Friday, November 30, 2007

Advanced malware analysis and forensics using virtualization and free tools

Here are a few quick steps for performing malware analysis on various badware (viruses, works, trojans, rootkits) that you may find in the course of a computer forensics investigation. In this case, I'm analyzing a variant of Sohanad, a Instant Messaging Worm, also known as "the cool pics worm".

Tools of the trade:

Initial configuration of the workbench:

We're going to setup VirtualBox (or any other virtualization product) with a copy of Windows XP SP2, update it and take a snapshot so we can easily move back to a clean system.

  • Use VirtualBox to install WindowsXP SP2 in a Virtual Machine.

  • Take a snapshot of the Virtual Machine - Initial Install.

  • Install VirtualBox Guest Additions

  • Install Microsoft Update and update the system.
  • Create an ISO image of your tools, and mount it inside the Virtual Machine.
  • Take another snapshot of the Virtual machine - Updated and configured.
  • Add your tools to PATH to speed things UP.

Analyze the malware:

  • Use Process Explorer, Sysinternals Autoruns, RootKitRevealer, HiJackThis and so on to find running processes and targets for analysis, then put them in the virtual machine "sandbox". Also, make sure you check the Digital Signature for files you may suspect of being malware (Right Click - Properties - Digital Signatures). A good way of revealing malware is looking for suspicious entries in Sysinternals Autoruns (just hide signed Microsoft Entries, then look for Unsigned or Fake signature entries). Remember though, malware can also be digitally self-signed.
  • The Target: "New Folder.exe" - self described as "Worm2007" by "IT University".
  • Determine file type using "magic": file "New Folder.exe", PeID and File Analyzer to get headers info.
  • Use "strings" to parse the file for Unicode and ASCII strings: strings -n 8 "New Folder.exe"
  • Use "head " to see the first few lines of the file: head -5 "New Folder.exe" - We can already see this file is packed using UPX. upx -l "New Folder.exe" confirms this.

  • Uncompress the file: upx -d "New Folder.exe"

  • Parse the file again with "file" and "strings" - this time we can see a lot more information.

  • Use PE Explorer and "File Analyzer" to get even more information about PE Headers, dependencies and so on.

  • Fire up OllyDbg, IDA Pro Freeware, Immunity Debugger, WinDBG or your favourite debugger / disassembler and analyze the file.

  • Start Sysinternals ProcExp (Process Explorer - taskman on steroids), ProcMon (filemon and regmon combined), handle (check file handles) and TCPView and Wireshark (aka Ethereal) or MS Network Monitor, and run the piece of malware! We're going to see exactly what files and registry items it tries to change, what network connections it opens and what kind of network traffic it generates. We can also use "netstat -abn" to list network connections. We can later just restore the VirtualBox snapshot to get back to an untainted system.

  • We restart the machine to allow the malware to apply it's group policies and registry changes / autoruns properly :-). We can see the effect of the applied group policies (disables regedit and taskman, but forgets about gpedit.msc and tasklist for example).

  • We use Sysinternals Autoruns, RootKit Revealer and HiJack this to see how this piece of malware starts. With Sysinternals Autoruns we simply hide signed microsoft entries, and we can see 3rd party products, such as our piece of badware, hiding in lsass or svchost or ymessenger named entries.

  • We use HiJack This to list changes to our system like disabling regedit, starting a really strange "svchost32.exe" that shouldn't be there and making the IE default webpage "thec**" -> don't access it, it's the Malware's homepage…
O4 - HKLM\..\Run: [Task Manager] C:\WINDOWS\svchost32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

To remove the malware, you just need to reverse all the chances it has performed to the registry and filesystem. Once you've written down the location of the files from ProcMon and the running binaries from ProcExp, you can start by stopping the virus:

You can stop the Virus processes easily with Process Explorer, or you could just use "taskkill":
taskkill /F /IM svchost32.exe /T
You could also disable it from running at startup by removing it using Sysinternals Autoruns.

Once you've identified all the processes and what executables they were running from, just use WinDiff, EasyDuplicateFinder or something similar to find all identical binaries, and remove them.

You can the use "Fixed Checked" in HiJack this, and "reg add" or "reg delete", a .reg file or gpedit.msc to manually enable the Registry Editor or other disabled features in Windows. You could also use an offline Registry Editor. Example:
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /v "DisableTaskMgr"
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools"
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools"
reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Window Title" /d ""
reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""
To restore the missing files the malware removed (like msconfig.exe) just pop in the Windows cd, and use "expand" to uncompress and restore them: EXPAND -R D:\I386\MSCONFIG.EX_ c:\Windows\System32. Windows may also keep some copies of msconfig.exe around, but they may or may not be safe. Check the digital signature.

Building FTimes on Windows using Visual Studio

FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

On systems like FreeBSD you can use ports to build FTimes, but on Windows you'll need to build it yourself.

Building FTimes on Windows is quite a complex tasks, and requires building OpenSSL and PCRE first (if you want SSL / PCRE / XMagic support). Make sure you read the INSTALL file in the FTimes distribution. You'll need the following tools:

Step 1: Build OpenSSL libraries:

  1. Unzip the source code (to say c:\build\openssl)
  2. Fire up CMD Shell (SetEnv.cmd from VisualStudio) and change to that dir (cd c:\build\openssl)
  3. perl Configure VC-WIN32
  4. MS\do_ms
  5. Edit ms\nt.mak and change /MD to /MT
  6. nmake -f ms\nt.mak (to build a static version - creates the *.lib files)
  7. Copy libeay32.lib and ssleay32.lib to C:\openssl\lib

Step 2: Build FTimes:

  1. nmake -f Makefile.vs USE_PCRE=N
  2. nmake -f Makefile.vs test
  3. nmake -f Makefile.vs install INSTALL_DIR="C:\Program Files\FTimes"
  4. Use ftimes: C:\Program Files\FTimes\bin\ftimes.exe

C:\Program Files\FTimes\bin>ftimes

Usage: ftimes --cfgtest file mode [-s]
ftimes --compare mask baseline snapshot [-l level]
ftimes --decoder snapshot [-l level]
ftimes --digauto file [-l level] [list]
ftimes --digfull file [-l level] [list]
ftimes --diglean file [-l level] [list]
ftimes --getmode file [-l level]
ftimes --mapauto mask [-l level] [list]
ftimes --mapfull file [-l level] [list]
ftimes --maplean file [-l level] [list]
ftimes --version

C:\Program Files\FTimes\bin>ftimes --version
ftimes 3.8.0 ssl 32-bit

Thursday, November 29, 2007

Solaris will soon run on IBM zSeries Mainframes

IBM and Sun Microsystems have been working for the past 18 months on porting OpenSolaris to IBM System Z (currently running z/OS) mainframes.

Malware and rootkit detection with Strider, RootKitRevealer and Rootkit Hunter

Removing nasty rootkits or spyware protected by "Hacker defender" and friends:

Strider GhostBuster detects API-hiding rootkits by doing a "cross-view diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism.

It is similar to Mark Russinovich's RootkitRevealer from Sysinternals. Another interesting tool is Sophos Anti-Rootkit.

Also worth taking a look at LiveKd - run Kd and WinDBG kernel debuggers on a live system.

For a Linux/BSD/UNIX tool, take a look at Rootkit Hunter.

Tuesday, November 27, 2007

Computer Randomly Plays Classical Music

"Your computer may play "Fur Elise" or "It's a Small, Small World" seemingly at random. This is an indication sent to the PC speaker from the computer's BIOS that the CPU fan is failing or has failed, or that the power supply voltages have drifted out of tolerance. This is a design feature of a detection circuit and system BIOSes developed by Award/Unicore from 1997 on." - Microsoft Support

Cracking Cisco type 7 and type 5 PIX passwords with Cain and Abel

Number one reason you shouldn't paste your Cisco configs or password hashes on the Internet:

Cisco's PIX password encryption is a base64 encoded MD5 hashsum, using only one MD5 update (no salting or anything). This also permits for cryptanalysis attacks using rainbow tables to speed up the process.

Simple hashes like:

enable password RLPMUQ26KL4blgFN encrypted

Get cracked instantly. -> 1234

Also, note that MD5 has know weaknesses in the algorithm, that may allow for more complex password cracking attacks.

Also, if you're using a "type 7" password, that's pretty much useless, since it can get cracked instantly. People can just use simple tools such as Cain and Abel, or Solarwinds Router Password Decryption to reverse the crypto on type 7 passwords.

someuser privilege 0 password 7 06351A3149085123301517391C501918

IOS type 5 passwords (MD5 using 1000 rounds) is more complex, and harder to crack, but yous still shouldn't paste your hashes for everyone to see... Remember, even with type 5 passwords, you're still vulnerable to dictionary attacks, hybrid attacks, rainbow table attacks (PIX only), md5 repository attacks, or plain old password guessing.

If you're going to paste your config files anywhere, use the "show tech-support" command available in newer IOS versions. It gives more info, and strips confidential information, password hashes and such.

You can even use - a neat little Perl script to instantly decrypt type 7 passwords:

#!/usr/bin/perl -w
# $Id:,v 1.1 1998/01/11 21:31:12 mesrik Exp $
# Credits for orginal code and description,
# SPHiXe, .mudge et al. and for John Bashinski
# for Cisco IOS password encryption facts.
# Use for any malice or illegal purposes strictly prohibited!

@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 );


while (<>) {
if (/(password|md5)\s+7\s+([\da-f]+)/io) {
if (!(length($2) & 1)) {
$ep = $2; $dp = "";
($s, $e) = ($2 =~ /^(..)(.+)/o);
for ($i = 0; $i < length($e); $i+=2) {
$dp .= sprintf "%c",hex(substr($e,$i,2))^$xlat[$s++];

Monday, November 26, 2007

Covert Channels: NTFS Alternate Data Streams

Alternate Data Streams (ADS) are a NTFS feature introduced in the Windows NT Operating System to provide compatibility with Macintosh Hierarchical File System (HFS) - that uses both data forks and resource forks to store content. Data forks are used for storing the document content, while the resource fork is used to identify the file type and store application metadata (icons, fonts, etc), hardlinks, encryption.

Alternate Data Streams provide additional descriptions for files or folder such as author, thumbnail preview, keywords and such, and can be used to attach an independent named data streams to a file or folder stored on a NTFS filesystem.

ADS are very poorly documented, and Windows comes with no default tools to spot such streams (previous to Vista/2008 "dir /r"), hence their popularity as a covert channel.

Using a NTFS Alternate Data Stream using pipes and "more":

c:\streams>copy con foo.txt
This is the data stream.
1 file(s) copied.

c:\streams>type foo.txt
This is the data stream.

c:\streams>echo "This is the Alternate Data Stream" > foo.txt:bar.txt

c:\streams>type foo.txt
This is the data stream.

Only a handfull of applications are ADS aware. "TYPE" is not, as we can see:

c:\streams>type foo.txt:bar.txt
The filename, directory name, or volume label syntax is incorrect.

But more is ADS aware:

more < style="font-weight: bold;">covert channel.

11/26/2007 10:36 AM 0 baz.txt
11/26/2007 10:21 AM 26 foo.txt

c:\streams>type c:\Windows\winhelp.exe > baz.txt:winhelp.exe

11/26/2007 10:48 AM 0 baz.txt
11/26/2007 10:21 AM 26 foo.txt
2 File(s) 26 bytes
2 Dir(s) 5,525,233,664 bytes free

So, how do we spot such covert channels? We can use the systernals "streams" command. Using the -s flag, it will recurse through subdirectories and identify Alternate Data Streams (we can also use -d to delete them). Since Windows doesn't come by default with ANY tool to identify such ADS, and this NTFS feature is very poorly documented, it's hard to spot them without actually knowing they're there.

c:\streams>streams -s c:\streams

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals -

:winhelp.exe:$DATA 256192
:bar.txt:$DATA 38

In some versions of windows, we can also execute an alternate data stream executable using the "start" command, and the executable will show up in the tasklist / taskmanager as the regular stream. That way, malware can hide in regular Windows programs such as notepad.exe

In Windows Vista Microsoft has added the "/r" flag to "dir" so we can easily spot ADS:

c:\streams>dir /r
11/26/2007 10:48 AM 0 baz.txt
256,192 baz.txt:winhelp.exe:$DATA
11/26/2007 10:21 AM 26 foo.txt
38 foo.txt:bar.txt:$DATA

We can also create and use ADS in our applications, using such code:

hStream = CreateFile( "datafile:alternatestream", GENERIC_WRITE, FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, 0,NULL );

Here's something fun: Using an alternate data stream with a folder (say the C:\Windows directory to write our "memories" ):

Note: Other filesystems such as Apple HFS, Solaris UFS (extended attributes), Solaris ZFS, Veritas VxFS and Novell NWFS also support filesystem forks, that pose a risk to the system (tools may not always be aware of forks, backup applictions can ignore them and data loss may occur and, of course, they can be used as covert channels).

Note: MOW (ThePowerShellGuy) has a great article on accessing Alternate Data Streams from PowerShell:

PowerShell : Accessing alternative data-streams of files on an NTFS volume

Friday, November 23, 2007

Exploiting md5 and other hashing functions collisions for fun and profit

The crytographic hash function MD5 has been broken. In March 2005, Xiaoyun Wang and Hongbo Yu of Shandong University in China published an article in which they describe an algorithm that can find two different sequences of 128 bytes with the same MD5 hash.

More links can also be found on Wikipedia's MD5 page.

SHA-0 has also been broken and The security of SHA-1 has been somewhat compromised by cryptography researchers. Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force. There was also an attack reported in RIPEMD.

Practical applications of md5 collisions:

  • Magnus Daum and Stefan Lucks have created two PostScript files with identical MD5 hash, of which one is a letter of recommendation, and the other is a security clearance.
  • Eduardo Diaz has described a scheme by which two programs could be packed into two archives with identical MD5 hash. A special "extractor" program turn one archive into a "good" program and the other into an "evil" one.
  • Here's a pair of valid X.509 certificates that have identical signatures. The hash function used is MD5.
  • Here's a paper demonstrating a technique for finding MD5 collisions quickly: eight hours on 1.6 GHz computer.
  • Hashclash - Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5
  • The Status of MD5 after a recent attack (1996 whitepaper)
The following is an improvement of Diaz's example, which does not need a special extractor. Here are two pairs of executable programs (one pair runs on Windows, one pair on Linux).
  • Windows version:
    • hello.exe. MD5 Sum: cdc47d670159eef60916ca03a9d4a007
    • erase.exe. MD5 Sum: cdc47d670159eef60916ca03a9d4a007
  • Linux version (i386):
    • hello. MD5 Sum: da5c61e1edc0f18337e46418e48c1290
    • erase. MD5 Sum: da5c61e1edc0f18337e46418e48c1290

What does this mean? You should use at least 2 hashing algorithms (RIPEMD-160, Tiger, WHIRLPOOL, SHA-256, SHA-512), as the chances of finding the same collisions in more than 1 hashing algorithm are practically 0.

Thursday, November 22, 2007

100th post - feedback on improving content

This started off as a place for my notes, screenshots and specific tutorials for friends, but over 4 months of so, I've managed to get 100 posts (and a couple more drafts) on various technical computing subjects I stumble upon in my daily activities, or just cool stuff I like to promote. Problem is, I don't really get that many visitors - 69 average daily visitors (81.2% new) and up to 40 subscribers, and receive very little feedback (comments) or coverage (links).

Yes, I know some posts are long and boring, and the topic can be quite diverse (thus may not interest everyone and may bore my regular audience to death), but remember, most posts are usually target at a specific issue or person. The template needs a lot more work too (loading time optimizations, a social bookmarking bar with small icons, etc).

Apparently the secret to blogger popularity is in writing short subjective (or inflammatory) posts on common subjects every now and then, social bookmarking and an extensive "blogroll". That, or the Slashdot Effect. That's why you often find blogs posts on blog posts that have 10000 times more hits than the original.

So, what am I whining here about? Basically, I'm looking for some constructive criticism. Feedback people, feedback! What am I doing wrong, what am I doing right, what would you like to see here, and how could I get more readers without compromising it (e.g.: turn this into a LOLCAT blog). Feel free to add comments...

Paint.NET - tiny free Photoshop alternative for Windows or Mono

Paint.NET is free image and photo editing software for computers that run Windows. It features an intuitive and innovative user interface with support for layers, unlimited undo, special effects, and a wide variety of useful and powerful tools. An active and growing online community provides friendly help, tutorials, and plugins.

The programming language used to create Paint.NET is C#, with a small amount of C++ for installation and shell-integration related functionality. The source code is available under the terms of the MIT License.

The system requirements are:

  • .NET Framework 2.0
  • 500 MHz processor (Recommended: 800 MHz or faster)
  • 256 MB of RAM (Recommended: 512 MB or more)
  • 1024 x 768 screen resolution
The program itself is packed into a stunning 1.5MB, and is surprisingly fast and easy to use.

The program also runs on Linux and such (Solaris, MacOS, etc.) via Mono and makes a great light weight MIT licensed alternative to GIMP.

Get Paint.NET!

Wednesday, November 21, 2007

Reavealing passwords fields (asterisk *** ) stored in your Web Browser - Opera, Firefox, IE, whatever

As shown on RaimondCC's blog, revealing the password fields in a webpage is as easy as pasting a bit of JavaScript in the Web Brower (Firefo, Opera, IExplore, whatever supports JavaScript) address bar. Note to self: never let your Internet Browser (or any other application for that matter) remember your passwords, you're better off with Gator :-). This basically means people can recover any stored password with ease .

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j < F.length; ++j) { f = F[j]; for (i=0; i < f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords found:\n\n" + s); else alert("No passwords found.");})();

UNIX Deployment Tools - JumpStart, IgniteUX, NIM, KickStart, AutoYaST, FAI

Bare metal recovery and mass deployment tools for UNIX and UNIX-like systems:

On Windows there's RIS, WDS or tools like Ghost, on UNIX platforms we have tools like JumpStart, IgniteUX, NIM, FAI, KickStart, etc. to help with massive deployment of operating systems.


  • Sun Solaris - Custom JumpStart and Advanced Installations - The custom JumpStart installation method is a command–line interface that enables you to automatically install or upgrade several systems, based on profiles that you create. The profiles define specific software installation requirements. You can also incorporate shell scripts to include preinstallation and postinstallation tasks. You choose which profile and scripts to use for installation or upgrade. The custom JumpStart installation method installs or upgrades the system, based on the profile and scripts that you select. Also, you can use a sysidcfg file to specify configuration information so that the custom JumpStart installation is completely hands-off.
  • Sun Solaris - JumpStart Enterprise Toolkit: provides a framework to simplify and extend the JumpStart functionality provided within the Solaris Operating System.
  • Sun Solaris Flash Archives (flar) - can be used with JumpStart technology to automate and speed up deployment or disaster recovery.
  • HP HP-UX Ignite-UX - is an administration toolset that allows: Simultaneous installation of HP-UX on multiple clients, The creation and use of custom installations, The remote recovery of clients, The creation of recovery media.
  • IBM AIX mksysb/mkcd/mkdvd: The mksysb command creates a backup of the operating system (that is, the root volume group). You can use this backup to reinstall a system to its original state after it has been corrupted. If you create the backup on tape, the tape is bootable and includes the installation programs needed to install from the backup.
  • IBM AIX NIM - Network Installation Management - is an excellent feature of the AIX operating system and is very important for teams or companies that have a need to install or upgrade many RS/6000 machines with the same images at the same time. NIM supports the use of mksysb images. Performing a NIM mksysb installation is faster than performing a NIM rte installation, and with mksysb, you can optionally include other installed software. You can use a mksysb image to install the nodes of a CSM cluster.

  • RedHat Linux Kickstart provides automation of Linux installation that uses a single kickstart file to install the system on multiple machines.
  • SUSE Linux AutoYaST - Automatic Linux Installation and Configuration with YaST2. AutoYaST allows unattended and automated installation. With AutoYaST, administrators can create a consistent baseline configuration for new installations in large or expanding deployments. In addition to AutoYaST, other installation methods include PXE Boot, CD-ROM, NFS, CIFS/SMB, HTTP, FTP, and the Service Location Protocol (SLP), which allows autodetection of install servers. ALICE, SuSEs former auto-installation system was a system built around the auto-installation features that were available with YaST1. In order to be able to use existing ALICE configuration files and resources, a special option is provided in the configuration system will let you convert ALICE configuration files into a control file readable by AutoYaST.
  • Debian GNU/Linux FAI - Fully Automatic Installation - is an automated installation tool to install or deploy Debian GNU/Linux and other distributions on a bunch of different hosts or a Cluster. FAI can also be used for configuration management of a running system.

  • Automatic OpenBSD Installation - Jumpstart-style procedure for installing OpenBSD servers
  • FreeBSD "JumpStart" Guide - This article details the method used to allow machines to install FreeBSD using the Intel PXE method of booting a machine over a network. Use sysinstall install.cfg for scripting.
  • BSD PXEBoot - while not unassisted, BSD systems can easily boot from PXE and install over the network.

  • Cfengine - an adaptive system configuration management engine - is an automated suite of programs for configuring and maintaining Unix-like computers. It has been used on computing arrays of between 1 and 20000 nodes.

Windows PE tools, LiveCD, Deployment Tools

Tools that help with Windows Deployment (Imaging, mass deployment, PXE, multicast, LiveCDs, bare metal recovery, disk cloning, "JumpStart" technology, automation tools, etc).

Cool Windows PE Tools:

  • Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD - Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.
  • UBCD4Win is a bootable recovery CD that contains software used for repairing, restoring, or diagnosing almost any computer problem.
  • WinBuilder - Build customized Windows boot disks like LiveXP, VIstaPE, etc.
  • Windows PE 2.0 is the core deployment foundation for Windows Vista.
  • WAIK - Windows Automated Installation Kit - Customize and deploy Vista. Here's a guide.

Unattended tools, deployment tools:

  • nLite - Deployment Tool for the Bootable Unattended Windows
  • vLite - Deployment Tool for the Bootable Unattended Windows Vista. Remove Windows Vista components, integrate drivers, tweak, bootable ISO...
  • Windows PE is a tool based on Microsoft Windows XP Professional that allows IT staff to build custom solutions, and can run Windows setup, scripts, etc. Provides automation tools, deployment tools, etc.
  • WAIK - Microsoft Windows Automated Installation Kit (WAIK) lets you install, customize, and deploy the Microsoft Windows Vista. It lets you perform unattended installations of Windows, create Windows Images with ImageX and create Windows PE images.
  • Sysprep is a tool designed for corporate system administrators, OEMs, and others who need to deploy the Windows operating system on multiple computers.
  • NewSID from Sysinternals changes the computer's Security Identifier to help with disk image cloning to perform mass roullouts of Windows. Alternative to using Sysprep.
  • drbl-winRoll is a tool that enables MS-Windows client to accept commands from DRBL server, and it resolve windows hostname, SID duplication problem via using image clone tool at single local LAN.It can also change "workgroup" name via IP/netmask automatically.

Mass deployment, PXE:
  • Remote Installation Service (RIS) in Windows Server allows deployment of Windows images via PXE boot.
  • Windows Deployment Services (WDS). WDS is the next version of Microsoft Remote Installation Services (RIS). Windows Deployment Services is included in the Windows Automated Installation Kit (Windows AIK) and in Windows Server 2003 SP2. It supports advanced features such as customized images and has Vista support.
  • Unattended is an open source Windows 2000, XP and 2003 automation tool (similar to RIS) that also works on Linux and such.
  • Symantec Ghost Solution Suite provides a corporate imaging, deployment and system management solution.
  • Clonezilla is a free partition or disk clone software similar to Ghost.
  • Acronis Snap Deploy - Complete PC system deployment solution using disk imaging technology
  • RIS For Linux - deploy Windows from a *NIX system via PXE boot.

Other tools:
  • WUD - Windows Updates Downloader

Tuesday, November 20, 2007

Sun Shared Shell - Collaborative Remote Access

Sun Shared Shell (Shared Shell) is a collaborative service tool that allows, under your control, Sun Services engineers to remotely view and diagnose your Sun products. It is a Java application that provides secure, shared, remote access to a shell session that both customers and Sun Services engineers view at the same time. You can invite your collegues or additional Sun engineers to participate in the conference as needed. You are always in control of who participates and who has access to the remote access session.

It provides SSH or Telnet proxy services (tunneling SSH or telnet over HTTPS proxy).

Blue Pill - Malware Virtualization

Blue Pill is a prototype malware that uses the virtualization capabilities of AMD processors (AMD-V extensions, previously know as Pacifica) to inject a rootkit in a running Vista operating system to create a lite hypervisor that takes complete control of the underlying operating system.

According to Joanna Rutkowska, a stealth malware researcher at Singapore-based IT security firm COSEINC, the author, by using Pacifica, Blue Pill would be able to trap a running instance of the operating system into a virtual machine, and would then act as a hypervisor, with complete control of the computer. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable". While this statement was proven false, it's still a fun toy to play with, especially since the source code is available.

GaG - the Graphical Boot Manager

GAG (initials, in spanish, of Graphical Boot Manager) is a Boot Manager program. It's loaded when the computer is turned on and allows you to choose the operating system you want to use.

It's also a great tool to boot systems with a broken bootloader, and a great alternative to using SuperGrubBootDisk.

Its main features are:

  • Allows boot of up to 9 different operating systems.
  • It can boot operating systems installed in primary and extended partitions on any available hard disk.
  • Can be installed from nearly all operating systems.
  • GAG doesn't need its own partition. It installs itself in the first track of the hard disk, wich is reserved for these kinds of programs. It can also be instaled on a floppy disk, without using the hard disk.
  • It has a timer to boot a default operating system (selectable by the user).
  • The configuration menu can be protected with a password.
  • The program works in graphic mode (needs a VGA or better graphic card), and has a lot of icons.
  • Hides the primary partitions which allows the user to have instaled more than one DOS and/or Windows in the same hard disk.
  • Allows a password to be put on each operating system, denying access to non-authorized people.
  • Allows the boot manager text to be translated to all languages.
  • Can exchange disk drives, allowing to boot from the second, third... hard disk operating systems such as MS-DOS.
  • Has the SafeBoot system, that allows to boot your hard disk even if GAG is accidentally overwrited.
  • Supports a great variety of keyboards (QWERTY, AZERTY, QWERTZ and DVORAK keyboards).
  • Fully support for hard disks up to 4 terabytes (4096 gigabytes).
  • Full version and free software (distributed under GPL licence, with source code)

Monday, November 19, 2007

VMware - using named pipes to redirect serial console output

Most kernel debuggers (and some headless operating systems) require the use of a serial console. When running inside a VMware virtual machine, this could complicate things.

A neat way to solve this problem (and get your self a home made "LOM") is to use named pipes (well, it's actually a Unix Domain Socket) to redirect serial output to a TCP port.

Just add a Serial Port to your Virtual Machine, set the Virtual Machine end as the client, and the other end to an application.

Now we'll need to make use of a Named Pipe TCP Proxy Utility.

Windows users will probably pick NPTP (it has an easy to use GUI) and UNIX users (well, Linux, since VMware supports that) will pick something like Socat (an extended netcat that supports pipes, etc).

Some Windows user may prefer a command line alternative (with source code available). VMwareGateway also supports running as a service. It listens on localhost on port 567. The name of the pipe is \\.\pipe\vmwaredebug.

So, what about those who run VMware on Linux?

Well, we'll create a serial port in VMware, same as above, and point it to a file.
Then, we'll use socat:

% socat -d -d -d /path/to/port tcp4-listen:6666

See the socat manpage and examples for more info.

What about people who can't run VMware (eg: not running Linux or Windows)?

Well, qemu supports serial port redirection! See the '-nographic' option.

Sun Blackbox - underground datacenter in a Japanese mine

Remember Project Blackbox?

Sun to set up datacentre in coal mine

"The disused coal mine is located in the Chubu region on Japan's Honshu island. Sun will build 30 Blackbox self-contained datacentres containing a total of 10,000 servers (cores). This can be increased to 30,000 cores if there is the demand for it."

Switch This - 3456 port Infiniband switch from Sun

Sun's big ass switch

Key Specifications

  • 3456 ports based upon 5-stage Clos fabric
  • Custom double wide rack chassis
  • 24 horizontally installed line cards, each provides 144 DDR 4x ports
  • 18 fabric vertically installed line cards each with 8 module high performance fans
  • Passive orthogonal midplane provides direct connection between line cards and fabric cards
Photos From Dresden - Sun's new Constellation System architecture

Sunday, November 18, 2007

Great Content

Don't miss out on "great content"

Is it me, or was that just a pop-up telling me a I missed the previous pop-up? So much for Firefox pop-up blocker...

Saturday, November 17, 2007

VMware Server 2.0 Beta

VMware Server (formerly GSX Server) provides free virtualization.

What's new in VMware Server 2 Beta 1:

  • Web-based management interface: A new Web-based user interface provides a simple, flexible, intuitive and productive way for you to manage your virtual machines.
  • Expanded operating system support: VMware Server now supports Windows Vista Business Edition and Ultimate Edition (guest only), Windows Server 2008 (Longhorn Server Beta 3), Red Hat Enterprise Linux 5 and Ubuntu 7.1, among others.
  • Greater scalability: Take full advantage of high-end hardware with support for up to 8GB of RAM per virtual machine, up to two virtual SMP (vSMP) processors and up to 64 virtual machines per host.
  • 64-bit guest operating system support: Run high-performance operating systems in virtual machines with support for Intel EM64T VT-enabled processors and AMD64 processors with segmentation support.
  • Support for VIX API 1.2: This feature provides a programming interface for automating virtual machine and guest operations.
  • Support for Virtual Machine Interface (VMI): This feature enables transparent paravirtualization, in which a single binary version of the operating system can run either on native hardware or in paravirtualized mode.
  • Support for USB 2.0 devices: Transfer data at faster data rates from USB 2.0 devices.

Friday, November 16, 2007

qemu - kqemu accelerator ported to other platforms

QEMU is a generic and open source machine emulator and virtualizer. When used as a virtualizer, QEMU achieves near native performances by executing the guest code directly on the host CPU. A host driver called the QEMU accelerator (also known as KQEMU) is needed in this case. The virtualizer mode requires that both the host and guest machine use x86 compatible processors.

QEMU Accelerator (KQEMU) is a driver allowing the QEMU PC emulator to run much faster when emulating a PC on an x86 host. It basically makes qemu speeds comparable to those of VirtualBox or VMware.

KQemu has been ported to various platforms (x86):

More fun using Tempest for Eliza and a photodiode

You don't need a AM radio to use Tempest for Eliza. You can also use a photodiode and an amplifier to make your monitor play music! You basically convert sound to light and then convert that light back to sound... pretty neat stuff. See YourMathsTutor for a diagram and instructions on how to build your own.

Firebug - awesome Web debugging tool - Firefox plugin

Firebug is a really cool Firefox plugin that lets you edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

If you're doing web development or just want to see why a webpage is loading slowly, you NEED Firebug!

Sandboxie - a transient storage area jail

Sandboxie provides a transient storage area (a sandbox) where data flows in both directions between programs and the sandbox and read operation data may flow from the hard disk into the sandbox, but data never flows back from the sandbox into the hard disk. In other words, programs in the sandbox can NEVER modify your system.

That means you can run malicious programs or test software without any issue: when you're done, just empty the sandbox. It also means you can browse the web safer with Internet Explorer or Firefox or whatever. Compromised programs cannot interact with your system. And best of all, Sandboxie is free :-).

You can also use it sort of like filemon/regmon (procmon) to monitor file changes / registry changes:

Wednesday, November 14, 2007

IBM's AIX 6.1 released, Open BETA ended

The AIX 6.1 open beta has ended, and AIX 6.1 has been released. Those with older processors such as Power 3 will need to upgrade (to POWER6, POWER5, Power 4 or PPC970 processors) if they plan to run AIX 6.1.

Cool new features in 6.1:

  • Workload Partitions
    A new, software based, virtualization approach that complements the existing IBM System Logical Partitions by reducing the number of operating system images that have to be managed when consolidating workloads.
  • Role Based Access Control
    Provides improved security and manageability by allowing administrators to grant authorization for management of specific AIX resources to users other than root by associating those resources with a role that is then associated with a particular system user.
  • AIX Security Expert enhancements
    The AIX Security Expert has been enhanced to provide an option to store security templates directly in a Lightweight Directory Protocol (LDAP) directory—simplifying implementation of a consistent security across an entire enterprise.
  • Name Resolver Caching Daemon
    The Name Resolver Caching Daemon is a new facility to cache host lookup information locally which can improve the performance of applications that access this type of information multiple times.
  • probevue dynamic tracing
    probevue is a new dynamic tracing tool that can simplify debugging complex system or application code. This tool allows a developer or system administrator to dynamically insert trace breakpoints in existing code without having to recompile the code.
  • System Director Console for AIX
    This new facility provides direct access to the System Management Interface Tool (SMIT) in a Web browser. The System Director Console for AIX is included with AIX 6 and does not require any other Web server or other software.

Virtualization - the new old thing everyone hypes about

Oracle has built their own virtualization technology, Oracle VM, on top of Xen.

MIT releases the source code for MULTICS

Multics (Multiplexed Information and Computing Service) was early mainframe time-sharing operating system, and a predecessor to UNIX. Thanks to MIT, Multics is now OpenSource!

Monday, November 12, 2007

Security Pro Admits to Hijacking PCs for Profit

Security consultants ran botnets on their client machines."

"A computer security consultant accused of installing malicious software to create an army of up to 250,000 "zombie" computers so he could steal identities and access bank accounts will plead guilty to four federal charges."

"According to an FBI informant who asked not to be named, Schiefer was a member of Defonic, a hacker group that included the individuals identified in the paragraph above as Zach "Majy" Mann, as well as "0x80". Another member of Defonic --- Cameron "cam0" LaCroix -- earned his reputation after breaking into Paris Hilton's cell phone account and later leading the group in breaching data giant LexisNexis, a stunt in which cam0 and several others pulled sensitive records on more than 310,000 people, including a number of Hollywood celebrities."

So much for trusted 3rd parties.

Solaris digital forensics whitepaper

Evtim Batchev - Solaris Kernel Dissection for Fun and Profit
Sun Blueprints - Digital Forensics

How to Charge an iPod using electrolytes and an onion

You can charge your iPod from an onion and some sugar/salt/water combination (or Gatorade / Powerade which are then stored within the cells of an onion.

Now they're after piratebay... again.

Now that they've managed to take down demonoid, they're after piratebay:

Prince sends army of lawyers to take on Pirate Bay (The Register).
Prince to sue The Pirate Bay (CNet)

The Pirate Bay has already faced several attempts and treats by the governments of Sweden and the United States to shut down the site, as well as tons of legal treats from Microsoft, Dreamworks, EA, MPAA and so on, all waving the Digital Millennium Copyright, not realizing that US law does NOT apply in Sweden.

There seems to be quite a big movement against "copyright infringement" and "piracy", shutting down sites such as and demonoid, with no regard to the fact they don't provide any actual content themselves.

The Blogosphere is safe for another day

The attack that was supposed to occur on the 11th failed to materialize, even though sites such as have distributed packets like "E-Jihad30.exe".

F-Secure reports that "this tool creates a botnet using a server at — a domain registered to Iraq. However, we've been monitoring this server all day and its IP address continues to point to So at least regarding this botnet, nothing is gonna happen."

The "Electronic Jihad Program" is part of the long-term vision jihadi Web site has to use the Internet as a weapon, something that affects any organization that relies on the Web. Electronic Jihad allows users to target specific IP addresses for attack in order to take any servers running at those IP addresses offline. The application even includes a Windows-like interface that lets users choose from a list of target Web sites provided via the Al-jinan site, select an attack speed (weak, medium, or strong), and the click on the "attack" button."

This is all an attempt to manipulate large masses of people to take part in a distributed Denial of Service attack, and serve the purposes of the tool's creators. In other words, they actually expect people to run the trojan / virus / work /whatever themselves.

And again, script kiddies have been doing this for years, and have had little effect on the "Interblag".


Silly tests

Overall, you scored as follows:

0% scored higher (more computer geeky),
0% scored the same, and
100% scored lower (less geeky).

Compared to those in the same age group as you:

0% scored higher (more computer geeky),
0% scored the same, and
100% scored lower (less geeky).

What does this mean? Your computer geekiness is:

Step aside Bill Gates, Linus Torvalds, and Steve Jobs... You are by far the SUPREME COMPUTER GOD!!!

My computer geek score is greater than 100% of all people in the world! How do you compare? Click here to find out!

Funny it seems to give that "0% scored the same" to all who get 100, huh? Besides, the questions aren't that good either.

Sunday, November 11, 2007

xkcd takes life. Seriously.

xkcd is an inspiration to us all...

A couple of days later, I stumble across this:

Inspired by XKCD: MBR Love Note

Just a note: if you plan to mess with that, do keep a copy of your MBR (you might actually want to copy a bit more than 512 in this case, go for safe MB, then you can restore how much is needed from that).

dd if=/dev/yourdisk of=mymbr bs=512 count=1

You can later restore that to disk

dd if=mymbr of=/dev/yourdisk bs=512 count=1

-----> Cool :D

Note: In response to the comment by Criveti Mihai, the binary for the MBR sector actually is in the zip file at src/love/love/mbr.bin .. except if you were to install it via DD, you would need to install a message on sector 3 as well.

Friday, November 09, 2007

The Inevitable Rise and Liberation of Music

After giving away the "source code" to his music (garageband/logic* or raw formats), and making it available via torrents, Trent Reznor (Nine Inch Nails) and Saul Williams are giving away their album as an 83MB zip file containing the entire record as 192Kbps DRM-free LAME encoded MP3s along with a PDF booklet.

"The Inevitable Rise and Liberation of NiggyTardust!" is a joint Trent Reznor / Saul Williams feature. If you feel like supporting the artist, feel free to donate 5$, and get the higher quality version in either mp3 or flac format:

  • 320Kbps MP3 (very high quality, larger file size - approx 128MB)
  • FLAC lossless (exact CD quality but unplayable in iTunes and Windows Media Player - approx 395MB)

All files are 100% DRM Free.

"Personally, I would like people to support artists," Reznor said. "After all, we as artists dedicate our lives to producing the best music we can. It's been a painful process for me personally (to see the changes in the music industry). But should I be angry at the audience that wants to hear music so much, an audience that is so passionate about hearing it they go online to get it two weeks before the music debuts? No, I want them to be that way."

It's good to see artists are finally supporting music and not RIAA or DRM or the industry cronies.

Did I mention NIN has their own official youtube feed?

Music too expensive? "You know what that means - steal it! steal it, steal some more, give it to your friends and keep on stealing. Bet I didn't make any friends by saying that" - Trent Reznor

Neat little follow-up:

Gene Simmons (KISS bass "axe" player) blames college kids for ruining music biz:

"Every little college kid, every freshly-scrubbed little kid's face should have been sued off the face of the earth. They should have taken their houses and cars and nipped it right there in the beginning."

Oh yeah, blast those teens with their Humvees and villas who steal music from the poor little artists!

Demonoid BitTorrent site taken down by record industry

The CRIA threatened the company renting the servers to us, and because of this it is not possible to keep the site online. Sorry for the inconvenience and thanks for your understanding.

The Canadian Recording Industry Association (CRIA) has managed to take Demonoid down, just a few weeks they forced them to block Canadian traffic.

Al Qaeda declares Cyber Jihad on the West

/bin/laden to attack the blogosphere starting Sunday, Nov. 11th.

In a special Internet announcement in Arabic, picked up DEBKAfile’s counter-terror sources, Osama bin Laden’s followers announced Monday, Oct. 29, the launching of Electronic Jihad. On Sunday, Nov. 11, al Qaeda’s electronic experts will start attacking Western, Jewish, Israeli, Muslim apostate and Shiite Web sites. On Day One, they will test their skills against 15 targeted sites expand the operation from day to day thereafter until hundreds of thousands of Islamist hackers are in action against untold numbers of anti-Muslim sites.


First Forensic Forum defaced

The "First Forensic Forum" an open forum for digital forensic practitioners and security professionals has been defaced. Good thing they have no shortage of forensics and security professionals to evaluate the situation and track down the vulnerabilities that were exploited :-).

"S4udi-S3curity-T3rror" wrote: "The F3 For Security Hacked. What's Happened In The world. Thay Are No Security Or What"

It goes to show you this sort of thing can happen even to the best in the field (security professionals).

They were using Zeus webserver at the time.

Which, oddly enough, seems to have a pretty clean security track record. So it might have been human error (permissions and that sort of thing) or badly written applications. Some of the errors on the website seem to indicate a badly written PHP application.

Warning: main() [function.include]: Failed opening '/content/StartupHostPlus/f/3/' for inclusion (include_path='.:/usr/local/lib/php') in /content/StartupHostPlus/f/3/ on line 104

And again, he has been keeping himself pretty busy lately:

Results 1 - 10 of about 13 for "S4udi-S3curity-T3rror was here"

S4udi-S3curity-T3rror. Was Here. ====================================================== !!!!! The Global Trust Security Hacked. :\ What Happen In The world ...

S4udi-s3curity-T3rror was here
This Site Was Hacked. By. S4udi-S3curity-T3rror | NorTh Hacker. Don't Scare Just Rename The Index :). =========================================== ...

S4udi-s3curity-T3rror was here
HACKED. Big Error By. S4udi-S3curity-T3rror. --------------------------------------------------. TrusT_Me If You Know The Trust. S4curity@HotMail.Com ...

You get the picture. From "" or "" he seems to change the index.

sudo dd if=~/loveletter of=/dev/rwd0c

xkcd ftw!

In love with a BOFH :-).

Open Source at Microsoft, working on ATK

At the 1 year anniversary of the Microsoft/Novell "Collaboration Agreement" press release they have anounced that Microsoft and Novell plan to support GNOME ATK - Accessability Toolkit to create a cross-platform accessibility model that links together the existing Windows and Linux frameworks used to build assistive technology products that enable people with disabilities to interact with computers.

It would be interesting if they were to use Mono as the development platform.

It's good to know that Novell, Sun and even Microsoft pitch in to create a unified accessibility model.

It is interesting to see Open Source at Microsoft, and even Silverlight for Linux. It would be for the best if they'd play nice and collaborate for the greater good.