Centroid.EU Blog
(this blog is mostly encrypted - adults only)
January 22nd, 2016
I have started signing my personal zones. I'm the only one using them with
my family so I can do this. I ran into some trouble yesterday and today
with DNSSEC replies. Also reply_mx() in delphinusdnsd didn't like DNSSEC.
I have stripped out the offending code but I'm gonna have to revisit it.
For anyone who is trying to run this, wait for the 1.0.1 release which will
come out soon, or use tonight's snapshot from -current (midnight CEST) to get
the MX and NSEC3 fix. Sorry if anyone was bitten by this, but I only had 1
DNSSEC test zone, and several zones are now unearthing bugs. I have my
weekend planned for writing on this.
What's up or down with the Canadian Dollar?
January 21st, 2016
About three months ago I was exchanging my Canadian pay and I was getting
what was reasonable money back. Today I'd be getting 144 Euros less. That
doesn't seem reasonable. I am still patient, but patience is running thin;
I may have to re-negotiate my work contract to be paid in a more stable
currency.
Preparing to sign my zones -> DNSSEC
January 20th, 2016
I still haven't signed the rest of my zones. I will do that in the coming
days and see if it works. I hope so. Delphinusdnsd is capable, I think.
No one is downloading it yet though, dunno why.
To Human Artificial Systems
January 19th, 2016
Money markets are mainly artificial. They exist only in our minds, with
consequences on the body when there is a lack of resources. Let me say this.
Would the stock market collapse when a star in the center of the galaxy
collides with a black hole? No. Why not??? We have a brilliant way to look
beyond the hemisphere of the earth (which we think we've conquered) to the stars.
Just because we are shielded does not exclude us from events happening in our
cosmic neighbourhood. We need to include some reality with our artificial
systems. Don't get me started on the price of oil either.
Dissecting WebShoppy Mac OS X trojan
January 9th, 2016
My dad got a virus on his Mac (Snow Leopard OS X, I think). Before we
reinstalled it with El Capitan I saved the binary, the install script, and
an lsof output of this trojan called WebShoppy.
First I unpack the tarball I made. First impressions are that there is a
._3166.sh file that was copied along with the 3166.sh script when I made
the tarball, possibly a trait of the virus.
alpha$ tar -xvzf ws.tgz
ws
ws/._3166.sh
ws/3166.sh
ws/list.open
ws/WebShoppy
Let's take a look at this ._3166.sh file. It seems to be binary, so I'm
going to hexdump it.
alpha$ hexdump -C ._3166.sh
00000000 00 05 16 07 00 02 00 00 4d 61 63 20 4f 53 20 58 |........Mac OS X|
00000010 20 20 20 20 20 20 20 20 00 02 00 00 00 09 00 00 |        ........|
00000020 00 32 00 00 00 79 00 00 00 02 00 00 00 ab 00 00 |.2...y..........|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000050 00 00 00 00 41 54 54 52 00 00 00 00 00 00 00 ab |....ATTR........|
00000060 00 00 00 9c 00 00 00 0f 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 01 00 00 00 9c 00 00 00 0f |................|
00000080 00 00 17 63 6f 6d 2e 61 70 70 6c 65 2e 54 65 78 |...com.apple.Tex|
00000090 74 45 6e 63 6f 64 69 6e 67 00 00 00 75 74 66 2d |tEncoding...utf-|
000000a0 38 3b 31 33 34 32 31 37 39 38 34 |8;134217984|
000000ab
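As an added example (not part of the original post), here is a small parser for the bytes in the hexdump above. A file named ._name next to name is the AppleDouble sidecar that tar on OS X writes to carry a file's Finder info and extended attributes; the header entries and the "ATTR" block are decoded from the big-endian layout used by Apple's copyfile(3). The sample bytes are transcribed from the dump, and the entry names come from RFC 1740.

```python
import struct

# Sample bytes transcribed from the hexdump above; "*" in hexdump output means
# the 0x40 line repeats the all-zero 0x30 line. Total length is 0xab = 171.
SAMPLE = bytes.fromhex(
    "00 05 16 07 00 02 00 00 4d 61 63 20 4f 53 20 58 "
    "20 20 20 20 20 20 20 20 00 02 00 00 00 09 00 00 "
    "00 32 00 00 00 79 00 00 00 02 00 00 00 ab 00 00 "
    + "00 " * 32 +
    "00 00 00 00 41 54 54 52 00 00 00 00 00 00 00 ab "
    "00 00 00 9c 00 00 00 0f 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 01 00 00 00 9c 00 00 00 0f "
    "00 00 17 63 6f 6d 2e 61 70 70 6c 65 2e 54 65 78 "
    "74 45 6e 63 6f 64 69 6e 67 00 00 00 75 74 66 2d "
    "38 3b 31 33 34 32 31 37 39 38 34"
)
# AppleDouble entry ids (RFC 1740); macOS stores xattrs inside entry 9.
ENTRY_NAMES = {2: "Resource Fork", 3: "Real Name", 8: "File Dates Info", 9: "Finder Info"}

def parse_appledouble(blob):
    magic, version = struct.unpack_from(">II", blob, 0)
    if magic != 0x00051607:
        raise ValueError("not an AppleDouble file: magic %#x" % magic)
    (count,) = struct.unpack_from(">H", blob, 24)  # after the 16-byte "Mac OS X" filler
    entries = []
    for i in range(count):  # each entry: id, offset, length (all 32-bit big-endian)
        eid, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        entries.append((ENTRY_NAMES.get(eid, "id %d" % eid), off, length))
    xattrs = {}
    for name, off, length in entries:
        if name == "Finder Info" and length > 32:  # 32 bytes FinderInfo, 2 pad, then ATTR
            xattrs = parse_attr_block(blob, off + 32 + 2)
    return {"version": version, "entries": entries, "xattrs": xattrs}

def parse_attr_block(blob, start):
    # attr_header: magic, debug_tag, total_size, data_start, data_length,
    # reserved[12], flags (u16), num_attrs (u16) = 36 bytes; entries follow.
    if blob[start:start + 4] != b"ATTR":
        return {}
    (num_attrs,) = struct.unpack_from(">H", blob, start + 34)
    pos, attrs = start + 36, {}
    for _ in range(num_attrs):  # attr_entry: offset, length, flags, namelen, name[]
        off, length, _flags, namelen = struct.unpack_from(">IIHB", blob, pos)
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
        attrs[name] = blob[off:off + length]
        pos += (11 + namelen + 3) & ~3  # entries are padded to a 4-byte boundary
    return attrs

if __name__ == "__main__":
    print(parse_appledouble(SAMPLE))
```

On this sample it yields a Finder Info entry at offset 50 (121 bytes), an empty Resource Fork entry, and one xattr, com.apple.TextEncoding = utf-8;134217984, which is what the ASCII column of the dump already hints at.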
Next I will show you parts of the 3166.sh script which was placed in the $HOME
of my dad's user.
...
# existing check
brands=(flashmall webshoppers webshoppy smartshoppy)
brandExists=false
for currBrand in "${brands[@]}"; do
if [ `pgrep -i $currBrand | wc -l` -gt 0 ]; then
brandExists=$currBrand
fi
done
...
Here it checks for the following programs already running on this computer.
However it clobbers brandExists if multiple instances of these four programs
exist.
...
# user
sudo -u $INSTALLER_USER launchctl unload $plist_user >> ${mmtmp}/${insname}.log 2>&1
sudo -u $INSTALLER_USER /bin/rm -f $plist_user
sudo -u $INSTALLER_USER cp $orig_plist_path $plist_user
sudo -u $INSTALLER_USER launchctl load $plist_user >> ${mmtmp}/${insname}.log 2>&1
...
It will then try to add what is a crontab-like entry (launchctl), so it
registers itself with the system to start up on every boot.
plist_user is $HOME/Library/LaunchAgents/com.WebShoppy.agent.plist in the
script's case.
On to the binary. What I found interesting was that the content was encrypted, but
strings on Mac OS X doesn't list all printable symbols, so on OpenBSD I was
able to see who compiled this binary from environment variables packed into the
binary. Chances are it's someone who had their computer hijacked.
...
03wnh{ul7yffwqtvs!vcd2gxr5vl{xjgisx5fvvrpriwyy2F|qvvgnB
pwe|hxlw}".i$0nl#hyrmmgjyoru)$Tejjwo%'ru!vywsoqn)viir0%3h'0npk$+Fiwp g#+$6j&%y~p
!wg{nvwc+vfpp)fvssrebxmxs&_ce$Tejjwo_ce$]r`wiu#QjxbWg{nvw'e^]&
...
/Users/janetlev/macwebtools/WebHelper/
...
So there is ciphertext in the binary, as you can see. I did find the janetlev
user string in there as well. She's likely innocent; I don't accuse her.
And finally I'd like to show an lsof output of the WebShoppy active in the
system before we wiped it.
WebShoppy 491 mydadsuser cwd DIR 1,2 1224 2 /
WebShoppy 491 mydadsuser txt REG 1,2 56664 19581804 \
/Applications/WebShoppy/WebShoppy
WebShoppy 491 mydadsuser txt REG 1,2 600832 15963057 \
/usr/lib/dyld
WebShoppy 491 mydadsuser txt REG 1,2 344538318 19594212 \
/private/var/db/dyld/dyld_shared_cache_x86_64
WebShoppy 491 mydadsuser 0r CHR 3,2 0t0 306 \
/dev/null
WebShoppy 491 mydadsuser 1w CHR 3,2 0t0 306 \
/dev/null
WebShoppy 491 mydadsuser 2w CHR 3,2 0t0 306 \
/dev/null
It doesn't seem to be doing too much. Perhaps it does things on a timer basis.
If anyone has hints on how I could have done the analysis or post-analysis any
better let me know.
Organized Crime is the Enemy
January 8th, 2016
When you think of safety, you are naive to think you'll get it anywhere after
the sun goes down. Be smart, don't put yourself in situations where you're
defenseless, avoid hotspots. In Cologne ruthless gangs of organized criminals
roamed the train station on New Year's Eve. The police were helpless, due to
being outnumbered. One may now think of how to bring the individuals to
justice, and face recognition technology comes to mind. Where will it end
us up though? In a totalitarian society where everyone's face is recognized
in real time?
One thing to remember is that it was organized crime that
terrorized the few women and men who were rather defenseless. But the herd of
sheep now know the wolf is about, and we need to think of ways to protect
ourselves. For one, strong cryptography in voice and data is needed, and
should not be backdoored. When organized crime does things they do it big and
they want to get at the next victim's online banking. Be smart, keep the
crypto strong; it is a foundation, a pillar for fighting the evil in society
who group up. We know the wolf exists now and isn't just a fable. We need
the right tools to combat him while keeping our society with its laws and
freedoms intact and sturdy.
Donation time
January 6th, 2016
I have donated 100 euros to Theo de Raadt and OpenBSD. He'll have to get me
really angry for me to donate to the foundation and even more angry for me to
not donate, lol.
The invisible man
January 3rd, 2016
Have you ever wanted to go offline for good? No Internet for the NSA to track
you. No online marketing. No email, and in my case no job. Believe it or
not, I went offline for about a year in 2001. I was misinformed when 9/11
happened, having only an FM radio to get my information. But imagine if an
offline life was manageable. Can we do this at all? Make my workstations
PCs again, meaning it really is a personal computer and not a cloud
extension. I'm interested in organizations who facilitate an offline life.
Would I take the leap?
How hard can changing a password be?
January 1st, 2016
In my network, which consists of 1 access point and 2 repeaters to create
a WLAN bridge between 3 routers, I tried to change the Wifi password.
Simple, I thought. I'd start with the repeater furthest away from me and
change its WLAN password, then do the same on the access point and the same
for the repeater closest to me. Was I in for a mental boxing match which I
did not win. The repeaters decided they did not want to accept the access
point because somehow I had WPS set to active, or was that it? Or was it the
"hidden" link to find which station to connect to, which had a password of its
own? I still don't know what I did exactly to make these repeaters finally
connect to my AP. On top of that they changed their IPs and I had to
reconfigure my router to even connect to them. Talk about making a function
hard, when it should be as simple as changing a light bulb! No kudos go
to AVM with their Fritz line of access points and repeaters. They still
owe me one regardless, due to losing ARP packets on their AP. Why did I
ever invest in crap?
When a book loses significance
January 1st, 2016
It's 2016. The following book has lost its significance.
This is the third edition of DNS and BIND, and it doesn't cover bind9 and it
doesn't cover DNSSEC. However, this book guided me for a while when I was
writing on delphinusdnsd prior to writing the DNSSEC code. I can only put this
book back into my bookshelf because it looks good. But that's about it.
I would recommend the authors' works to anyone; they are written in an easy
to understand fashion. Just don't get an old book like this one :-).
Powered by BCHS