<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecuriTeam Blogs &#187; Prozacgod</title>
	<atom:link href="http://blogs.securiteam.com/index.php/archives/author/prozacgod/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.securiteam.com</link>
	<description>Thoughts about the world of security</description>
	<lastBuildDate>Tue, 15 May 2012 05:11:30 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Anecdotal story about myself, worm writing and Emergent behavior in Worms</title>
		<link>http://blogs.securiteam.com/index.php/archives/702</link>
		<comments>http://blogs.securiteam.com/index.php/archives/702#comments</comments>
		<pubDate>Thu, 26 Oct 2006 20:33:47 +0000</pubDate>
		<dc:creator>Prozacgod</dc:creator>
				<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Funny]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://blogs.securiteam.com/index.php/archives/702</guid>
		<description><![CDATA[When I first started [I was about 13 &#038; 1/2] working with computers I was really interested in figuring out how they &#8216;did what they did&#8217;. So much so that I was tinkering with assembler within 6 months of getting a computer, not that I accomplished much at that time. I didn&#8217;t have internet access [...]]]></description>
			<content:encoded><![CDATA[<p>When I first started [I was about 13 &#038; 1/2] working with computers I was really interested in figuring out how they &#8216;did what they did&#8217;.  So much so that I was tinkering with assembler within 6 months of getting a computer, not that I accomplished much at that time.  I didn&#8217;t have internet access so my only &#8216;escape&#8217; from the real world was delving deeper into the machine.  I quickly developed programming skills and was becoming trapped by the limits imposed in QuickBasic (hey, we all learn somewhere :D ).  I went back to looking at assembler since I knew I could encode byte code into the BASIC programs.  After that I made some great mode 13 games and demos.<span id="more-702"></span><strong>note:</strong> I tend to explain stories with stories! Please forgive the length of this.</p>
<p>A friend of mine, who was a year younger than me at this time, was talking about his new job.  He was writing code for a local company.  This is extremely odd, since I live in a town of about 2500 people.  I took a disk of my programs and went there.  He hired me on the spot, and then introduced me to Pascal and loaned me a 200 MHz Pentium with 32 MB of RAM (a $4000 machine at that time.  I think it also had 10 GB of SCSI disk space!)</p>
<p>Anyway, past the amazingly boring back story.  After I had worked there off and on for about 4 years, I was starting to notice more and more security problems with the application.  The application relied on code that was ported from DOS into Windows 95/98.  It was the database access.  He had written his own flat-file &#038; index database scheme.  This required that the user running the application run it from a share over the network.  Complicated file locking schemes allowed multiple users to access the data.  Except for one holdover from the original DOS code: you had to share your entire drive.  Yup, the whole thing, with full read/write access.  The reasons were convenience, and there were several document folders and other things that the application accessed.  Generally most people installed this program onto their C drive.  So 90% of the owners of this application were sharing their C drive out to people.  Considering that their market is small, they did have (and currently still do) more than 50% of their market, at about 4500+ users.</p>
<p>When access to the internet became more pervasive and broadband was becoming affordable for companies, I realized we had a problem.  And to illustrate this problem, I &#8216;exploited&#8217; the security holes.<br />
This was a simple worm, simple enough, I figured, to just show what issues we were facing and what we were forcing our customers to do.  No one in the company ever listened to my suggestions of simple steps to mitigate the problem, such as making a couple of file shares: a read-only executable directory, a read/write data directory, and several other shares to allow access to the network documents and other things.  To them this complicated things on the end user&#8217;s side too much.  Also, to do tech support, 90% of all the employees in the building shared their C drives and their program folders.<br />
The worm used an old exploit in Win98 dealing with the explorer.exe execution and the path.  When Windows started it executed the shell as &#8216;explorer.exe&#8217;.  And as you should know, to execute a program the OS searches the path.  Explorer.exe was placed in the Windows folder.  But it turns out that the computer had a default path of C:\;C:\WINDOWS;  If you were to place an explorer.exe into the root of C:, well, I&#8217;m sure you can see where this is going.</p>
<p>Once executed, my program would immediately execute the real explorer.  And then wait 2 minutes.  After 2 minutes it would look for all computers on the network, and find folders that matched the criteria of being a &#8216;root&#8217; share (I believe I tested that a &#8216;Program Files&#8217; directory and the windows/explorer.exe file were both there).  Once a share was found, it attempted to copy itself to that share.  After it copied itself to ALL available shares, it would play a sound resource, the laugh of that Mutley dog character.  It would wait one minute, laugh again, and then 30 seconds, and laugh again.</p>
<p>Once I was done writing and testing the code, I unleashed it unto the local network. I left work that night, not knowing how many computers I had infected in my first round.</p>
<p>When I came to work the next morning, all you could hear around the office was the sound of Mutley; you would hear that laugh at least 3 times once every half hour.  There were about 50 computers in the office.  The jig was up.  The IT dept. had no clue what was going on, because Norton didn&#8217;t detect it.  Honestly they never had a clue.</p>
<p>After I figured my point was made, and nobody had figured out what was going on, I ran the program I wrote to &#8216;clean up&#8217; the mess.  It went around deleting explorer.exe files that matched the md5 sum of the original release.<br />
All is well, I thought.  At least I thought it would be well.  Within about 3 hours, machines started laughing again.  I ran my program and 20-ish infections were found; the first run had almost 100% saturation, as in, of all the machines I could see, most of them had the worm.</p>
<p>After I ran it, and deleted the files, I thought phew, they&#8217;re all gone.  I ran it a second time just to make sure.  Turns out, little did I know, that computers that are powered off tend not to communicate with the network.</p>
<p>When I arrived at work the next day, again computers were laughing and I swear I was starting to go pale.  I never expected this to be so amazingly pervasive.  It seems logical that if you install it on all the computers that are visible on the network, and all of those machines installed it to visible computers, you&#8217;d just have to delete it from all the visible computers.  Wrong!  Well, sorta.  It turns out that each computer that got the worm installed on it had different notions of what constituted a visible computer.  Also, a few people who &#8216;upped&#8217; their security with passwords on their shares were actually harboring the worm from my cleanup program.  The worm got installed on those computers through other people who had the passwords; somehow my worm would get access to those computers.  My only conclusion at that point was that some people had mapped network drives to password-protected shares, with saved passwords.  This allowed the bug, because of Windows&#8217; propensity to just do what is convenient, to install itself on those computers.  I never verified this, so it could be wrong.</p>
<p>I realized what I had to do, and I talked to my manager; he laughed at me, and said he thought it was annoying but mildly humorous.  I told him I would stay after and go to each of the 50 computers in the office and delete it manually.  He was really impressed at the emergent behavior of the worm, since he was actually working on some genetic algorithms in his free time.</p>
<p>I spent that evening cleaning up the worm.  Took forever; I had to take the network switch offline, go to the few computers that were needed after hours and clean them first, then connect their cables back to the switch and get them up and running.</p>
<p>After I did that I figured now all would be good.  Until the next Monday, that is.  On Monday I got a report from the IT guys that one of the training laptops was booted up and... was laughing.  They were gone from mid-week over the weekend and had returned.  They heard the laughing but didn&#8217;t know what it was nor how to fix it.</p>
<p>They didn&#8217;t even bother to call IT; they just ignored it whilst onsite.  Not only that, they plugged into a customer&#8217;s network.</p>
<p>I cleaned up the laptops, but they had already left their mark.  Most of the computers on the network were reported infected by my tool, and by the late afternoon, it felt as if all of the machines were laughing at me.</p>
<p>I stayed yet again to fix all of the machines that were infected.  This was starting to feel like a ritual.  After this last time, it was over.  The managers who knew about it hid that I had done it from those who would not be happy.  Though most people knew I did it, the &#8216;man in charge&#8217; did not.  Which was good, because I would have probably lost my job.  So I never really got to prove my point; all I did was make a massive headache for myself.  Not only did I not achieve my end goal, it seems that life always finds a way.</p>
<p>6 months after everything had died down and most had forgotten the whole ordeal, I was sitting at my computer desk, which had been moved across the prairie and right next to the IT room.  From behind the doors, I heard a disturbing sound.  A coworker who heard it at the same time looked straight at me, asked me if I had seen a ghost, and smiled.  He knew why I was damn near pale white.</p>
<p>Turns out, while that whole mess was going on 6 months ago, one of our founder&#8217;s children, who works as a missionary in Mexico, took a computer with him down to the missionary camp.  Well &#8211; he came back.  His computer was &#8216;messed up&#8217; and they could not get it to boot.  So they removed the hard drive, stuck it in another computer, and proceeded to boot it up.  That action installed the worm all over again.  Only this time we were up to 70+ computers, and it took me almost a week to fix it and remove the worm.  After that it never came back.</p>
<p>Okay, this amazingly long-winded story has a few lessons learned.  Number one, I don&#8217;t think anyone would write a virus/worm if they were the ones who would have to clean up after themselves.  Second, I never realized it, but emergent patterns start to form with the spread of this worm, or any; it almost seemed alive at times, and it was crazy to watch all of this unfold.  Third, if you&#8217;re going to write a worm, make sure it doesn&#8217;t advertise!  Especially since any time I hear the Mutley laugh I cringe horribly.  I was under the naive impression that the bug would never spread out of the local network.  I couldn&#8217;t imagine how, since it infected the hard drive.  I had never considered that we had laptops that went to customer sites and then plugged into their network.  I don&#8217;t really know if the bug ever got out in the wild, but there were two incidents that could have made it possible.  Though I&#8217;ve still never heard of w32.mutley ;)<br />
Okay, for those of you who wish to scold me for creating devious programs, save your breath.  I learned my lesson, in more ways than this, but we&#8217;ll just leave it at that.</p>
<p>Oh yeah, BTW, the whole point of the mess with the shares: well, they never changed a thing.  In order to run that app you have to share your whole drive with read/write access.  They do suggest using domains and passwords, but ANY user can change ANY file in the shared folder.  So a worm that wants to spread could easily exploit a simple exe swap trick to infect other computers on a network.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.securiteam.com/index.php/archives/702/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Very big spam list</title>
		<link>http://blogs.securiteam.com/index.php/archives/691</link>
		<comments>http://blogs.securiteam.com/index.php/archives/691#comments</comments>
		<pubDate>Fri, 20 Oct 2006 16:40:55 +0000</pubDate>
		<dc:creator>Prozacgod</dc:creator>
				<category><![CDATA[Commentary]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://blogs.securiteam.com/index.php/archives/691</guid>
		<description><![CDATA[I inadvertently became the owner of a copy of a HUGE list of email addresses used by spammers. The list includes about 23 1/2 million addresses. This is quite an interesting conundrum. Ethically, do I alert the spammers of their mistake, which allowed one of our customers to download these files (open directory browsing). Do [...]]]></description>
			<content:encoded><![CDATA[<p>I inadvertently became the owner of a copy of a HUGE list of email addresses used by spammers.  The list includes about 23 1/2 million addresses.</p>
<p>This is quite an interesting conundrum.  Ethically, do I alert the spammers of their mistake, which allowed one of our customers to download these files (open directory browsing)?  Do I do nothing?  Should I write an email that states &#8220;I represent the following people attached to this email, and they demand they are removed from your list at once&#8221;?</p>
<p>I find the latter part quite amusing.  Although I don&#8217;t truly represent them, and it would be a lie, I doubt a single soul on that list would really argue.  But 1 out of 23 million is actually quite possible ;) </p>
<p>Interestingly, a little more than half of those people on the list are referred to as &#8216;adult&#8217; customers.<br />
What would you do?  Or rather, what should I do with this list?  I cringe at the thought of what a friend had told me: &#8220;Start a torrent and post it to mininova&#8221; &#8211; I&#8217;m glad he didn&#8217;t end up with the list!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.securiteam.com/index.php/archives/691/feed</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Windows assembler buffer overflow code questions</title>
		<link>http://blogs.securiteam.com/index.php/archives/633</link>
		<comments>http://blogs.securiteam.com/index.php/archives/633#comments</comments>
		<pubDate>Fri, 22 Sep 2006 14:33:39 +0000</pubDate>
		<dc:creator>Prozacgod</dc:creator>
				<category><![CDATA[Commentary]]></category>

		<guid isPermaLink="false">http://blogs.securiteam.com/index.php/archives/633</guid>
		<description><![CDATA[I disassembled the code snippet that came with the VML buffer overflow, and was interested in making it more &#8216;mundane&#8217; like a hello world example exploit &#8211; I know kinda lame, but I was doing this to understand more on how a random piece of code can &#8216;figure&#8217; out its address space and do malicious [...]]]></description>
			<content:encoded><![CDATA[<p>I disassembled the code snippet that came with the VML buffer overflow, and was interested in making it more &#8216;mundane&#8217;, like a hello world example exploit &#8211; I know, kinda lame, but I was doing this to understand more about how a random piece of code can &#8216;figure&#8217; out its address space and do malicious things..</p>
<p><span id="more-633"></span>  I don&#8217;t understand how to call a Windows kernel function.  I see the other code doing it, but there is a complicated mix of code that eventually sets <strong>esi</strong> to point to a table for the library calls: [esi+0x4] = KERNEL32.GetSystemDirectoryA,  [esi+0x10] = urlmon.URLDownloadToFileA</p>
<p>I think the code in the exploit builds a lookup table at ESI and then calls the functions as required; I&#8217;m not sure how it does that, and how it knows where the calls are located.</p>
<p>Is there a reference or a good tutorial/howto or an &#8216;exploit code for dummies&#8217; book?</p>
<p>Also, I have a lack of good assembler tools, so I resorted to what I know &#8211; don&#8217;t hurt me &#8211; raw byte code &#8211; and using Borland Delphi&#8217;s debugger to parse through it.  Anyone got recommendations on an assembler/disassembler, perhaps a good editor or IDE for such a conglomeration under Windows?</p>
<p>I find it amazing that I haven&#8217;t touched asm in 4 years or better but still haven&#8217;t really forgotten much.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.securiteam.com/index.php/archives/633/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>PHP &amp; Militarizing input variables ..</title>
		<link>http://blogs.securiteam.com/index.php/archives/631</link>
		<comments>http://blogs.securiteam.com/index.php/archives/631#comments</comments>
		<pubDate>Fri, 22 Sep 2006 13:15:01 +0000</pubDate>
		<dc:creator>Prozacgod</dc:creator>
				<category><![CDATA[Commentary]]></category>

		<guid isPermaLink="false">http://blogs.securiteam.com/index.php/archives/631</guid>
		<description><![CDATA[While pondering good material to actually write about, I was going through a PHP library I had written a while back. Some simple possibly overkill variable validation routines to verify what I was passing was truly intended. The library made use of a small set of utility functions. The library was called militarized.php some basic [...]]]></description>
			<content:encoded><![CDATA[<p>While pondering good material to actually write about, I was going through a PHP library I had written a while back.  Some simple, possibly overkill, variable validation routines to verify that what I was passing was truly intended.</p>
<p><span id="more-631"></span> The library made use of a small set of utility functions.  The library was called militarized.php; some basic examples of what it had were defined as:</p>
<blockquote><p>militarize_integer($integer, $min, $max)<br />
militarize_string($string, $min_len, $max_len)<br />
militarize_set($string, $min_len, $max_len, $expected)<br />
demilitarize_integer($integer, $min, $max)<br />
demilitarize_string($string, $min_len, $max_len)<br />
demilitarize_set($string, $min_len, $max_len, $expected)</p></blockquote>
<p>Each of these functions was used at the beginning of a library function that HAD to have trusted variables, such as:</p>
<blockquote><p>function fetchUserDetails($uid) {<br />
&nbsp;&nbsp;&nbsp;&nbsp;$uid = demilitarize_integer($uid, 1, 100000);  // arbitrary maximum of 100000 users<br />
&nbsp;&nbsp;&nbsp;&nbsp;$q = "select * from users where uid='$uid'";<br />
}</p></blockquote>
<p>The idea here was that a militarized variable was expected, and was formatted as an associative array with the keys &#8216;mil&#8217;, &#8216;value&#8217;, &#8216;min&#8217; and &#8216;max&#8217;.  Obviously you couldn&#8217;t just use the variable in your code &#8216;as is&#8217;; when passed, you had to demilitarize it, and second, if you didn&#8217;t pass the right type, your code would fail.  The code would also fail if the variable did not pass certain tests.  For integers this would be a range, for strings this would be length, and for a set this would be length and the presence of said string in an array.</p>
<p>Using this library also helped in asserting, during development, your intentions, because you had to call the function using the militarize_XXX routine, as in:</p>
<blockquote><p>fetchUserDetails(militarize_integer($_GET['uid'], 1, 100000));</p></blockquote>
<p>So, what does everyone think about this?  Simple enough, and very assertive as to what you intend to do.  Is this overkill, or do you think it&#8217;s appropriate?  This does double up quite a lot in actually testing variables, as an integer variable with range 1-10 does not match an integer variable with range 1-100.  I never completed coding the tests for sets to have comparative arrays; I just checked the presence during the demilitarized side of things.  I also hardly used sets anyway, and ended up using integers where possible.  The only place I can remember using a set of strings was where the user could create the list of keys themselves and the list was dynamic.  I would fetch the list, assert the value was in the list, and push it through..</p>
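<p>A reconstruction of the pattern described above, added here as an example; it is not the original militarized.php.  The function names and the &#8216;mil&#8217;, &#8216;value&#8217;, &#8216;min&#8217; and &#8216;max&#8217; keys are the post&#8217;s; the &#8216;set&#8217; key, the exception classes, the in-memory user table standing in for the SQL query, the constructed request input, and the PHP 7.4+ requirement (arrow functions) are assumptions made for this example:</p>

```php
<?php
declare(strict_types=1);

// Reconstruction of the militarize/demilitarize idea from the post. This is
// example code, not the original militarized.php. Function names and the keys
// 'mil', 'value', 'min', 'max' follow the post; the 'set' key, the exception
// classes and the in-memory USERS table are assumptions. Requires PHP 7.4+.

function militarize_integer($value, int $min, int $max): array
{
    // Accept an int, or a string that is exactly a decimal integer (which is
    // what $_GET delivers). "12abc", "1e3", " 12" and "2' or '1'='1" all fail.
    if (is_string($value) && preg_match('/\A-?(?:0|[1-9][0-9]*)\z/', $value) === 1) {
        $value = (int) $value;
    }
    if (!is_int($value) || $value < $min || $value > $max) {
        throw new InvalidArgumentException("not an integer in [$min, $max]");
    }
    return ['mil' => 'integer', 'value' => $value, 'min' => $min, 'max' => $max];
}

function militarize_string($value, int $min_len, int $max_len): array
{
    if (!is_string($value) || strlen($value) < $min_len || strlen($value) > $max_len) {
        throw new InvalidArgumentException("not a string of length [$min_len, $max_len]");
    }
    return ['mil' => 'string', 'value' => $value, 'min' => $min_len, 'max' => $max_len];
}

function militarize_set($value, int $min_len, int $max_len, array $expected): array
{
    $m = militarize_string($value, $min_len, $max_len);
    if (!in_array($value, $expected, true)) {   // strict: no "0" == "abc" surprises
        throw new InvalidArgumentException('value is not a member of the expected set');
    }
    return ['mil' => 'set', 'set' => $expected] + $m;   // left-hand 'mil' wins the union
}

// Demilitarizing repeats the value test and additionally requires the bounds
// the callee declares to match the bounds the variable was militarized with,
// so a value checked against 1..10 cannot slip into a function documenting
// 1..100000. Anything that is not a militarized array is refused outright.
function demilitarize_integer($m, int $min, int $max): int
{
    if (!is_array($m) || ($m['mil'] ?? null) !== 'integer'
        || ($m['min'] ?? null) !== $min || ($m['max'] ?? null) !== $max) {
        throw new LogicException("expected a militarized integer with bounds [$min, $max]");
    }
    return militarize_integer($m['value'] ?? null, $min, $max)['value'];
}

function demilitarize_string($m, int $min_len, int $max_len): string
{
    if (!is_array($m) || ($m['mil'] ?? null) !== 'string'
        || ($m['min'] ?? null) !== $min_len || ($m['max'] ?? null) !== $max_len) {
        throw new LogicException("expected a militarized string of length [$min_len, $max_len]");
    }
    return militarize_string($m['value'] ?? null, $min_len, $max_len)['value'];
}

function demilitarize_set($m, int $min_len, int $max_len, array $expected): string
{
    if (!is_array($m) || ($m['mil'] ?? null) !== 'set' || ($m['set'] ?? null) !== $expected) {
        throw new LogicException('expected a militarized set member');
    }
    return militarize_set($m['value'] ?? null, $min_len, $max_len, $expected)['value'];
}

// Constructed stand-in for the users table so the example runs without a database.
const USERS = [1 => ['uid' => 1, 'name' => 'alice'], 2 => ['uid' => 2, 'name' => 'bob']];

function fetchUserDetails($uid): ?array
{
    $uid = demilitarize_integer($uid, 1, 100000);   // arbitrary maximum of 100000 users
    // Against a real database the same gate sits in front of a parameterised query:
    //   $st = $pdo->prepare('select * from users where uid = ?'); $st->execute([$uid]);
    return USERS[$uid] ?? null;
}

// Usage as in the post: the call site states what it intends to pass.
$get = ['uid' => '2'];                                   // constructed stand-in for $_GET
echo fetchUserDetails(militarize_integer($get['uid'], 1, 100000))['name'], "\n";   // bob

// Each of these is refused before any query could be built.
$attempts = [
    fn() => militarize_integer("2' or '1'='1", 1, 100000),      // injection text is not an integer
    fn() => militarize_integer('0', 1, 100000),                 // out of range
    fn() => fetchUserDetails('2'),                              // raw, unmilitarized value
    fn() => fetchUserDetails(militarize_integer('2', 1, 10)),   // bounds do not match the callee's
    fn() => militarize_set('delete', 1, 10, ['view', 'edit']),  // not in the allowed set
];
foreach ($attempts as $attempt) {
    try {
        $attempt();
    } catch (LogicException $e) {   // InvalidArgumentException is a LogicException subclass
        echo get_class($e), ': ', $e->getMessage(), "\n";
    }
}
```

<p>Two points the reconstruction makes explicit.  The bounds comparison in the demilitarize functions is what makes &#8220;range 1-10 does not match range 1-100&#8221; fail, which is the doubling-up the post describes.  And a validated integer still goes through a placeholder rather than string interpolation when a real query is built; the gate narrows the input, the parameterised query removes the remaining dependence on the SQL quoting.</p>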
]]></content:encoded>
			<wfw:commentRss>http://blogs.securiteam.com/index.php/archives/631/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cthulhu fhtagn</title>
		<link>http://blogs.securiteam.com/index.php/archives/625</link>
		<comments>http://blogs.securiteam.com/index.php/archives/625#comments</comments>
		<pubDate>Thu, 21 Sep 2006 13:34:48 +0000</pubDate>
		<dc:creator>Prozacgod</dc:creator>
				<category><![CDATA[Commentary]]></category>

		<guid isPermaLink="false">http://blogs.securiteam.com/index.php/archives/625</guid>
		<description><![CDATA[Since I’m new to Securiteam I feel that an introduction is required, so you may understand who I am and what I stand for. This post will not discuss security directly, but more of where I feel computers are going and, as a person interested in security, where I wish computers to go.]]></description>
			<content:encoded><![CDATA[<p>Since I&#8217;m new to <a href="http://www.securiteam.com/">Securiteam</a> I feel that an introduction is required, so you may understand who I am and what I stand for.  This post will not discuss security directly, but more of where I feel computers are going and, as a person interested in security, where I wish computers to go.</p>
<p>&#8220;Cthulhu fhtagn&#8221; &#8211; When referring to computer security, no one phrase can honestly say more than this for me.  Inside each and every machine a monster lurks; this monster is nothing more than bits and bytes, with execution on its mind.  Execution of what is the next question.  It has no feelings, and it&#8217;s above morality; all it really wants to do is push the next set of instructions down its pipelines.  Whatever instructions it gets, it runs.  For this reason and this reason alone we as users need to understand what we want and desire from our machines.<span id="more-625"></span></p>
<p>In a way this is a declaration of what my computer should do for me.  This is a simple declaration, because when you get down to it, computers are incredibly simple.  They are so simple, in fact, that in order to run them you have to make a complex assortment of simple commands &#8211; all chained together like DNA.  This DNA commands the machine.  Like our own DNA it is subject to an innumerable number of attacks.  Unlike in biology, mutations are not likely to just randomly occur in a computer; this is by design, so when we use our computers we expect them to work as designed and without mutation.</p>
<p>Unfortunately there are others out there who thrive on producing mutations.  I will describe them as the &#8220;Cult of Cthulhu&#8221;, helping to unleash a beast from within and wreak havoc on those that occupy cyberspace.  Now I am not suggesting these people are bad.  On the contrary, these people are there to awaken the ancient monster.  Perhaps they are just misguided, but on occasion they release his daemons.  And we get a glimpse of the whole &#8211; a glimpse of how to prevent the beast from ever coming to be.  This helps us to understand the mutations, to protect against future mutations and to perhaps stop the beast.</p>
<p>I swear to no innate knowledge or ability that is better than the next.  I can only claim two things: to do as I can and to understand as much as I can.  I am a beginner as far as actively researching security, and I&#8217;m learning an incredible amount as of late.  I&#8217;ve been quite familiar with the internal operations of the beast, or machines, for some time.  And I hope to be enlightened and to enlighten others.</p>
<p>&#8220;That is not dead which can eternal lie.&#8221;  That is what we are up against.  <em>Cthulhu fhtagn</em> &#8211; Indeed.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.securiteam.com/index.php/archives/625/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

