Centroid.EU Blog

Delphinusdnsd - ironing out the DNSSEC bugs

January 22nd, 2016

I have started signing my personal zones. I'm the only one using them with my family so I can do this. I ran into some trouble yesterday and today with DNSSEC replies. Also reply_mx() in delphinusdnsd didn't like DNSSEC. I have stripped out the offending code but I'm gonna have to revisit it. For anyone who is trying to run this, wait for the 1.0.1 release which will come out soon, or use tonight's snapshot from -current (midnight CEST) to get the MX and NSEC3 fix. Sorry if anyone was bitten by this, but I only had 1 DNSSEC test zone, and several zones are now unearthing bugs. I have my weekend planned for writing on this.


What's up or down with the Canadian Dollar?

January 21st, 2016

About three months ago I was exchanging my Canadian pay and I was getting what was reasonable money back. Today I'd be getting 144 Euros less. That doesn't seem reasonable. I am still patient but patience is running thin; I may have to re-negotiate my work contract to be paid in a more stable currency.


Preparing to sign my zones -> DNSSEC

January 20th, 2016

I still haven't signed the rest of my zones. I will do that in the coming days and see if it works. I hope so. Delphinusdnsd is capable I think. No one is downloading it yet though, dunno why.


To Human Artificial Systems

January 19th, 2016

Money markets are mainly artificial. They exist only in our minds, with consequences on the body when there is a lack of resources. Let me say this. Would the stock market collapse when a star in the center of the galaxy collides with a black hole? No. Why not??? We have a brilliant way to look beyond the earth's (which we think we've conquered) hemisphere to the stars. Just because we are shielded does not exclude us from events happening in our cosmic neighbourhood. We need to include some reality with our artificial systems. Don't get me started on the price of oil either.


Dissecting WebShoppy Mac OS X trojan

January 9th, 2016

My dad got a virus on his Mac (Snow Leopard OS X I think). Before we reinstalled it with El Capitan I saved the binary, the install script, and an lsof output of this trojan called WebShoppy.

First I unpack the tarball I made. First impressions: there is a ._3166.sh file that was copied along with the 3166.sh script when I made the tarball, possibly a trait of the virus.

alpha$ tar -xvzf ws.tgz
ws
ws/._3166.sh
ws/3166.sh
ws/list.open
ws/WebShoppy

Let's take a look at this ._3166.sh file. It seems to be binary, so I'm going to hexdump it.

alpha$ hexdump -C ._3166.sh
00000000  00 05 16 07 00 02 00 00  4d 61 63 20 4f 53 20 58  |........Mac OS X|
00000010  20 20 20 20 20 20 20 20  00 02 00 00 00 09 00 00  |        ........|
00000020  00 32 00 00 00 79 00 00  00 02 00 00 00 ab 00 00  |.2...y..........|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000050  00 00 00 00 41 54 54 52  00 00 00 00 00 00 00 ab  |....ATTR........|
00000060  00 00 00 9c 00 00 00 0f  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 01  00 00 00 9c 00 00 00 0f  |................|
00000080  00 00 17 63 6f 6d 2e 61  70 70 6c 65 2e 54 65 78  |...com.apple.Tex|
00000090  74 45 6e 63 6f 64 69 6e  67 00 00 00 75 74 66 2d  |tEncoding...utf-|
000000a0  38 3b 31 33 34 32 31 37  39 38 34                 |8;134217984|
000000ab
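
The header of that dump (magic 00 05 16 07, version 2, the "Mac OS X" filler, an ATTR block naming com.apple.TextEncoding) is the AppleDouble format that tar on Mac OS X writes as ._name to carry a file's extended attributes. As an added example that is not part of the original post, this Python parser decodes the bytes shown in the hexdump into the one attribute they hold; it assumes the layout Apple's copyfile implementation uses (32-byte Finder Info plus two pad bytes ahead of the ATTR header), and the byte string is re-typed from the dump above.

```python
import struct

# Constructed input: the 171 bytes of ._3166.sh as shown in the hexdump.
APPLEDOUBLE_DUMP = bytes.fromhex("".join([
    "00051607 00020000",                     # AppleDouble magic, version 2
    "4d6163204f532058 2020202020202020",     # 16-byte filler "Mac OS X        "
    "0002",                                  # two entries follow
    "00000009 00000032 00000079",            # entry 9: Finder Info at 0x32, length 0x79
    "00000002 000000ab 00000000",            # entry 2: resource fork at 0xab, length 0
    "00" * 32 + "0000",                      # zeroed Finder Info plus 2 pad bytes
    "41545452 00000000 000000ab",            # "ATTR", debug_tag, total_size
    "0000009c 0000000f",                     # data_start, data_length
    "00000000 00000000 00000000 0000 0001",  # reserved[3], flags, num_attrs = 1
    "0000009c 0000000f 0000 17",             # attr entry: offset, length, flags, namelen
    b"com.apple.TextEncoding\0".hex() + "0000",  # name (23 bytes incl. NUL), pad to 4
    b"utf-8;134217984".hex(),                # attribute value, 15 bytes
]))


def appledouble_xattrs(blob):
    """Return {xattr name: value bytes} stored in an AppleDouble (._name) file.
    Assumed layout (Apple copyfile.c): Finder Info entry = 32 bytes + 2 pad bytes,
    then an 'ATTR' header followed by a table of attribute entries."""
    magic, version, _filler, nentries = struct.unpack_from(">II16sH", blob, 0)
    if magic != 0x00051607 or version != 0x00020000:
        raise ValueError("not an AppleDouble version 2 file")
    entries = {}
    for i in range(nentries):
        eid, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        entries[eid] = (off, length)
    if 9 not in entries or entries[9][1] <= 34:
        return {}                              # no room for an ATTR block
    hdr = entries[9][0] + 34
    if blob[hdr:hdr + 4] != b"ATTR":
        return {}
    (_dbg, total, _start, _dlen, _r0, _r1, _r2, _flags,
     nattrs) = struct.unpack_from(">IIIIIIIHH", blob, hdr + 4)
    if total > len(blob):
        raise ValueError("ATTR total_size exceeds file length")
    attrs, pos = {}, hdr + 36
    for _ in range(nattrs):
        off, length, _eflags, namelen = struct.unpack_from(">IIHB", blob, pos)
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode("utf-8")
        if off + length > total:
            raise ValueError(f"attribute {name!r} points outside the file")
        attrs[name] = blob[off:off + length]
        pos = (pos + 11 + namelen + 3) & ~3   # entries are padded to 4-byte boundaries
    return attrs
```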

Next I will show you parts of the 3166.sh script which was placed in the $HOME of my dad's user.

...
# existing check
brands=(flashmall webshoppers webshoppy smartshoppy)
brandExists=false
for currBrand in "${brands[@]}"; do
    if [ `pgrep -i $currBrand | wc -l` -gt 0 ]; then
        brandExists=$currBrand
    fi
done
...

Here it checks whether any of the following four programs is already running on this computer. However, it clobbers brandExists on every match, so if more than one of the four is running only the last one checked survives.

...
    # user
  sudo -u $INSTALLER_USER launchctl unload $plist_user >> ${mmtmp}/${insname}.log 2>&1
  sudo -u $INSTALLER_USER /bin/rm -f $plist_user
  sudo -u $INSTALLER_USER cp $orig_plist_path $plist_user
  sudo -u $INSTALLER_USER launchctl load $plist_user  >> ${mmtmp}/${insname}.log 2>&1
...

It will then add what amounts to a crontab-like entry via launchctl, registering itself with the system so that it always starts up on every boot. In the script's case plist_user is $HOME/Library/LaunchAgents/com.WebShoppy.agent.plist.
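
The two checks just discussed, the running-process brand loop and the LaunchAgent registration, are what a defender would look for on a machine suspected of carrying this trojan. This added Python code is not part of the original post or of the script: it mirrors the brand check but keeps every match instead of only the last one, and it parses LaunchAgent plists for the com.WebShoppy.agent.plist indicator; the sample process list and plists are constructed here from the names the post gives.

```python
import plistlib

# Brand names the installer script greps for, and the persistence artefacts the post names.
BRANDS = ("flashmall", "webshoppers", "webshoppy", "smartshoppy")
AGENT_PLIST = "com.WebShoppy.agent.plist"
AGENT_BINARY = "/Applications/WebShoppy/WebShoppy"


def running_brands(process_names):
    """Every brand with a running process (case-insensitive, like pgrep -i),
    not just the last one as the installer's clobbering loop reports."""
    lowered = [name.lower() for name in process_names]
    return [brand for brand in BRANDS if any(brand in name for name in lowered)]


def launch_agent_findings(plists):
    """plists maps a LaunchAgent file name (as found in ~/Library/LaunchAgents)
    to its raw plist bytes. Returns (file name, program, runs at load) for each
    agent whose file name, Label or program path matches a WebShoppy brand."""
    findings = []
    for filename, blob in plists.items():
        try:
            pl = plistlib.loads(blob)
        except plistlib.InvalidFileException:
            findings.append((filename, "<unparseable plist>", False))
            continue
        program = pl.get("Program") or (pl.get("ProgramArguments") or [""])[0]
        haystack = f"{filename} {pl.get('Label', '')} {program}".lower()
        if any(brand in haystack for brand in BRANDS):
            findings.append((filename, program, bool(pl.get("RunAtLoad"))))
    return findings


# Constructed sample data modelled on the post: the agent the script installs plus a benign one.
SAMPLE_AGENT = plistlib.dumps({"Label": "com.WebShoppy.agent",
                               "ProgramArguments": [AGENT_BINARY],
                               "RunAtLoad": True})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.backup",
                                "ProgramArguments": ["/usr/local/bin/backup"]})
SAMPLE_PLISTS = {AGENT_PLIST: SAMPLE_AGENT, "com.example.backup.plist": SAMPLE_BENIGN}
SAMPLE_PROCS = ["launchd", "WebShoppy", "Safari", "SmartShoppy Helper"]
```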

On to the binary. What I found interesting was that its content was encrypted, but strings on Mac OS X doesn't list all printable symbols, so it was on OpenBSD that I was able to see who compiled this binary, from environment variables packed into it. Chances are it's someone who had their computer hijacked.

...
03wnh{ul7yffwqtvs!vcd2gxr5vl{xjgisx5fvvrpriwyy2F|qvvgnB
pwe|hxlw}".i$0nl#hyrmmgjyoru)$Tejjwo%'ru!vywsoqn)viir0%3h'0npk$+Fiwp g#+$6j&%y~p
!wg{nvwc+vfpp)fvssrebxmxs&_ce$Tejjwo_ce$]r`wiu#QjxbWg{nvw'e^]&
...
/Users/janetlev/macwebtools/WebHelper/
...

So there is ciphertext in the binary, as you can see. I did find the janetlev user string in there as well. She's likely innocent, I don't accuse her.

And finally I'd like to show the lsof output of the WebShoppy process active in the system before we wiped it.

WebShoppy   491 mydadsuser  cwd      DIR              1,2      1224        2 /
WebShoppy   491 mydadsuser  txt      REG              1,2     56664 19581804 \
/Applications/WebShoppy/WebShoppy
WebShoppy   491 mydadsuser  txt      REG              1,2    600832 15963057 \
/usr/lib/dyld
WebShoppy   491 mydadsuser  txt      REG              1,2 344538318 19594212 \
/private/var/db/dyld/dyld_shared_cache_x86_64
WebShoppy   491 mydadsuser    0r     CHR              3,2       0t0      306 \
/dev/null
WebShoppy   491 mydadsuser    1w     CHR              3,2       0t0      306 \
/dev/null
WebShoppy   491 mydadsuser    2w     CHR              3,2       0t0      306 \
/dev/null

It doesn't seem to be doing too much. Perhaps it does things on a timer basis.

If anyone has hints on how I could have done the analysis or post-analysis any better let me know.


Organized Crime is the Enemy

January 8th, 2016

When you think of safety, you are naive to think you'll get it anywhere after the sun goes down. Be smart, don't put yourself in situations where you're defenseless, avoid hotspots. In Cologne ruthless gangs of organized criminals roamed the train station on New Year's Eve. The police were helpless, due to being outnumbered. One may now think of how to bring the individuals to justice, and face recognition technology comes to mind. Where will it leave us, though? In a totalitarian society where everyone's face is recognized in real time?

One thing to remember is that it was organized crime that terrorized the few women and men who were rather defenseless. But the herd of sheep now know the wolf is about, and we need to think of ways to protect ourselves. For one, strong cryptography in voice and data is needed, and should not be backdoored. When organized crime does things they do it big and they want to get at the next victims' online banking. Be smart, keep the crypto strong; it is a foundation, a pillar for fighting the evil in society who group up. We know the wolf exists now and isn't just a fable. We need the right tools to combat him while keeping our society with its laws and freedoms intact and sturdy.


Donation time

January 6th, 2016

I have donated 100 euros to Theo de Raadt and OpenBSD. He'll have to get me really angry for me to donate to the foundation and even more angry for me to not donate, lol.


The invisible man

January 3rd, 2016

Have you ever wanted to go offline for good? No Internet for the NSA to track you. No online marketing. No email, and in my case no job. Believe it or not I went offline for about a year in 2001. I was misinformed when 9/11 happened, having only an FM radio to get my information. But imagine if an offline life was manageable. Can we do this at all? Make my workstations PCs again. Meaning it really is a personal computer and not a cloud extension. I'm interested in organizations who facilitate an offline life. Would I take the leap?


How hard can changing a password be?

January 1st, 2016

In my network, which consists of 1 access point and 2 repeaters to create a WLAN bridge between 3 routers, I tried to change the Wifi password. Simple, I thought. I'd start with the repeater furthest away from me and change its WLAN password, then do the same on the access point and the same for the repeater closest to me. Was I in for a mental boxing match where I did not win. The repeaters decided they did not want to accept the access point because somehow I had WPS set to active, or was that it? Or was it the "hidden" link to find which station to connect to which had a password of its own. I still don't know what I did exactly to make these repeaters finally connect to my AP. On top of that they changed their IPs and I had to re-configure my router to even connect to them. Talk about making a function hard, when it should be as simple as changing a light bulb! No kudos go to AVM with their Fritz line of Access points and Repeaters. They still owe me one regardless, due to losing ARP packets on their AP. Why did I ever invest into crap?


When a book loses significance

January 1st, 2016

It's 2016. The following book has lost its significance.

This is the third edition of DNS and BIND, and it doesn't cover bind9 and it doesn't cover DNSSEC. However this book guided me for a while when I was writing on delphinusdnsd prior to writing the DNSSEC code. I can only put this book back into my bookshelf because it looks good. But that's about it. I would recommend the author's works to anyone, they are written in an easy to understand fashion. Just don't get an old book like this one :-).

