Tuesday, February 17, 2009

Go away, we're not home

The other day a buddy and I were sitting around monitoring our TCP/IP traffic when all of a sudden we started receiving ACK packets from addresses we had not sent any data to at all. The interesting thing was, the packets only contained a packet header and 23 bytes of data. “Go away, we're not home” was the message we were sent. After taking the recipient of the packets off the web temporarily, I hopped a few gateways and ran a port scan on the computer that had sent us the packets. It was a normal Windows machine with all the typical ports open, 123, 139, and 445 if I remember correctly, but port 21 was also open. Looking into this further, it was apparent that port 21 was indeed open, but not for the File Transfer Protocol. Whenever any data was sent to the port, it closed the connection and sent the “Go away, we're not home” message. In fact, probing any port on the machine, even closed ports, produced this response.

Turning to the web for answers, we realized that these machines we had stumbled upon, 5 to be exact, were most likely part of the Storm botnet. After collecting a few more pieces of data, we decided to leave the machines alone.
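The defensive side of what the post describes is a detection rule: an ACK segment arriving from a peer we never sent a SYN to is suspicious on its own, and a fixed 23-byte payload on top of that is a usable signature. The following is an added example, not code from the post; the packet records are constructed by hand (no capture library), with the addresses drawn from documentation ranges, and the four-tuple bookkeeping is a simplification of real connection tracking.

```python
"""Flag unsolicited TCP ACKs and check them against the reply string the post reports.

Added example with constructed packet records; the post itself only describes
the observation, not any tooling.
"""
from collections import namedtuple

# The reply string quoted in the post; encoded it is exactly the 23 bytes the post counted.
SIGNATURE = b"Go away, we're not home"

# Minimal packet record: IPs, ports, TCP flags as letters (S, A, ...), and payload bytes.
Packet = namedtuple("Packet", "src dst sport dport flags payload")


def opened_connections(packets, our_hosts):
    """Return the set of (peer_ip, peer_port, our_ip, our_port) tuples for
    connections one of our hosts initiated, i.e. where we sent a bare SYN."""
    return {
        (p.dst, p.dport, p.src, p.sport)
        for p in packets
        if p.src in our_hosts and "S" in p.flags and "A" not in p.flags
    }


def unsolicited_acks(packets, our_hosts):
    """Inbound pure ACKs whose four-tuple matches no connection we opened."""
    known = opened_connections(packets, our_hosts)
    return [
        p
        for p in packets
        if p.dst in our_hosts
        and "A" in p.flags
        and "S" not in p.flags
        and (p.src, p.sport, p.dst, p.dport) not in known
    ]


def classify(packets, our_hosts):
    """Map each source of unsolicited ACKs to a verdict.

    'signature-match' if the peer sent the 23-byte string from the post,
    otherwise 'unsolicited-ack' (still worth a look: backscatter, ACK scans,
    or a stale connection, but not the pattern the post describes)."""
    verdict = {}
    for p in unsolicited_acks(packets, our_hosts):
        if p.payload == SIGNATURE:
            verdict[p.src] = "signature-match"
        else:
            verdict.setdefault(p.src, "unsolicited-ack")
    return verdict


# Constructed sample traffic (not a real capture). 192.0.2.10 is "our" host.
OUR_HOSTS = {"192.0.2.10"}
SAMPLE = [
    # A web connection we opened ourselves: SYN, SYN/ACK, then data on the ACK.
    Packet("192.0.2.10", "198.51.100.5", 51000, 80, "S", b""),
    Packet("198.51.100.5", "192.0.2.10", 80, 51000, "SA", b""),
    Packet("198.51.100.5", "192.0.2.10", 80, 51000, "A", b"HTTP/1.1 200 OK"),
    # A peer we never contacted, sending the post's reply string on an ACK.
    Packet("203.0.113.7", "192.0.2.10", 21, 40000, "A", SIGNATURE),
    # Another unexpected ACK, but with an unrelated payload.
    Packet("203.0.113.8", "192.0.2.10", 445, 40001, "A", b"\x00\x00"),
]

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE, OUR_HOSTS).items()):
        print(f"{src:15} {verdict}")
```

Run over the sample, the legitimate web server is ignored because its four-tuple matches a SYN we sent, while both unexpected peers are reported and only the one carrying the 23-byte string is tagged as matching the post's signature. In practice the four-tuple set would be fed from a flow log or connection tracker rather than from the same packet list.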

Today I was reading a little more about the botnet on the web when I came across a webpage on which Microsoft takes credit for dismantling the Storm botnet. First of all, the Storm botnet is hardly dismantled. Second, it's Microsoft's fault the botnet got as large as it did in the first place. Even if they did reduce it in number, that's nothing to brag about. Their product is hosting something with enough power to mess up the Internet across the globe. It's not the time for bragging.

Proprietary software makes me ill.

Monday, February 9, 2009

Removing Ads from Free Web Hosting

About an hour ago, I decided that I wanted to build a website in addition to this blog. I quickly scoured Google for free web hosts, and found only a few that offered "no ads", but they all had some sort of catch or queue. Being impatient, I reluctantly chose a site that offered free web hosting but put its own Google AdSense ads on your page. I wouldn't have minded, but I wasn't given control over the ads' placement or color scheme, and they really looked hideous. I realized I would have to figure out a way to remedy the situation myself.

After uploading a sample webpage, I navigated to it and viewed its source. After re-uploading a few slightly modified versions of that page, I noticed that the hosting service was appending the code for all of its ads right after the first <body> tag. I experimented with comments, trying things like <body <!--, but whenever I placed the last > the ad code would escape the comment.

I decided to bend the rules of HTML. To solve the problem I made the first tag <body <!-- and then put another <body> after it. The ad code inserted by the host ended the comment, and my second body tag worked perfectly. Voilà, no ads. Mark one loss for HTML parsers. Mark one win for me.

Sunday, February 8, 2009

Hacking using GRUB Bootloader

The GRUB bootloader is used to select an operating system to boot at startup on most GNU/Linux machines and on machines that dual-boot. GRUB works by loading the operating system you want and passing it the boot parameters required for the different boot options. However, the freedom to choose such parameters grants the user a little too much freedom. Most operating systems come with a safe or single-user mode that gives the user administrative access on the local machine in order to fix it. Since this mode does not prompt for authentication, a user given access to the GRUB bootloader could very simply boot into this mode and have complete control over the machine.

For example, root access on a Unix machine with GRUB can be as simple as restarting the machine, waiting for the GRUB bootloader to run, highlighting the operating system to boot and pressing 'e' to edit the bootloader settings for that entry. Administrative access is granted on Unix machines in single-user mode, or run level 1. This mode can be reached by adding the word 'single' to the end of the kernel line. After booting to single-user mode, an attacker can drop to a root terminal and create a new user with administrative access or install another backdoor. System compromised.
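The mitigation for the scenario above is to make the bootloader itself require authentication before entries can be edited or the recovery entry booted. The fragment below is an added example, not from the post, and targets GRUB legacy's menu.lst, which is the version the post's 'e' key and kernel-line description match; the device, kernel path and hash are placeholders, and the hash would be produced with grub-md5-crypt.

```conf
# /boot/grub/menu.lst (GRUB legacy). Added example; paths and hash are placeholders.
# The global password disables interactive editing ('e') and the command
# line ('c') until the user presses 'p' and authenticates.
password --md5 $1$PLACEHOLDER$PLACEHOLDERHASH

title   GNU/Linux
root    (hd0,0)
kernel  /boot/vmlinuz root=/dev/sda1 ro quiet
initrd  /boot/initrd.img

# 'lock' makes this entry itself require the password, so the entry that
# already carries 'single' cannot be booted without authenticating.
title   GNU/Linux (recovery mode)
lock
root    (hd0,0)
kernel  /boot/vmlinuz root=/dev/sda1 ro single
initrd  /boot/initrd.img
```

On GRUB 2 the equivalent is `set superusers="admin"` plus a `password_pbkdf2 admin <hash>` line (hash from grub-mkpasswd-pbkdf2) in a file under /etc/grub.d, followed by regenerating grub.cfg. Two caveats: whether run level 1 actually prompts for a root password depends on whether the distribution runs sulogin there, so the bootloader password is a second layer rather than a substitute; and none of this helps against someone who can boot other media or remove the disk, which is what the BIOS boot-order settings and full-disk encryption are for.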

When Security goes Bad

Whenever any hacker comes in contact with any form of security, his first thought is always, “How could someone bypass this?” This is the question that has been fueling the world of software security for decades. After all, security is a good thing; security keeps us and our information safe. But what happens when something is too secure? This is not a typical question to ask oneself, especially in a world where the only way to completely secure your computer from malware is to unplug it from the wall. However, when something is too secure, the effects can be as devastating as insecurity.

My older laptop is a Toshiba Satellite M105 with a Phoenix Trusted Core BIOS. One day, as part of an experiment, I set a BIOS password on the computer. A week passed before I returned to this particular project, and I could no longer remember the BIOS password. I thought it was no big deal, and looked up the Phoenix backdoor passwords, which included BIOS, CMOS, phoenix, and PHOENIX. After trying the first three, my computer shut off, and after the last I was still locked out. An hour later I had disassembled my laptop and taken a soldering iron to the BIOS battery. A few hours later I hoped the BIOS would have forgotten the password. I got a bad checksum error, but when I tried to continue I was again prompted for the password. I understand the backdoor passwords not existing, because that's just stupid, but there is no way for me to recover this password short of reprogramming part of the BIOS and replacing a chip. There is a plausible possibility that I might not get to use that computer ever again. $700 down the drain to good security.