Rajaats Weblog

2009-11-05T23:20:00.002+01:00


Meh, I am surprised this still works. Hi Reddit!

Blue Frog is gone

2006-05-17T16:35:00.000+02:00

Alas, Blue Frog was quite successful fighting SPAM, but could not withstand the retaliating attack from PharmaMaster and has to shut down to prevent a large scale internet war... You can read their article about the shutdown at http://www.bluesecurity.com/

I think it is sad... shows who owns the internet, not the USA, no other country, but big criminal organisations.

So this experiment is over, now what?

Well, I think in Russia they found a way that works even better than BlueSecuritys initiative: http://mosnews.com/news/2005/07/25/spammerdead.shtml

Blue Frog Revisited

2005-08-18T14:04:00.000+02:00

As you've seen from my previous post, the email addresses from Blue Security itself were not included in the "Do Not Intrude" registry. Today I checked it again and discovered to my pleasure they now included their own addresses. Not only that, they added their complete domain, so if you check for pussyeater@bluesecurity.com it will also be protected.

I've now run their program for almost a month, and slowly I'm starting to see that the amount of spam I'm receiving is decreasing. I don't know wether it is just periodically decline or wether it is the success of Blue Frog. I hope it's the latter, because I really hate spam, even more than viruses or spyware because that is much easier to avoid.

Blue Frog fights fire with fire.

2005-07-20T16:35:00.000+02:00

Slashdot mentions a program from Blue Security, called Blue Frog, which is a program that tries to fight spam in another way than usual spam filters do. People who sign up become part of a DDoS network, but in a bit more sophisticated way than the screensaver Lycos used to distribute. You can add up to three email addresses that should be protected. Whenever you receive a spam email in one of those email boxes you forward it to an address at Blue Security (yoursignedupname@reports.bluesecurity.com), where they will look for the website linked to in the spam mail (a typical spam mail wants to direct you to their site). Then, on behalf of you they will warn the site owner and the ISP the site is hosted at that they are sending unsollicited email and should download a hash list and a tool to clean our their harvested emails database. If they do not comply, all the users that signed up and have the Blue Frog client running will start filling up the webforms with repeated requests to be taken off the spam list, effectively ruining the spammers business by adding filth to their selling databases and causing a DDoS attack.

I must confess I think this is a very nice idea, alas, as a former virus writer I'm known for having little ethical problems with these kinds of things and will gladly sign up, whereas other people might frown upon the tactics they use.

However...

Sceptical as I am I downloaded the "Do Not Intrude Registry" Compliance Tools, with which you can check wether you are using email addresses that have signed up for not receiving any spam mail anymore and created a small text file with the following addresses:

info@bluesecurity.com
postmaster@bluesecurity.com
webmaster@bluesecurity.com
sales@bluesecurity.com
root@bluesecurity.com
info-dep@bluesecurity.com
press@bluesecurity.com
marketing-dep@bluesecurity.com
careers-dep@bluesecurity.com
cleanup@bluesecurity.com
legal-dep@bluesecurity.com

and processed it with their tool. I was quite amazed that none of these addresses were listed as protected by their own system. I think a company should stand behind their own product and use it, how else could you convince people to use it if you don't use it yourself? How about Mikko Hypponen if he would use, say, Norton Antivirus to protect his computer instead of using F-Secure?

Man with spyware fixes problem by buying new PCs

2005-07-18T13:42:00.000+02:00

What if you're an idiot with too much money on your bank account? If it was April Fools Day I'd believe that this is a good hoax: Man with spyware fixes problem by buying new PCs.

At least it's a clear sign for hardware vendors that they should hire virus writers :-)

F-Secure in deep shit?

2005-05-27T10:00:00.000+02:00

Today I read that people in Finland are massively buying toilet paper because paper mills are shut down due to a lockout of workers in the paper industry. This could mean that F-Secure will be in deep shit. Imagine the poor researchers having to resort to contract their sphincter all day or use a buttplug while dissecting the latest variant of Sober.XYZ. This seriously will affect the quality of the research and the product line of F-Secure. We cannot allow this to happen!

To ensure that F-Secure won't buckle under severe internal pressure, we have to act now!

Send your (used) toilet paper to:

F-Secure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

A practical look at buffer overflows

2005-05-10T09:54:00.000+02:00

If you ever wondered how buffer overflows work, here is a very nice documented example of a buffer overflow and how to exploit it. If you know a bit of assembler, C and how to use a debugger it is a very interesting read.

Phising for dummies

2005-05-03T23:57:00.000+02:00

So you want to become a phiser?

First, to know what a phiser does look at the term phising on WikiPedia. In short, a phiser is someone who tries to fool somebody to fill in private/sensitive information on a website that is believed to be an official website the scam has been created for. Usually these requests come by email, give a link to a website where you should fill in the information and try to disguise it as a legit site.

How to spread emails to people and harvest email addresses to send to?

Thanks to F-Secure I found the source of MyDoom virus. Just change it a little to suit your needs. How I obtained this source is in an older entry on my weblog in case you want to look it up... Just make it a phising scam and worm in one so that you can reach a big audience...

What site to imitate?

Don't worry if you know only the online banking site you use yourself. F-Secure gladly provides you with a HUGE list of banks to impersonate (right-click, save to file). Pick one at random, look at the site, rip the layout and use that in your email you will sent to all the intended victims. Mind you that you use the same language and way of writing as the host of the site does. Spelling errors are a big no-no here, a scam should look perfect!

Examples... or not?

Take a look here, it's a test which checks wether you can be baited for a phising scam. Look at the examples and learn from them. Try your best to imitate the site you intend to copy.

How to save the data?

Goddammit, I'm not going to explain you how to program, use PHP or Perl to save the form data... Use The Fucking Search, Noob! (grin)

What to do with the data you collected?

Go shopping on the internet or something, I don't care about that... I just feel bothered by the fact that F-Secure yet again gives away information it really doesn't need to and just giving the wrong people the wrong ideas.

Thank you, Symantec!

2005-05-03T10:47:00.000+02:00

Today one of the workstations at my work got infected with Sober.P. Of course the end user should have known better than opening an email in the english language (not our native language), opening the zip file and running the executable inside it.

But on the other hand, this threat was found yesterday and (for once I have to agree with F-Secure) by the time European workers get back to their offices tomorrow morning, all antivirus programs should already stop it.

We use Symantec Antivirus for Exchange as well as a version running on the workstation, which are up to date and didn't detect it. I am no system administrator and it is not my job to prevent/repair shit like this, but I felt sorry for the person and used HouseCall to remove the infection.

So... thank you Symantec...

NOT!

$age++

2005-04-22T10:40:00.000+02:00

Oh happy joy! I managed to stay alive another year in good health. Today I turned 33 years old and (as Graham Cluley would say) still not have grown up.

To celebrate this with you, I give you the source code of one of my recent replicators (including virus). Can you figure out in which environment this program is able to run? I will soon elaborate more on the environment this code runs in and hope to interest you in writing some code as well.

Hint for AV'ers: you can't write a disinfector for this!

Published  Name        RTFM   
Published  Author      Rajaat                
Published  EMail       rajaat.itookmyprozac@gmail.com
Published  Country     The Netherlands   
Published  Comment     Birthday Release
Published  Version     0.5

Published  OpenSource  yes    
Published  Language    RC300
Published  OptionSet   Classic

Bank 01 BootUp
  BJump 30,1

Bank 02
Bank 03
Bank 04
Bank 05
Bank 06
Bank 07
Bank 08
Bank 09
Bank 10
Bank 11
Bank 12
Bank 13
Bank 14
Bank 15
Bank 16
Bank 17

Bank 18 Virus
  Trans 1,1
  Trans 1,2
  Trans 1,3
  Turn 1

Bank 19 UniversalJumper
  BJump #Active,1

Bank 20 QuickDisabler
@QuickDisabler.Run
  Move
  Comp %Active,2
  Set %Active,0
  Comp %Banks,0
  Turn 1
  Jump @QuickDisabler.Run

Bank 21 QuickRunner
@QuickRunner.Move
  Move
@QuickRunner.Run
  Scan #2
  Comp #2,1
  Jump @QuickRunner.NoNME
@QuickRunner.KillAllBanks
  Trans 5,1
  Set %Active,0
  Set #3,%Banks
@QuickRunner.Empty
  Trans 4,#3
  Sub #3,1
  Comp #3,-1
  Jump @QuickRunner.Empty
  Set %Active,1
  Jump @QuickRunner.Move
@QuickRunner.NoNME
  Comp #2,2
  Jump @QuickRunner.Move
  Set %Active,2
  Turn 1
  Jump @QuickRunner.Run

Bank 22
Bank 23
Bank 24

Bank 25 SpawnQuickDisabler
  Create 2,3,0
  Trans 1,1
  Set %Active,2
  Trans 2,2
  Trans 3,3
  Turn 0
@SpawnQuickDisabler.Create
  Create 0,1,1
  Trans 3,1
  Set %Active,2
  Jump @SpawnQuickDisabler.Create

Bank 26 SpawnQuickRunner
  Create 2,5,0
  Trans 4,1
  Set %Active,2
  Trans 2,2
  Trans 3,3
  Trans 4,4
  Trans 5,5
  Turn 0
@SpawnQuickRunner.Create
  Create 1,5,1
  Trans 4,1
  Set %Active,2
  Trans 3,2
  Trans 4,3
  Trans 5,5
  Jump @SpawnQuickRunner.Create

Bank 27
Bank 28
Bank 29

Bank 30 InitialBoot
  Set #Active,2
@InitialBoot.Create

  ; Create SpawnQuickDisabler
  Create 2,3,0
  Trans 19,1
  Set %Active,2
  Trans 25,2
  Trans 20,3
  Turn 0

  ; Create SpawnQuickKiller
  Create 2,5,0
  Trans 19,1
  Set %Active,2
  Trans 26,2
  Trans 21,3
  Trans 19,4
  Trans 18,5
  Turn 0

  Add #19,1
  Comp #19,4
  Jump @InitialBoot.Create

  BJump 31,@Phase2Boot.KillNeighbours

Bank 31 Phase2Boot
@Phase2Boot.KillNeighbours
  Set %Active,1
  Trans 32,2
  Trans 32,1
  Create 2,12,0
  Trans 33,10
  Trans 19,1
  Set %Active,10
  Trans 19,1
  Trans 32,11
  Trans 19,9
  Trans 18,8
  Turn 0
  Jump @Phase2Boot.KillNeighbours

Bank 32 Die
  Die

Bank 33 HugeStar
@HugeStar.Scan
  Turn 1
  Scan #2
  Comp #2,1
  Jump @HugeStar.NoNME
@HugeStar.Kill
  Trans 8,1
  Trans 8,2
  Trans 8,3
  Set %Active,0
  Set #4,%Banks
@HugeStar.EmptyIt
  Trans 11,#4
  Sub #4,1
  Comp #4,-1
  Jump @HugeStar.EmptyIt
  Set %Active,1
  Jump @HugeStar.Scan
@HugeStar.NoNME  
  Comp #2,0
  Jump @HugeStar.Refresh
  Create 2,12,0
  Trans 10,10
  Trans 9,1
  Set %Active,10
  Trans 9,1
  Trans 11,11
  Trans 9,9
  Trans 8,8
  Jump @HugeStar.Scan
@HugeStar.Refresh
  Trans 11,1
  Trans 11,2
  Trans 10,10
  Trans 9,9
  Trans 8,8
  Set %Active,10
  Jump @HugeStar.Scan

Bank 34
Bank 35
Bank 36
Bank 37
Bank 38
Bank 39
Bank 40
Bank 41
Bank 42
Bank 43
Bank 44
Bank 45
Bank 46
Bank 47
Bank 48
Bank 49

Pink Mika on the hunt for warez?

2005-04-08T11:11:00.000+02:00

F-Secure has posted on its weblog an article about the disclaimer on www.elitehackers.com (just google on "You must be at least 250 years old and own a pink car to enter this site.", directly cut and paste from the weblog). It leaves me with a few questions...

Who is Mika? (His face is not on the banner on top of the page)
Is he gay? (A pink car... and apparently not photoshopped)
And what is he doing on EliteHackers in the first place???

Should I get an evaluation copy of their product and search if they used some hacked version of Sound Forge for alarm sounds or some graphics processing utility?

Anyway... Mika, should you read this, the only way to be able to legally access EliteHackers is when you are an ocean worm, but then I doubt wether you can drive a pink car.

Back from the dead...

2005-04-06T13:13:00.000+02:00

Ok, I'm back from holidays and somehow managed to survive. I've been to the Czech Republic during easter, and where I was (near Brno) it is custom on easter Monday to whip the girls with a "pomlazka", and in return you get an egg and some shot of hard spirit (usually slivovice). Needless to say that I was completely drunk even before noon. I also have been meeting a few of my girlfriends friends and Benny.

My idle time I spent reading "Quicksilver" from Neal Stephenson and I am really impressed about his improvement on writing style since "Snowcrash". He manages to weave fiction and history seamlessly into a huge novel, and I can recommend his books (especially Cryptonomicon and Quicksilver) to anyone that has an interest in how we got into this digital era we now live in. I've put the next parts (The Confusion and System of the World) on my wishlist.

Excerpt from Cryptonomicon
Excerpt from Quicksilver

Almost holiday

2005-03-25T12:02:00.000+01:00

Today is the last day at work before I will go on a holiday to the Czech Republic again. I have met my deadlines, so I've got some time to spend on my weblog. Usually I post here things that are related to security, (anti)virus in specific. Now it's time for a bit informal post so I'll put here some links that I think are interesting and hope you feel the same about it.

Here we go:

The Daily WTF
Sometimes when I look back at old code I wrote, I think I suck at coding, but after a look on this site I feel much better.

Browser Security Test
Nice website that tests for vulnerabilities in your current internet browser. Use this to show your family/friends they should get Mozilla Firefox 1.0.2 to be more secure.

The Rasterbator
Upload your favorite picture here and get it back in rasterized PDF format, so you can have your wall filled with a huge poster of that picture (I didn't mention babes here, did I?)

WinDirStat
A handy little program that shows the usage of your disks in treemap format. Now you finally know where all your free space went to.

Desktop Sidebar
Don't wait for Windows Longhorn (or whatever they are going to call it). You can have the look already using Desktop Sidebar. It's ideal for quick overview of your email, tasks, weather, stock quotes and more.

Southpark Character Creator
How would you (or some friend) look if he was in an episode of South Park? Don't wait any longer, find out now! (Maybe I should transform some Antivirus persons)

TrueCrypt
Make an encrypted volume where you can store your private stuff in. It is also possible to make a hidden encrypted volume in the encrypted volume, in case you are forced to give your password to some authority.

Press Play On Tape
Did you own a Commodore 64? I did, I played games until my wrist hurted like hell. Press Play On Tape is a Commodore 64 revival band, playing well known tunes of the most famous games.

ClientCopia
Ever worked on a helpdesk? Having contact with customers? Were they stupid? Here you can see what horros people experienced dealing with stupid customers (and add your own adventures as well).

AudioScrobbler Browser
Maybe you already knew that you can submit the music you listen to to AudioScrobbler using one of their plugins. It enables you to find people that have the same musical preferences. Using the AudioScrobbler browser you can have a nice graph how artists can be related to eachother. Use it you expand your horizon.

Happy Tree Friends
They are cute, they are cuddly... and they die in the most horrible ways you can (or even can't) imagine. Small flash animations for anyone who got fed up with all the "Powerpuff Girls" like cartoons. Be sure to checkout the Easter Smoochie!

Dragon Optical Illusion
Impress your friends with this very good optical illusion. The dragon will follow your every move, eyeing you suspiciously. Download and print out the sheet, get your glue and scissors and have fun!

Linux ready for the desktop?

2005-03-21T17:37:00.000+01:00

I know, I should stick to security issues here, but this subject is lingering in my head for a few days now and I'd like to voice my opinion on it and maybe get some sensible reactions from you on this...

Linux ready for the desktop?
Lately I've been reading various websites that question wether Linux is ready for the desktop or not.

First, I'd like to say that this statement is already wrong to begin with. Linux is not ready for the desktop, and will never be, as much as the Windows kernel isn't ready for the desktop either. The kernel (and Linux IS the kernel) is what your operating system uses.

The proper question in this case would be:

Is this Linux Distribution ready for the desktop?
Even if you rephrase the question like that I think the question is still incorrect. The problem is in the part that says "the desktop". Whose desktop? Yours? Mine? Aunt Tilly?

If you look back to the days when MS-DOS was still the most prevalent operating system, I'm sure you can recall people that could work with it, even if it was your Aunt Tilly. She knew how to start and work with Word Perfect, Lotus 1-2-3 or even DBase III.

Ok, to be honest, she didn't know exactly what was going on in her computer, she didn't know anything about HIMEM.SYS or EMM386.EXE and what they were supposed to do. But she knew that when she had a new program on a floppy disk the usual thing to do was to type

a:install
and answer some questions as where the files should be copied to (standard location) and wether autoexec.bat should be modified (usually 'yes').

After that she just fired up Norton Commander (or something like that) and started the application. If something went wrong she had a very nice booklet that told her what to do.

Fast forward to the present...

Two groups are debating wether Microsoft Windows XP and/or Some Linux Distribution are ready for the desktop. Here they aim at end-users, like Aunt Tilly. Aunt Tilly got a bit older, grew a little moustache and looks at both.

She tries Windows XP, which looks very polished to her. After a few days of working and browsing the internet she now has 5 extra toolbars in Internet Explorer, all with almost identical extra's (including the spyware). She sees popups on her screen for online casino's, naked babes, warning messages that her computer is infected, but she never heard of the term spyware. She tries to look in the book what is happening to her computer, but it only says to press F1 at some place to get some help on a subject she never asked for in the first place.

Then she posts a message to some forum she found by accident using one of her many extra toolbars. She posts the message and includes her email address, hoping for a swift answer...

And she gets them. A lot of them. Most of them advice her that she should use Cialis, Viagra or any other enhancement so that her erection stays longer, harder and her cumshots will blow off the head of her impressed girlfriend, and (if that girl dies because of it) she always can pick up one of the hundred bored housewifes who just want to have a fuck with her.

Amongst the more sensible replies there are a few that say that she is a fucking n00b and she should have used Mozilla Firefox to prevent all those things that happened to her. Ofcourse the not-so-friendly replies don't give a link to the site, so again with some more reluctance she has to post a message where she can get this wonderful program that should be the salvation of her PC.

Again a lot of answers of which she can throw 95% away. The remaining five percent are very brief, shooting acronyms at her like UTFS. Whenever she navigates to www.utfs.com she finds out the domain is for sale, but no link where to download Firefox. After using one of the search bars she finds out the actual site, downloads the software and installs it. Yet the problems of unwanted popups remain. Even if she doesn't use Firefox and is just trying to figure out Word and where those nice markupcodes have been since Word Perfect 5.1 she gets them.

And then, at some birthday party she talks to a young man that says Linux is the answer. He even is so friendly to give her an URL (which she found out is a cryptic way to say "address of a website") where she could order a free evaluation CD.

And in a few weeks she gets the CD. She is thrilled. But she also has questions. What should she do with her old documents, her highscore for Zuma and fotos she received from her family? In a desperate attempt to make some sort of backup the mails all the important things to herself and proceeds to install Linux. After some anxious moments she got it running and is greeted with a friendly picture of a multicolored group of people holding hands.

A few days later she learned with which program she could browse the internet, how she can send and receive email and even do some wordprocessing. But she can't print on her Lexmark printer and she doesn't know why. The webcam she used in Windows now doesn't work anymore when she wants to have a chat with her family.

Again she searches for answers on the internet, since she doesn't have a manual. She posts some questions. Gets answers...

"N00bs like you should stick to Windows, Linux is not for you!"
"Use The Fucking Search, you idiot!"
"You shouldn't use distro XXX, you should have used YYY which is faster after you compile for three days"
Aunt Tilly gives up, gets her old computer out the attic where it has been gathering dust for a few years, fires up Word Perfect and starts typing her last will as she is feeling very old of a sudden...

After this fictious story I can be very brief in my conclusion about what operating system is ready for the desktop.

Any or none at all.
An operating system is successful or a complete failure depending on documentation and support. In the case of Aunt Tilly the most successful was MS-DOS. She had a book that explained almost everything she needed to know. With Windows the got a small booklet that explained almost nothing. With the Linux distribution it was even less.

Almost every software package, wether it is an operating system or an application comes with help on CD or some community on internet. But most people (at least I do) prefer a good manual next to my computer and work through the chapters and browse the reference in case of a specific need. Or patient people that can help Aunt Tilly, instead of insulting her.

For the aunts that read this weblog entry I can tell that there's hope. There are a lot of books written on any subject I just covered here which you can buy.

Where?

Use The Fucking Search, N00B!

McAfee Multiple Products LHA File Handling Buffer Overflow

2005-03-21T10:04:00.000+01:00

It starting to look like Antivirus software vendors really should audit the 3rd party libraries they use in their software for handling compressed executables and archives.

My friend Benny pointed out that there is yet another vulnerability in handling archives. This time it's McAfee having troubles with LHA archives. Read the advisory here.

Microsoft books teaches on security

2005-02-28T00:22:00.000+01:00

When mindlessly browsing through a shitload of del.icio.us posted links I found a very interesting book, which I hope the people at Microsoft and the Antivirus vendors will read. After all who can teach you better about securing your applications than the security folks at the biggest company in Redmond?

Damn, I feel sarcastic...

Vulnerability in VSAPI ARJ parsing could allow Remote Code execution

2005-02-25T08:20:00.000+01:00

Recently I posted messages about overflow vulnerabilities in Symantecs and F-Secures antivirus products concerning buffer overflows in unpacking files, now it seems yet another antivirus vendor suffers from the same problem. Check the Trend Micro advisory "Vulnerability in VSAPI ARJ parsing could allow Remote Code execution"

F-Secure silently alters mydoom source picture

2005-02-22T12:52:00.000+01:00

Apparently F-Secure reads Benny's or my weblog (see here and here), as they have realised that publishing a picture of the source of mydoom is indeed not a smart thing to do. If you look in their archive you'll see that they now blurred out the important parts of the source which I used to find the source code. Of course they wouldn't announce that they changed it, because making such failure is not good for the credibility of their company. Unfortunately for them I still have the screenshot, so if you really want the source you can still Google for it. But don't be naughty by using it for making YABV (Yet Another Boring Variant) but for educational purposes only (blatant disclaimer).

KLEENEX goes AV!

2005-02-17T13:58:00.000+01:00

For a little bit of fun, see how Kleenex now jumps into the
Antivirus business :-) Go eat your heart out, other AV'ers!

Internet Security Systems - F-Secure AntiVirus Library Heap Overflow

2005-02-11T11:05:00.000+01:00

Internet Security Systems has a report on a vulnerability on F-Secure Antivirus, which is similar to the other report on the UPX vulnerability of Symantec Antivirus. It looks to me that you're safer using NO ANTIVIRUS software than using one. All you need to do is securing your Windows a bit better (get a external firewall, drop Internet Explorer in favor of Mozille FireFox/Thunderbird) and be careful what you download and NEVER RUN THINGS WITH ADMINISTRATOR RIGHTS unless you really have to.

Symantec AntiVirus Library Heap Overflow

2005-02-09T13:58:00.000+01:00

Internet Security Systems has a report about a vulnerability found in almost all antivirus products from Symantec concerning the use of a malformed UPX compressed executable that causes a heap overflow, making it possible to execute code on a remote machine when scanning such file. Newer products are immune, but I think there are still enough users that use an older version of some product.

A worm for MySQL?

2005-01-27T17:38:00.000+01:00

Slashdot has an article on what seems to be a worm propagating using MySQL on Windows that is configured with a weak root password. More information can be found here.

Click here for full graph

I wonder how many web servers will get severe problems because of the many attacks on port 3306...

Update: I suspect the worm is written by some dutch person (or belgian) because it connects to an IRC server and goes to a channel named "#rampenstampen" which is typically dutch.

F-Secure not so smart (screenshot)

2005-01-26T11:55:00.000+01:00

Here is a screenshot of the page from F-Secure in case they would withdraw it.

F-Secure not so smart...

2005-01-26T10:43:00.000+01:00

I just saw an article on the weblog of F-Secure about MyDoom, where they posted a picture with a part of the source code. I haven't seen the source code yet, so I tried to find it using Google and using terms taken from the picture: shit msvc inlined it to winmain. It gives you these results. I think it's not a very smart move from F-Secure, handing out a vector to find the complete source so easily.

Obfuscating PHP code

2005-01-21T09:45:00.000+01:00

In a magazine of 29A i saw SPTH writing some tutorial on randomizing PHP code using routines for manipulating strings. I've done something similar, yet I use the built-in parser for PHP code that is included in the Zend engine. Here's a quick example of obfuscating PHP code using the tokenizer functions from the Zend engine:

<?

$source = join("",@file(__FILE__));

// Pass 1:

// - strip all comments

// - strip needless whitespace

$tokens = token_get_all($source);

foreach ($tokens as $token) {

  if (is_string($token)) {

    $pass1 .= $token;

  } else {

    list ($id,$text) = $token;

    if ($id != T_COMMENT && $id != T_ML_COMMENT) {

      if ($id == T_WHITESPACE) {

        $text = preg_replace("/\s+/"," ",$text);

      }

      $pass1 .= $text;

    }

  }

}



// Pass 2:

// - randomize variables

// - insert random whitespace and comments

$tokens = token_get_all($pass1);

foreach ($tokens as $token) {

  if (is_string($token)) {

    $pass2 .= $token;

  } else {

    list($id, $text) = $token;

    switch($id) {

      case T_WHITESPACE:

        $pass2 .= $text . 

                  str_repeat(" ",rand(0,5)) . 

                  "/*" . 

                  str_repeat(" ",rand(0,5)) . 

                  substr(md5(uniqid("")),0,rand(1,30)) . 

                  str_repeat(" ",rand(0,5)) . 

                  "*/"  .

                  str_repeat(" ",rand(0,5));

        break;

      case T_VARIABLE :

        if (!isset($vars[$text])) {

          $vars[$text] = '$' . 

                         chr(rand(0,1) ? 

                           rand(65,90) : 

                           rand(97,122)) . 

                             substr(md5(uniqid("")),0,rand(5,10));

        }

        $text = $vars[$text];

      default:

        $pass2 .= $text;

    }

  }

}

print $pass2;

?>

References:
PHP Virus Writing Guide
Generic Polymorphism

Ok, I'm here...

2005-01-18T23:34:00.000+01:00

Ok, my first post... I wonder how long I can keep up with this, and more important how long you can keep up with me. If don't agree with the things that I post here, better find yourself a more suitable site. Pessimistic as I am I wonder how long it will take before some n00b (=idiot) discovers this weblog and feels compelled to behave so childish to comment on every post with a "FIPO" (=FIrst POst) remark. I will remove the possibility to give comments entirely if this happens too often (treshold set at some unknown - but very low - level).

A little background on me:

I'm an ex-virus writer, been member of various groups like 29A. I'm still interested in viruses, but not actively involved in the scene anymore. Musical interests are mainly Death & Black Metal (I also play in a band myself, I play drums), I like to read books (mostly fantasy, current favorite writer is Neal Stephenson).