My weblog about all things that interest me (and hopefully you): viruses, programming in general, death & black metal, certain web sites... Well, it could be anything.

Thursday, January 27, 2005

A worm for MySQL?

Slashdot has an article on what seems to be a worm propagating using MySQL on Windows that is configured with a weak root password. More information can be found here.


[Graph omitted; the original post linked to a full-size version.]

I wonder how many web servers will get severe problems because of the many attacks on port 3306...

Update: I suspect the worm is written by some Dutch person (or Belgian) because it connects to an IRC server and joins a channel named "#rampenstampen", which is typically Dutch.

Wednesday, January 26, 2005

F-Secure not so smart (screenshot)

Here is a screenshot of the page from F-Secure in case they withdraw it.

F-Secure not so smart...

I just saw an article on the weblog of F-Secure about MyDoom, where they posted a picture with a part of the source code. I haven't seen the source code yet, so I tried to find it using Google and using terms taken from the picture: shit msvc inlined it to winmain. It gives you these results. I think it's not a very smart move from F-Secure, handing out a vector to find the complete source so easily.

Friday, January 21, 2005

Obfuscating PHP code

In a magazine of 29A I saw SPTH writing a tutorial on randomizing PHP code using routines for manipulating strings. I've done something similar, yet I use the built-in parser for PHP code that is included in the Zend engine. Here's a quick example of obfuscating PHP code using the tokenizer functions from the Zend engine:
<?php

// Read this script's own source as the input to obfuscate.
$source = join("", @file(__FILE__));

// PHP 4's tokenizer reported multi-line comments as T_ML_COMMENT; PHP 5 and
// later fold them into T_COMMENT and add T_DOC_COMMENT for /** */ blocks.
// Define whichever constant is missing so the checks below work on both.
if (!defined('T_ML_COMMENT')) {
    define('T_ML_COMMENT', T_COMMENT);
} else {
    define('T_DOC_COMMENT', T_ML_COMMENT);
}

// Pass 1:
// - strip all comments
// - strip needless whitespace
$pass1 = '';
$tokens = token_get_all($source);
foreach ($tokens as $token) {
    if (is_string($token)) {
        // single-character tokens such as ; ( ) { } come back as plain strings
        $pass1 .= $token;
    } else {
        list($id, $text) = $token;
        if ($id != T_COMMENT && $id != T_ML_COMMENT && $id != T_DOC_COMMENT) {
            if ($id == T_WHITESPACE) {
                $text = preg_replace("/\s+/", " ", $text);
            }
            $pass1 .= $text;
        }
    }
}

// Pass 2:
// - randomize variables
// - insert random whitespace and comments
$pass2 = '';
$vars = array();
$tokens = token_get_all($pass1);
foreach ($tokens as $token) {
    if (is_string($token)) {
        $pass2 .= $token;
    } else {
        list($id, $text) = $token;
        switch ($id) {
            case T_WHITESPACE:
                // keep the original whitespace and pad it with a junk comment
                $pass2 .= $text .
                    str_repeat(" ", rand(0, 5)) .
                    "/*" .
                    str_repeat(" ", rand(0, 5)) .
                    substr(md5(uniqid("")), 0, rand(1, 30)) .
                    str_repeat(" ", rand(0, 5)) .
                    "*/" .
                    str_repeat(" ", rand(0, 5));
                break;
            case T_VARIABLE:
                // $this and the superglobals must keep their names or the
                // script stops working; every other variable gets a random one
                if ($text != '$this' && $text != '$GLOBALS' && substr($text, 0, 2) != '$_') {
                    if (!isset($vars[$text])) {
                        $vars[$text] = '$' .
                            chr(rand(0, 1) ? rand(65, 90) : rand(97, 122)) .
                            substr(md5(uniqid("")), 0, rand(5, 10));
                    }
                    $text = $vars[$text];
                }
                // fall through: emit the (renamed) variable
            default:
                $pass2 .= $text;
        }
    }
}
print $pass2;
?>
References:
PHP Virus Writing Guide
Generic Polymorphism
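The same tokenizer also works in the other direction, which is the part a scanner author cares about: since the obfuscator only touches comments, whitespace and variable names, dropping the first two and renaming variables in order of first appearance gives back one canonical token stream for every variant. The following is an added example, not code from the original post; the function names normalize_php and fingerprint_php and the two sample scripts are my own and constructed for illustration.

```php
<?php
// Added example: a token-level normalizer that undoes the three changes the
// obfuscator above makes (junk comments, whitespace padding, renamed
// variables) and fingerprints what is left. Runs on PHP 5.3+ / PHP 7 / PHP 8.

/**
 * Reduce PHP source to a canonical token stream:
 *  - comments, whitespace and open/close tags are dropped
 *  - variables are renamed in order of first appearance ($v1, $v2, ...)
 *  - keywords, operators, strings and function names are kept as-is
 */
function normalize_php($source) {
    $tokens = token_get_all($source);
    $vars   = array();
    $out    = array();
    foreach ($tokens as $token) {
        if (is_string($token)) {          // single-char tokens: ; ( ) { } etc.
            $out[] = $token;
            continue;
        }
        list($id, $text) = $token;
        switch ($id) {
            case T_COMMENT:
            case T_DOC_COMMENT:
            case T_WHITESPACE:
            case T_OPEN_TAG:
            case T_CLOSE_TAG:
                break;                    // layout only: contributes nothing
            case T_VARIABLE:
                if (!isset($vars[$text])) {
                    $vars[$text] = '$v' . (count($vars) + 1);
                }
                $out[] = $vars[$text];
                break;
            default:
                $out[] = $text;
        }
    }
    return implode(' ', $out);
}

// Hash of the normalized stream: stable across the obfuscator's variants.
function fingerprint_php($source) {
    return sha1(normalize_php($source));
}

// Two constructed variants of the same script: one clean, one padded with
// junk comments and whitespace and with its variable renamed, the way the
// obfuscator above would emit it.
$clean = '<?php $name = $_GET["n"]; echo "hi " . $name; ?>';
$obfuscated = "<?php  /*  a1f3 */ \$Xk9d2ab   =  \$_GET[\"n\"] ; /* 9c */ \n"
            . " echo  \"hi \" .\$Xk9d2ab ; ?>";

echo normalize_php($clean), "\n";
echo normalize_php($obfuscated), "\n";
echo (fingerprint_php($clean) === fingerprint_php($obfuscated)) ? "same fingerprint\n" : "different\n";
```

Both inputs normalize to `$v1 = $v2 [ "n" ] ; echo "hi " . $v1 ;`, so a signature taken over the normalized stream is unaffected by this kind of polymorphism. It only covers what this particular obfuscator randomizes; string encoding or eval-based layers would need a further unwrapping step.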

Tuesday, January 18, 2005

Ok, I'm here...

Ok, my first post... I wonder how long I can keep up with this, and more important, how long you can keep up with me. If you don't agree with the things that I post here, better find yourself a more suitable site. Pessimistic as I am, I wonder how long it will take before some n00b (=idiot) discovers this weblog and feels compelled to behave so childishly as to comment on every post with a "FIPO" (=FIrst POst) remark. I will remove the possibility to give comments entirely if this happens too often (threshold set at some unknown - but very low - level).

A little background on me:

I'm an ex-virus writer, been a member of various groups like 29A. I'm still interested in viruses, but not actively involved in the scene anymore. Musical interests are mainly Death & Black Metal (I also play in a band myself; I play drums), and I like to read books (mostly fantasy; current favorite writer is Neal Stephenson).