Slashdot has an article on what seems to be a worm propagating via MySQL servers on Windows that are configured with a weak root password. More information can be found here.
I wonder how many web servers will get severe problems because of the many attacks on port 3306...
Update: I suspect the worm is written by some Dutch person (or Belgian) because it connects to an IRC server and joins a channel named "#rampenstampen", which is typically Dutch.
My weblog about all things that interest me (and hopefully you): viruses, programming in general, death & black metal, certain web sites... Well, it could be anything.
Thursday, January 27, 2005
Wednesday, January 26, 2005
F-Secure not so smart...
I just saw an article on the weblog of F-Secure about MyDoom, where they posted a picture with a part of the source code. I haven't seen the source code yet, so I tried to find it using Google and using terms taken from the picture: "shit msvc inlined it to winmain". It gives you these results. I think it's not a very smart move from F-Secure, handing out a vector to find the complete source so easily.
Friday, January 21, 2005
Obfuscating PHP code
In an issue of the 29A magazine I saw SPTH write a tutorial on randomizing PHP code using string manipulation routines. I've done something similar, but I use the tokenizer that is built into the Zend engine instead, so the transformation works on the real token stream rather than on raw text. Here's a quick example of obfuscating PHP code using the tokenizer functions from the Zend engine:
<?php
// Obfuscate this very file: read our own source and push it through two
// passes over the token stream produced by the Zend tokenizer (token_get_all()).
$source = file_get_contents(__FILE__);
$pass1 = '';
$pass2 = '';
$vars  = array();

// Variables that must keep their name or the code breaks: $this and the superglobals.
$keep = array('$this', '$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_FILES',
              '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV');

// Pass 1:
// - strip all comments
// - strip needless whitespace
$tokens = token_get_all($source);
foreach ($tokens as $token) {
    if (is_string($token)) {
        // single-character tokens such as ';' or '{' come back as plain strings
        $pass1 .= $token;
    } else {
        list($id, $text) = $token;
        // T_ML_COMMENT only existed in PHP 4; PHP 5 and later report /* */ as
        // T_COMMENT and /** */ as T_DOC_COMMENT
        if ($id != T_COMMENT && $id != T_DOC_COMMENT) {
            if ($id == T_WHITESPACE) {
                $text = preg_replace("/\s+/", " ", $text);
            }
            $pass1 .= $text;
        }
    }
}

// Pass 2:
// - randomize variable names (consistently: every use of $foo gets the same new name)
// - insert random whitespace and junk comments
$tokens = token_get_all($pass1);
foreach ($tokens as $token) {
    if (is_string($token)) {
        $pass2 .= $token;
    } else {
        list($id, $text) = $token;
        switch ($id) {
            case T_WHITESPACE:
                $pass2 .= $text .
                    str_repeat(" ", rand(0, 5)) .
                    "/*" .
                    str_repeat(" ", rand(0, 5)) .
                    substr(md5(uniqid("")), 0, rand(1, 30)) .
                    str_repeat(" ", rand(0, 5)) .
                    "*/" .
                    str_repeat(" ", rand(0, 5));
                break;
            case T_VARIABLE:
                if (!in_array($text, $keep)) {
                    if (!isset($vars[$text])) {
                        // new name: one random letter followed by 5-10 hex characters
                        $vars[$text] = '$' .
                            chr(rand(0, 1) ? rand(65, 90) : rand(97, 122)) .
                            substr(md5(uniqid("")), 0, rand(5, 10));
                    }
                    $text = $vars[$text];
                }
                // fall through: emit the (renamed) variable
            default:
                $pass2 .= $text;
        }
    }
}
print $pass2;
?>
References:
PHP Virus Writing Guide
Generic Polymorphism
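The same tokenizer that makes this obfuscation easy also makes it easy to undo. The example below is an added one, not code from the original post: it canonicalises PHP source by dropping comments, collapsing whitespace and renaming variables in order of first appearance, so that every variant the obfuscator above can emit from one input collapses to one string (and one hash). The function name normalize_php and the sample input are my own; the three transformations it reverses are exactly the ones the script above performs.

```php
<?php
// Added example: canonicalise PHP source so that variants produced by the
// obfuscator above (junk comments, random whitespace, renamed variables)
// all map to the same string. Names here are assumptions, not from the post.

function normalize_php($source)
{
    $out  = '';
    $vars = array();
    // same exceptions the obfuscator has to honour
    $keep = array('$this', '$GLOBALS', '$_SERVER', '$_GET', '$_POST', '$_FILES',
                  '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV');

    foreach (token_get_all($source) as $token) {
        if (is_string($token)) {            // ';', '{', '=' and friends
            $out .= $token;
            continue;
        }
        list($id, $text) = $token;
        switch ($id) {
            case T_COMMENT:
            case T_DOC_COMMENT:
                break;                      // drop comments entirely
            case T_WHITESPACE:
                $out .= ' ';                // any run of whitespace becomes one space
                break;
            case T_VARIABLE:
                if (!in_array($text, $keep)) {
                    if (!isset($vars[$text])) {
                        // number variables by order of first appearance
                        $vars[$text] = '$v' . count($vars);
                    }
                    $text = $vars[$text];
                }
                // fall through: emit the (renamed) variable
            default:
                $out .= $text;
        }
    }
    // a comment that sat between two whitespace runs leaves two spaces behind
    return trim(preg_replace('/ +/', ' ', $out));
}

// Constructed sample: the same function once clean and once as the
// obfuscator above might have emitted it.
$clean = '<?php function add($a, $b) { $sum = $a + $b; return $sum; } ?>';
$obfuscated = '<?php   /* 3f9a */ function add($Xc0ffee,  $q91bd) /*  */ {'
            . "\n\t" . '$Kdeadbe = $Xc0ffee + $q91bd;  /* 00 */ return $Kdeadbe; } ?>';

$n1 = normalize_php($clean);
$n2 = normalize_php($obfuscated);
echo $n1, "\n";
echo $n2, "\n";
// both lines read: <?php function add($v0, $v1) { $v2 = $v0 + $v1; return $v2; } ?>
echo ($n1 === $n2) ? "same canonical form: " . md5($n1) : "different", "\n";
```

Two caveats apply to both scripts. Renaming is only safe for code that never refers to variables by name at run time: variable variables ($$x), compact(), extract() and get_defined_vars() all break once $x has a random name. And the normaliser only reverses the three transformations shown here; an engine that also reorders statements or re-encodes string literals needs a correspondingly smarter canonical form.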
Tuesday, January 18, 2005
Ok, I'm here...
Ok, my first post... I wonder how long I can keep up with this, and more importantly how long you can keep up with me. If you don't agree with the things that I post here, better find yourself a more suitable site. Pessimistic as I am, I wonder how long it will take before some n00b (=idiot) discovers this weblog and feels compelled to behave so childishly as to comment on every post with a "FIPO" (=FIrst POst) remark. I will remove the possibility to give comments entirely if this happens too often (threshold set at some unknown - but very low - level).
A little background on me:
I'm an ex-virus writer, and have been a member of various groups like 29A. I'm still interested in viruses, but not actively involved in the scene anymore. My musical interests are mainly Death & Black Metal (I also play in a band myself, I play drums), and I like to read books (mostly fantasy; my current favorite writer is Neal Stephenson).