2013-06-23

A UNIX System! I know this!

I warned you all. I was going to do it.

When I was a kid who actually knew and used UNIX (AT&T and AIX at the time), I knew in my heart of hearts that there was no video-game-like flying graphical file manager for UNIX. A lot of us made fun of the computer scenes in Jurassic Park. Well, I was wrong. All of us were. Here's the 20+ year-old Fusion (fsn) file manager running on a 20-year-old computer.


2013-06-21

Olde-school DES Cracking

I like old computers. I like playing with different operating systems, including old ones. A year and a half ago, give or take, I received an SGI Indy from someone who was cleaning out the shed. This was a low-end machine from SGI, but a relatively high-end workstation by most standards of the era, meant for people doing 3D design and CAD work. This one was made in 1996, about a year before the product line was discontinued.


I've never used IRIX (Silicon Graphics' implementation of UNIX) before, but when the machine booted, I was presented with a graphical account chooser, not too different from what you might see on a modern computer (except lacking 20 years of graphical finesse). Of course, the first account I try to get into is root, because I would like to actually get this machine on the network. I cannot. I try a few other accounts until I come across one without a password. Then I checked out /etc/passwd and found that the hashes weren't even shadowed. You can see several accounts don't have passwords at all.
Password hashes like these are traditional salted DES password hashes. I haven't actually cracked DES passwords since 1996 or so. By the time I got my first job in information security (early 2000), password shadowing was common practice, and better hashing algorithms were in place.

I had a Kali Linux VM running on my laptop already, so I scribbled the password hash on a piece of paper, then re-constructed a fake password file from this one line and set John The Ripper loose on it.

In the meantime, I tried some tricks from the console to get the machine to boot up in single user mode, but I was faced with quite a bit of adversity. Official single user mode required the root password, and attempts to bypass the root password (like calling a shell for init) didn't work.

Trying to load a shell as a kernel, obviously, wouldn't work, but it didn't stop me from trying, thus causing a panic and crash.

A short while later, I heard a noise on my laptop, and saw this:
That password worked just fine, and I was on my merry way.

Humorously, a few folks also tried cracking the same password on their equipment. One ended up finding it in under 2 minutes with 4 threads on an i5-2400 desktop; Fritz smashed it in a mere 13 seconds on a 32-core VM. I should probably see how fast JTR would get it on the laptop natively, with 4 threads outside a VM, but I'm not going to bother with that.

Now I just need to get Fusion installed on this IRIX box so I can reproduce the cheesy scene from Jurassic Park.

2013-06-18

Decoding VBScript Malware-infected HTML files

I have been running across malware like this lately. It appears to be a local infection that appends some VBScript to HTML files on the webmaster's computer, spreading to the Internet when the files are uploaded. Alternatively, it could be an infection on a Windows IIS server.


At any rate, WriteData is a hex string that goes on and on for a good couple of screen lengths, followed by some more VBScript to open a file handle, write binary data to it, then execute the dropped binary.

Since it appears this HTML file has been infected multiple times, I use uniq to get only one copy of the WriteData line. I split it with cut based on the double quotes to get only the hexadecimal part. I decided to try xxd, which can create or reverse hex dumps, to decode it. I save xxd's output to svchost.exe (which is what the VBScript would have called it).

Finally, I use file to determine what kind of file svchost.exe is, presuming it'll be a Windows executable file.
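As an added example that is not part of the original post, here is the same uniq/cut/xxd/file pipeline as a small Python triage script. The HTML fragment and the hex payload are constructed: the hex is only a 16-byte stand-in carrying an MZ header, not the real dropper, and the output stays in memory rather than being written to svchost.exe.

```python
import hashlib
import re

# Constructed sample: an HTML page "infected" twice with the same VBScript stub.
# The hex is a made-up stand-in beginning with the DOS "MZ" signature; it is not
# a real executable and is far shorter than the multi-screen payload the post describes.
SAMPLE_HTML = """<html><body><p>hello</p>
<script language="VBScript">
WriteData = "4D5A90000300000004000000FFFF0000"
</script>
<script language="VBScript">
WriteData = "4D5A90000300000004000000FFFF0000"
</script>
</body></html>
"""

# Matches the VBScript assignment and captures only what sat between the quotes
# (the 'cut' step in the post).
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]+)"')


def extract_writedata(html):
    """Return each distinct WriteData hex string once, in first-seen order.
    Unlike uniq, this also collapses duplicates that are not adjacent."""
    seen = []
    for match in WRITEDATA_RE.finditer(html):
        hexstr = match.group(1)
        if hexstr not in seen:
            seen.append(hexstr)
    return seen


def decode_hex(hexstr):
    """The 'xxd -r -p' step. An odd length means the line was cut off when
    copied, so refuse rather than silently dropping a nibble."""
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string; WriteData line looks truncated")
    return bytes.fromhex(hexstr)


def classify(blob):
    """A minimal stand-in for the 'file' check: look for the MZ signature."""
    return "MS-DOS/PE executable (MZ header)" if blob[:2] == b"MZ" else "unknown"


def triage(html):
    """Decode every distinct payload and report size, type and SHA-256
    (the hash is what you would look up on VirusTotal instead of uploading)."""
    results = []
    for hexstr in extract_writedata(html):
        blob = decode_hex(hexstr)
        results.append({"size": len(blob), "type": classify(blob),
                        "sha256": hashlib.sha256(blob).hexdigest()})
    return results
```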

No surprises there. I uploaded it to VirusTotal, and it looks like we have a ZBot (ZeuS) on our hands.