Centroid.EU Blog
(this blog is mostly encrypted - adults only)||
|
Previous Page
January 9th, 2016
My dad got a virus on his Mac (Snow Leopard OS X I think). Before we
reinstalled it with El Capitan I saved the binary, the install script, and
an lsof output of this trojan called WebShoppy.
First unpack my tarball I made, first impressions are that there is a
._3166.sh file that was copied along with the 3166.sh script when I made
the tarball, possibly a trait of the virus.
alpha$ tar -xvzf ws.tgz
ws
ws/._3166.sh
ws/3166.sh
ws/list.open
ws/WebShoppy
let's take a look at this ._3166.sh file it seems to be binary code so I'm
going to hexdump it.
alpha$ hexdump -C ._3166.sh
00000000 00 05 16 07 00 02 00 00 4d 61 63 20 4f 53 20 58 |........Mac OS X|
00000010 20 20 20 20 20 20 20 20 00 02 00 00 00 09 00 00 | ........|
00000020 00 32 00 00 00 79 00 00 00 02 00 00 00 ab 00 00 |.2...y..........|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000050 00 00 00 00 41 54 54 52 00 00 00 00 00 00 00 ab |....ATTR........|
00000060 00 00 00 9c 00 00 00 0f 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 01 00 00 00 9c 00 00 00 0f |................|
00000080 00 00 17 63 6f 6d 2e 61 70 70 6c 65 2e 54 65 78 |...com.apple.Tex|
00000090 74 45 6e 63 6f 64 69 6e 67 00 00 00 75 74 66 2d |tEncoding...utf-|
000000a0 38 3b 31 33 34 32 31 37 39 38 34 |8;134217984|
000000ab
Next I will show you parts of the 3166.sh script which was placed in the $HOME
of my dad's user.
...
# existing check
brands=(flashmall webshoppers webshoppy smartshoppy)
brandExists=false
for currBrand in "${brands[@]}"; do
if [ `pgrep -i $currBrand | wc -l` -gt 0 ]; then
brandExists=$currBrand
fi
done
...
Here it checks for the following programs already running on this computer.
However it clobbers brandExists if multiple instances of these four programs
exist.
...
# user
sudo -u $INSTALLER_USER launchctl unload $plist_user >> ${mmtmp}/${insname}.lo
g 2>&1
sudo -u $INSTALLER_USER /bin/rm -f $plist_user
sudo -u $INSTALLER_USER cp $orig_plist_path $plist_user
sudo -u $INSTALLER_USER launchctl load $plist_user >> ${mmtmp}/${insname}.log 2>&1
...
it will then try to add what is a crontab like entry (launchctl). So it
registers itself into the system to always start up every boot.
plist_user is $HOME/Library/LaunchAgents/com.WebShoppy.agent.plist in the
scripts case.
On to the binary, What I found interesting was the content was encrypted, but
strings on mac os x doesn't list all printable symbols, so on OpenBSD I was
able to see who compiled this binary from environment variables packed into the
binary. Chances are it's someone who had their computer hijacked.
...
03wnh{ul7yffwqtvs!vcd2gxr5vl{xjgisx5fvvrpriwyy2F|qvvgnB
pwe|hxlw}".i$0nl#hyrmmgjyoru)$Tejjwo%'ru!vywsoqn)viir0%3h'0npk$+Fiwp g#+$6j&%y~p
!wg{nvwc+vfpp)fvssrebxmxs&_ce$Tejjwo_ce$]r`wiu#QjxbWg{nvw'e^]&
...
/Users/janetlev/macwebtools/WebHelper/
...
So there is ciphertext in the binary as you an see. I did find the janetlev
user string in there as well. She's likely innocent, I don't accuse her.
And finally I'd like to show an lsof output of the WebShoppy active in the
System before we wiped it.
WebShoppy 491 mydadsuser cwd DIR 1,2 1224 2 /
WebShoppy 491 mydadsuser txt REG 1,2 56664 19581804 \
/Applications/WebShoppy/WebShoppy
WebShoppy 491 mydadsuser txt REG 1,2 600832 15963057 \
/usr/lib/dyld
WebShoppy 491 mydadsuser txt REG 1,2 344538318 19594212 \
/private/var/db/dyld/dyld_shared_cache_x86_64
WebShoppy 491 mydadsuser 0r CHR 3,2 0t0 306 \
/dev/null
WebShoppy 491 mydadsuser 1w CHR 3,2 0t0 306 \
/dev/null
WebShoppy 491 mydadsuser 2w CHR 3,2 0t0 306 \
/dev/null
It doesn't seem to be doing too much. Perhaps it does things on a timer basis.
If anyone has hints on how I could have done the analysis or post-analysis any
better let me know.
0 comments
January 8th, 2016
When you think of safety, you are naive to think you'll get it anywhere after
the sun goes down. Be smart, don't put yourself in situations where you're
defenseless, avoid hotspots. In Cologne ruthless gangs of organized criminals
roamed the train station on new years eve. The police were helpless, due to
being outnumbered. One may now think of how to bring the individuals to
justice, and face recognition technology comes to mind. Where will it end
us up though? In a totalitarian society where everyones face is recognized
in real time?
One thing to remember is that it was organized crime that
terrorized the few women and men who were rather defenseless. But the herd of
sheep now know the wolf is about, and we need to think of ways to protect
ourselves. For one, strong cryptography in voice and data is needed, and
should not be backdoored. When organized crime does things they do it big and
they want to get at the next victims online banking. Be smart, keep the
crypto strong it is a foundation, a pillar for fighting the evil in society
who group up. We know the wolf exists now and isn't just a fable. We need
the right tools to combat him while keeping our society with it's laws and
freedoms intact and sturdy.
0 comments
January 6th, 2016
I have donated 100 euros to Theo de Raadt and OpenBSD. He'll have to get me
really angry for me to donate to the foundation and even more angry for me to
not donate, lol.
0 comments
January 3rd, 2016
Have you ever wanted to go offline for good? No Internet for the NSA to track
you. No online marketing. No email, and in my case no job. Believe it or
not I went offline for about a year in 2001. I was misinformed when 9/11
happened, having only an FM radio to get my information. But imagine if an
offline life was manageable. Can we do this at all? Make my workstations
PC's again. Meaning it really is a personal computer and not a cloud
extension. I'm interested in organizations who facilitate an offline life.
Would I take the leap?
0 comments
January 1st, 2016
In my network which consists of 1 access point and 2 repeaters to create
a WLAN bridge between 3 routers, I tried to change the Wifi password.
Simple, I thought. I'd start with the repeater furthest away from me and
change its WLAN password, then do the same on the access point and the same
for the repeater closest to me. Was I in for a mental boxing match where I
did not win. The repeaters decided they did not want to accept the access
point because somehow I had WPS set to active, or was that it? Or was it the
"hidden" link to find which station to connect to which had a password of its
own. I still don't know what I did exactly to make these repeaters finally
connect to my AP. On top of that they changed their IP's and I had to re-
configure my router to even connect to them. Talk about making a function
hard, when it should be as simple as changing a light bulb! No kudos go
to AVM with their Fritz line of Access points and Repeaters. They still
owe me one regardless, due to losing ARP packets on their AP. Why did I
ever invest into crap?
0 comments
January 1st, 2016
It's 2016. The following book has lost its significance.
This is the third edition of DNS and BIND, and it doesn't cover bind9 and it
doesn't cover DNSSEC. However this book guided me for a while when I was
writing on delphinusdnsd prior to writing the DNSSEC code. I can only put this
book back into my bookshelf because it looks good. But that's about it.
I would recommend the authors works to anyone, they are written in an easy
to understand fashion. Just don't get an old book like this one :-).
0 comments
January 1st, 2016
I have released delphinusdnsd 1.0.0. You can download it here. The SHA256 code to the tarball looks
like this: 8914aa55437081e44895a4cecdfff82b4a3be03fb38dd65d073c71e1be187e41.
I've worked on this release for over a year. Some parts are incomplete still
but I feel I gotta get it out the door. When is a DNS server ever complete
though one may ask? Anyhow, enjoy!
0 comments
December 31st, 2015
A ghost haunts Europe. It's the power ghost. Once there is no more oil
either available or sanctioned due to the environmental effects, where will
we get our power from? One corporation in Germany
has a plan.
But do we really want to upkeep the power hegemony in Arabia and Sahara just
to get our power? These are political factors which don't convince the
technical ones.
0 comments
December 29th, 2015
0 comments
December 29th, 2015
December 23, 2015 Merry Christmas
December 22, 2015 I joined Twitter
December 21, 2015 Happy Solstice
December 19, 2015 Getting ready for delphinusdnsd release
December 15, 2015 More sky photos coming up
December 13, 2015 An ejection from Atacama?
December 11, 2015 100 million X speedup from classical computer
December 7, 2015 Thinking of getting a third Internet Link
December 5, 2015 Trying to run letsencrypt beta
December 3, 2015 Anonymity
December 1, 2015 What happens when...
November 29, 2015 23 days until the December Solstice
November 29, 2015 10 Years
November 20, 2015 10 years Delphinusdnsd in 9 days
November 18, 2015 Keeper of the Isis Light
November 13, 2015 DNSSEC validation tools
November 10, 2015 Delphinusdnsd does TLSA RR and thus DANE
November 8, 2015 Happy Anniversary Delphinusdnsd!
November 8, 2015 swshell.de is DNSSEC enabled now
November 4, 2015 Donated to OpenBSDFoundation
October 31, 2015 pledge(2) Don't do this!
October 27, 2015 Outlook Delphinusdnsd 1.0.0 not before XMAS
October 26, 2015 AVM FritzBox Router losing ARP packets
October 24, 2015 Open Sourced CodeBlue version 1
October 22, 2015 MPS open sourced
October 20, 2015 Oct 21, 2015 Cars that fly?
October 19, 2015 Luna-27
October 17, 2015 Upgraded supercluster
October 11, 2015 Yesterday OpenBSD 5.8 arrived
October 10, 2015 Status update on Delphinusdnsd
October 7, 2015 OpenBSD 5.8 poster arrived
October 7, 2015 Autumn Programmer
October 3, 2015 Happy Birthday R.
October 3, 2015 For God's sake! Stoererhaftung is in the Way!
October 2, 2015 Happy Birthday M.
September 30, 2015 Wrote a donation to OpenBSD
September 27, 2015 Profit for the poor!
September 26, 2015 European Union where is your strength?
September 23, 2015 Happy September Equinox!
September 15, 2015 I'm not hiring
September 10, 2015 Equinox in less than 2 Weeks
September 5, 2015 Delphinusdnsd now answers to version queries
September 5, 2015 The last homely house on Earth
August 31, 2015 Changed DNS setup
August 29, 2015 Cancelling io.solarscale.de, eventually
August 27, 2015 Resisting Refugees is Shameful
August 26, 2015 Omega: a new VPS
August 22, 2015 Changes at work
August 21, 2015 Maxed my Soekris 6501
August 19, 2015 OpenBSD 5.8 Pre-orders are on
August 17, 2015 And still in the Rush
August 16, 2015 Still in a Consumer Rush
August 10, 2015 I started shuffling my $HOME/.ssh directory
August 9, 2015 Spampd and taking the -T out
August 9, 2015 Ordered a Book from Amazon
August 2, 2015 CryptoBooks virtualized
July 28, 2015 Delphinusdnsd status update
July 27, 2015 Opinion: Hacking Team are pigs
July 25, 2015 Two CryptoBooks side by side
July 24, 2015 New Network Plans
July 23, 2015 Macbook Pro and things
July 17, 2015 My CryptoBook
July 15, 2015 Donated $15 to FreeBSD Foundation
July 13, 2015 Purchased Netbook
July 10, 2015 Status update of Delphinusdnsd and DNSSEC
July 10, 2015 Hand-Down and a Story
July 9, 2015 Signatures of Time - Double Play
July 7, 2015 Freifunk was affected by an MTU issue
July 6, 2015 It definatly was hotter than 2003
July 4, 2015 Power outtage this morning
July 3, 2015 I have donated 20 euros to the Greece bailout fund
June 28, 2015 AKW Grafenrheinfeld has shut down over night
June 28, 2015 Status update on Delphinusdnsd and DNSSEC
June 25, 2015 RFC 4034 compliant AFAIK
June 25, 2015 Donated 50 euros to OpenBSD
June 24, 2015 Vacation cut short
June 23, 2015 Art display of my parents creations
June 22, 2015 Delphinusdns Project sponsors Luke Antins
June 22, 2015 Donated 150 euros to the Red Cross
June 21, 2015 Happy Solstice
June 20, 2015 The First Ever DNSSEC answer from Delphinusdnsd
June 18, 2015 Delphinusdnsd Hack days, entering production..
June 13, 2015 I'm on Vacation
June 6, 2015 Purchased two Books
June 5, 2015 Vacation in a week
May 22, 2015 Computers are better Rappers? Perhaps...
May 21, 2015 Advocacy for OpenBSD
May 21, 2015 My udptunnel program is open source now
May 19, 2015 Holidays less than a month away
May 15, 2015 OpenBSD 5.7 arrived
May 15, 2015 Freifunk Tunnel Masters
May 13, 2015 Anexit
May 12, 2015 Donated 25 euros toward Nepal
May 12, 2015 Purchased DJ mixer
May 9, 2015 Where do you get your clothes?
May 8, 2015 Pension, TV and Books
May 2, 2015 OpenBSD CD's delayed, upgraded anyways
April 30, 2015 Httpd died overnight
April 29, 2015 Goodbye Avon!
April 28, 2015 OpenBSD getting hammerfs through GSOC?
April 24, 2015 Happy 25th anniversary Hubble!
April 24, 2015 And the Park seemed inviting
April 22, 2015 Donated 50 euros to OpenBSD
April 22, 2015 Bought two singles
April 22, 2015 Vernal Equinox and Jesus
April 21, 2015 Exploring Xephem
April 20, 2015 Backport of patch for OpenSMTPD 5.4.2p1
April 15, 2015 The contraction of my VPS network
April 15, 2015 Blog Outtage this Morning
April 13, 2015 One year of mercury (computer)
April 11, 2015 Sorry no Linkedin, yet
April 11, 2015 Mac OS X 10.10.3 killed my screensaver!
April 9, 2015 Wildcarddnsd 0.9.1
April 7, 2015 Greece's war reparation demand
April 4, 2015 Happy Easter
April 1, 2015 Astronomers detect a giant star in Constellation Pisces
March 31, 2015 ESA what are your plans?
March 30, 2015 R.I.P. Paul Schenkeveld
March 29, 2015 Please, not another LEO ISS!
March 28, 2015 The catch-22 of mental illness
March 21, 2015 My Eclipse photos were a FAIL
March 14, 2015 Happy Pi day
March 13, 2015 Pre-Ordered OpenBSD 5.7
March 12, 2015 Wrote two members of parliament
March 12, 2015 Equinox in 8 days
March 7, 2015 Crackers are getting more careful
March 5, 2015 Oldlaptop's github repo
March 5, 2015 OpenBSD's httpd with webalizer
March 5, 2015 Softraid Crypto seems secure
February 27, 2015 God Speed Spock!
February 26, 2015 OpenBSD donations reached 397,000 dollars in 2014
February 25, 2015 Got a washing machine
February 24, 2015 Nearing 20 years UNIX experience
February 23, 2015 Ordered three books
February 21, 2015 Scarcity vs. Abundance
February 16, 2015 Moved the blog
February 14, 2015 Upper Lower Class
February 13, 2015 I'm sick
February 6, 2015 Next Week marks Two Years in My Apartment
February 5, 2015 Thinking of voting Die Linke in 2017
February 5, 2015 The last frontier, under the ice
February 3, 2015 Why I think "The Time Machine" doesn't work in reality
February 2, 2015 I want a Greek bailout
January 28, 2015 The rich can't buy smarts, can they?
January 27, 2015 Electricity (day) consumption up (unfortunately)
January 26, 2015 Cryptowars: Organised Crime and Terrorists
January 24, 2015 Administrivia
January 24, 2015 Is it more than Space Junk?
January 19, 2015 This is how fair the world is
January 13, 2015 And our rights diminish
January 11, 2015 I am not your subordinate
January 9, 2015 Ordered 3 books
January 5, 2015 My 150 Euro Calculator
January 5, 2015 Donation time again
December 31, 2014 Happy New Year!
December 29, 2014 Added supercluster to nameservers
December 28, 2014 Winter Flowers
December 24, 2014 Merry Christmas / Frohe Weihnachten!
December 17, 2014 NASA wants to go to Venus
December 16, 2014 My thought about Pegida
December 16, 2014 A domain expired, amdeutschhof.de
December 15, 2014 December solstice in less than a week!
December 12, 2014 Comparison between Mordor and the US
December 9, 2014 Farewell American Forces
December 8, 2014 Speak German at home...
December 6, 2014 When Fighters scramble
0 comments
Next Page
|
Search
RSS Feed
 Click here for RSS
On this day in
Other links
Have feedback?
By clicking on the header of an article you will be
served a cookie. If you do not agree to this do not
click on the header. Thanks!
Using a text-based webbrowser?
... such as lynx? Welcome back it's working again for the time being.
Older Blog Entries
March, 2023
February, 2023
January, 2023
December, 2022
November, 2022
October, 2022
September, 2022
August, 2022
July, 2022
June, 2022
May, 2022
April, 2022
March, 2022
February, 2022
January, 2022
December, 2021
November, 2021
October, 2021
September, 2021
March, 2021
February, 2021
January, 2021
December, 2020
November, 2020
October, 2020
September, 2020
August, 2020
July, 2020
June, 2020
May, 2020
April, 2020
March, 2020
February, 2020
January, 2020
December, 2019
November, 2019
October, 2019
September, 2019
August, 2019
July, 2019
June, 2019
May, 2019
April, 2019
March, 2019
February, 2019
January, 2019
December, 2018
November, 2018
October, 2018
September, 2018
August, 2018
July, 2018
June, 2018
May, 2018
April, 2018
March, 2018
February, 2018
January, 2018
December, 2017
November, 2017
October, 2017
September, 2017
August, 2017
July, 2017
June, 2017
May, 2017
April, 2017
March, 2017
February, 2017
January, 2017
December, 2016
November, 2016
October, 2016
September, 2016
August, 2016
July, 2016
June, 2016
May, 2016
April, 2016
March, 2016
February, 2016
January, 2016
December, 2015
November, 2015
October, 2015
September, 2015
August, 2015
July, 2015
June, 2015
May, 2015
April, 2015
March, 2015
February, 2015
January, 2015
December, 2014
November, 2014
October, 2014
September, 2014
August, 2014
July, 2014
June, 2014
May, 2014
April, 2014
March, 2014
February, 2014
January, 2014
December, 2013
November, 2013
October, 2013
September, 2013
August, 2013
July, 2013
June, 2013
May, 2013
April, 2013
March, 2013
February, 2013
January, 2013
December, 2012
November, 2012
October, 2012
September, 2012
August, 2012
July, 2012
June, 2012
May, 2012
April, 2012
March, 2012
February, 2012
January, 2012
December, 2011
November, 2011
October, 2011
September, 2011
August, 2011
July, 2011
June, 2011
May, 2011
April, 2011
March, 2011
February, 2011
January, 2011
December, 2010
November, 2010
October, 2010
September, 2010
August, 2010
July, 2010
June, 2010
May, 2010
April, 2010
March, 2010
February, 2010
January, 2010
December, 2009
November, 2009
October, 2009
September, 2009
August, 2009
July, 2009
June, 2009
May, 2009
Powered by BCHS
|