other trusted people, and hopefully fixes will come about and new pressure will be applied to vendors to come out with patches.

Step 10. If you have gained the confidence of enough security experts, you will now be looked up to as an elite security administrator that is able to stop most uebercrackers. The final true test for being a ueberadmin is to compile an IRC client, go onto #hack and log all the bragging and help catch the uebercrackers. If a uebercracker does get into your system, and he has used a new method you have never seen, you can probably tell your other security admins and get half of the replies like "That bug has been known for years, there just aren't any patches for it yet. Here's my fix." and the other half of the replies like "Wow. That is very impressive. You have just moved up a big notch in my security circle."

VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups mention anything about that security hole, flame him for discussing it, since it could bring down the Internet and all Uebercrackers will now have it, and the million other reasons to keep everything secret about security.

Well, this paper has shown the finer details of security on the Internet. It has shown both sides of the coin. Three points I would like to make that would probably clean up most of the security problems on the Internet are as follows:

1. Vendors need to make security a little higher than zero in priority. If most vendors shipped their Unixes already secure, with most known bugs that have been floating around since the Internet Worm (6 years ago) fixed and patched, then most uebercrackers would be stuck as new machines get added to the Internet. (I believe Uebercracker is German for "lame copy-cat that can get root with 3 year old bugs.") An interesting note is that if you check the mail alias for "security@vendor.com", you will probably find it points to /dev/null. Maybe with enough mail, it will overfill /dev/null. (Look in manual if confused.)

2. Security experts giving up the attitude that they are above the normal Internet user, and trying to give out information that could lead to pressure by other admins on vendors to come out with fixes and patches. Most security experts probably don't realize how far their information has already spread.

3. And probably one of the more important points is just following the steps I have outlined for Stopping a Uebercracker.

Perfect Match!

Friday, May 26th, 2006

For a long time it puzzled me how something so expensive, so leading edge, could be so useless, and then it occurred to me that a computer is a stupid machine with the ability to do incredibly smart things, while computer programmers are smart people with the ability to do incredibly stupid things. They are, in short, a perfect match.

IIEE 19b-g

Friday, May 26th, 2006


A programmer is a person who passes as an exacting expert on the basis
of being able to turn out, after innumerable punching, an infinite
series of incomprehensive answers calculated with micrometric
precisions from vague assumptions based on debatable figures taken from
inconclusive documents and carried out on instruments of problematical
accuracy by persons of dubious reliability and questionable mentality
for the avowed purpose of annoying and confounding a hopelessly
defenseless department that was unfortunate enough to ask for the
information in the first place.

Totally Automated! (cough cough…)

Friday, May 26th, 2006

Welcome to the totally‐automated, fully computerized world of the
twenty‐first century, where nothing can go wrong…go wrong…go wrong…

It’s time for Tech Community!!!!()*()*()*

Friday, May 26th, 2006

It's time for the tech community to realize that turning to the federal government for help in this area is simply not productive. It's like trying to teach a cow to configure BGP routers: You won't succeed, and you'll annoy the cow.

A freagin CODE! got it?

Friday, May 26th, 2006

There's at least one Celtic-related code story from Bletchley Park, though it's not a Gaelic or code-talker one. One of the intelligence honchos was referred to as C rather than by name (a practice later picked up by James Bond stories). One Scottish worker there didn't follow the practice, was chewed out for it, and replied along the lines: Well, Mr Menzies, if you don't want people to refer to you by your family name, you shouldn't be wearing a kilt in your family tartan…