Showing posts with label Security. Show all posts

Tuesday, March 31, 2009

Rebooting a computer (VBS)

The script shown in this post pops up a message to the current logged-in user informing him that a reboot is required.




The user has the option to proceed with the reboot or he can choose to click the "No" button and abort the reboot. Clicking "Yes" will invoke the ShutMeDown procedure which uses the .Reboot method to reboot the computer. Clicking "No" will display the following pop-up:



If neither "Yes" nor "No" is clicked within 60 seconds, the script aborts without rebooting.
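The original script was posted as an image, so here is an added example of the same flow written for this page (it is not the post's own code): a Yes/No popup with a 60-second timeout, a ShutMeDown procedure that reboots through WMI, and a second popup when the user declines. The message texts are made up for the example.

```vbscript
' Added example: prompt the logged-in user and reboot via WMI on "Yes".
' Popup() returns vbYes (6), vbNo (7) or -1 when the timeout expires.
Option Explicit

Const POPUP_TIMEOUT = 60   ' seconds to wait before the popup gives up

Dim objShell, intAnswer
Set objShell = CreateObject("WScript.Shell")

' vbYesNo and vbQuestion are VBScript intrinsic constants (4 and 32).
intAnswer = objShell.Popup("A reboot is required to complete the update." & vbCrLf & _
                           "Reboot now?", POPUP_TIMEOUT, "Reboot Required", vbYesNo + vbQuestion)

Select Case intAnswer
    Case vbYes
        ShutMeDown
    Case vbNo
        ' Constructed text for the "No" popup; the original post's wording was in an image.
        objShell.Popup "Reboot aborted. Please reboot at your earliest convenience.", _
                       POPUP_TIMEOUT, "Reboot Required", vbInformation
    Case Else
        ' -1: no answer within POPUP_TIMEOUT seconds; the script simply ends.
End Select

' Reboots the local machine. The (Shutdown) privilege must be enabled on the
' WMI connection or Win32_OperatingSystem.Reboot fails with access denied.
Sub ShutMeDown
    Dim objWMI, colOS, objOS
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\.\root\cimv2")
    Set colOS = objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")
    For Each objOS In colOS
        objOS.Reboot
    Next
End Sub
```

Run it with cscript or wscript under an account that holds the shutdown privilege; on Vista that means an elevated prompt, otherwise the Reboot call is rejected even though the popup appears.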



For what situations can this script be used? Follow the discussion in the following thread in The Official Scripting Guys Forum on TechNet:

http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/65e8699f-fca4-4e08-a181-8b621acbf963

Thursday, January 8, 2009

Conficker.vbs - Conficker (Worm_DownAD) Detector

Heard through the grapevine that the Conficker (Worm_DownAD) worm is still in the wild (http://msforums.ph/forums/t/50980.aspx). This worm creates randomly named services, which makes it a tad difficult to detect and contain. Here's a short script I created to detect possible rogue services created by this worm. The usual disclaimer applies:



The code should be self-explanatory. =)
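The script itself was posted as an image. As an added example, not the blog's Conficker.vbs, here is one way to hunt for a randomly named service: since a random name cannot be matched by signature, the script compares the current service list with a known-good baseline taken from a clean machine and prints anything new, together with the ServiceDll of svchost-hosted services so an analyst knows which file to pull. The baseline file name and its format (one service Name per line) are assumptions of this example.

```vbscript
' Added example: list services absent from a known-good baseline file.
Option Explicit

Const BASELINE_FILE = "services-baseline.txt"   ' assumed name and format
Const FOR_READING = 1

Dim objFSO, objShell, objWMI, dictBaseline, colServices, objSvc, intFlagged
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
Set objWMI   = GetObject("winmgmts:\\.\root\cimv2")
Set dictBaseline = LoadBaseline(BASELINE_FILE)
intFlagged = 0

Set colServices = objWMI.ExecQuery( _
    "SELECT Name, DisplayName, PathName, StartMode, State FROM Win32_Service")

For Each objSvc In colServices
    If Not dictBaseline.Exists(LCase(objSvc.Name)) Then
        intFlagged = intFlagged + 1
        WScript.Echo "NOT IN BASELINE: " & objSvc.Name & " (" & objSvc.DisplayName & ")"
        WScript.Echo "    Path      : " & objSvc.PathName
        WScript.Echo "    StartMode : " & objSvc.StartMode & ", State: " & objSvc.State
        ' A service hosted by svchost.exe loads its code from Parameters\ServiceDll;
        ' that path is the file an analyst needs to look at.
        If InStr(1, "" & objSvc.PathName, "svchost.exe", vbTextCompare) > 0 Then
            WScript.Echo "    ServiceDll: " & ReadServiceDll(objSvc.Name)
        End If
    End If
Next
WScript.Echo intFlagged & " service(s) not in baseline."

' Reads the baseline into a dictionary keyed by lower-case service name.
Function LoadBaseline(strFile)
    Dim dict, objFile, strLine
    Set dict = CreateObject("Scripting.Dictionary")
    If objFSO.FileExists(strFile) Then
        Set objFile = objFSO.OpenTextFile(strFile, FOR_READING)
        Do Until objFile.AtEndOfStream
            strLine = LCase(Trim(objFile.ReadLine))
            If Len(strLine) > 0 And Not dict.Exists(strLine) Then dict.Add strLine, True
        Loop
        objFile.Close
    Else
        WScript.Echo "Baseline " & strFile & " not found; every service will be listed."
    End If
    Set LoadBaseline = dict
End Function

' Returns the service's Parameters\ServiceDll registry value, or "(none)".
Function ReadServiceDll(strName)
    On Error Resume Next
    ReadServiceDll = objShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\" & _
                                      strName & "\Parameters\ServiceDll")
    If Err.Number <> 0 Then ReadServiceDll = "(none)"
    On Error GoTo 0
End Function
```

Build the baseline by running the same Win32_Service query (or sc query) on a clean machine of the same build and saving one Name per line; every legitimate service added since then (a new agent, for instance) will also be listed, which is the price of a baseline approach.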



Wednesday, November 19, 2008

Microsoft To Phase-out Live OneCare

Two years after a much-hyped launch of Windows Live OneCare, Microsoft announced today that the product will be phased out next year and a free security solution (codenamed "Morro") will be released to replace it. The yet-to-be-announced product will offer real-time anti-malware protection. OneCare, on the other hand, offers this capability on top of backup and management features. This is to be expected given that Morro, according to Microsoft, is designed to use minimal computing resources so that it suits low-bandwidth scenarios and less powerful PCs, hence the smaller footprint.

Microsoft also announced that sales of the Windows Live OneCare subscription service, as well as Windows Live OneCare for Server on SBS 2008, will end on June 30, 2009. OneCare users will have the option to move to Morro (it will be available everywhere OneCare currently is). The fact that Morro is free of charge (FOC) may also entice end-user adoption. However, I doubt it is capable of dislodging the industry leaders from their roosts in the enterprise security field.

Microsoft's entry to the consumer/enterprise security market way back in 2006 was met with mixed reactions. And with this setback, whatever is left of Microsoft's foothold on this arena has taken a major beating.

Monday, November 17, 2008

MILF Website Hacked

The Web site of the Moro Islamic Liberation Front (MILF), http://www.luwaran.com/, was reportedly defaced by unidentified hackers last week. It was restored last Saturday after being offline for a number of days.

Mohagher Iqbal, a senior MILF leader, confirmed Saturday that their Web site was hacked by unknown individuals last October 4. Television giant GMA 7 reported that the MILF website had several photos of pigs, animals considered unclean by Muslims. Links to news articles in the MILF website also led to defaced pages featuring pigs. "I love pigs," "i love pigs :D," "Prite bac Prite" and "digdigdig," the headlines read.

Iqbal said that he has no suspect to pinpoint at the moment, refusing to speculate that the Armed Forces of the Philippines (AFP) may be behind it. Meanwhile, the AFP insisted that they have nothing to do with the problem encountered by the MILF website.

A quick check of the http://www.luwaran.com/ domain shows a lot of updates from August to October 2008. The hosting ISP also changed a number of times. I'm still checking for a mirror of the defaced site to provide more clues as to who the culprits are. Hackers normally feel they have one-upped the administrators and are oftentimes cocky enough to display their tags and "gr33tz".


Wednesday, November 12, 2008

Microsoft Fixes 7-Year Old Flaw + MS08-068 Exploit

One of the two patches released by Microsoft for the month of November addresses a vulnerability first reported in 2001 by , better known as Sir Dystic of the Cult of the Dead Cow (cDc). He found a vulnerability in Microsoft operating systems which enables an attacker to gain complete access to a user's computer, and wrote a utility, (and its NETBIOS-bound brother, ), which demonstrates the flaw. Employing man-in-the-middle tactics, the program receives a connection on port 139, connects back to the connecting computer's port 139, and relays the packets between the client and server of the connecting Windows machine, modifying these packets when necessary. On top of that, collects the NTLM password hashes and saves them to a file readable by L0phtCrack for cracking.

Apparently, it took Microsoft 7 years to finally address this vulnerability, as mentioned here. According to this article, exploit code for this flaw is currently available on the internet. In fact, Metasploit has a PoC/working exploit which runs under the 'sploit framework.

The released patch, although given just a criticality rating of "Important" (whereas, MS08-069 was rated "Critical"), appears more interesting given the fact that this fixes a 7-year old flaw.

Going back to the tool, here are some switches and parameters that the tool uses:

Usage: smbrelay [options]
Options:

/D num - Set debug level, current valid levels: 0 (none), 1, 2 (Default is 0)
/E - Enumerates interfaces and their indexes
/IL num - Set the interface index to use when adding local IP addresses
/IR num - Set the interface index to use when adding relay IP addresses
Defaults to 1. Use /E to display the adapter indexes
/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections
Use + to first add the IP address to the NIC
Defaults to primary host IP

/R[-] IP - Set the starting relay IP address to use
Use - to NOT first add each relay IP address to the NIC
Defaults to 192.1.1.1
/S name - Set the source machine name
Defaults to CDC4EVER

, on the other hand, has the following switches and parameters:

SMBRelay2 [Options]
Options:
/A LanaNum - Use LanaNum
Defaults to 0
/D DebugLevel - Level of debug messages, valid levels 0 - 3
Defaults to 0
/L LocalName - Listen for primary connection on LocalName
Defaults to SERVER
/R RelayName - Listen for relay connection on RelayName
Defaults to RELAY
/S SourceName - Use SourceName when connecting to target
Defaults to CDC4EVER
/T TargetName - Connect to TargetName for relay
Defaults to connecting back to client

Monday, November 10, 2008

Microsoft Security Bulletin Advance Notification for November 2008

The usual heads-up from Microsoft for this month mentions two vulnerabilities, one critical and one important. The patches addressing these vulnerabilities will be released on 11 November 2008 (12 November for those in Asia-Pac) during the routine "Patch Tuesday" cycle. Both vulnerabilities affect the Windows OS from Windows 2000 Pro/Server up to Windows Server 2008, including Windows XP/Vista and Windows Server 2003. Furthermore, a Microsoft Office component is affected. For more information on the affected OS and application, plus other relevant information pertaining to the release, please visit the following link:

http://www.microsoft.com/technet/security/Bulletin/MS08-nov.mspx

Expect another busy week ahead, what with all the regression testing, deployment tests, and more that the sys admins and application owners/testers will go through prior to the productive release of the patches in an enterprise. No rest. For the wicked admins.

Saturday, November 1, 2008

Remotely Removing Users from the Local Administrators Group (VBS)

Scenario: You are an administrator of a domain. You are given a task to remove "rogue" administrators of the computers in your domain. On a few machines, this task would be very trivial; you can just remotely connect to each machine and remove the user from the local administrators group. Complexity comes in when you have to remove different users for each machine. Here is a rundown of what I would do if I were given this task. The usual disclaimer applies.

Step 1: Generate a list of the computer accounts of the domain (programmatically or by exporting the list from the Active Directory Users and Computers snap-in) and save the output to a text file (computers.ini, in this example). Add the login account of the user you are going to remove for each machine as shown (contents of computers.ini):



Step 2: The main script reads the list from computers.ini to be used as parameters (computer name and user name). Notice that the file is read in one go and the data stored in the array arrComputers. Each entry in the array is checked and passed to the RemoveAdmin sub procedure.


Step 3: Script the procedures. Three procedures are used in the script: RemoveAdmin, which is a sub procedure, and the sConvert and ping functions. The RemoveAdmin sub procedure queries the remote machine's local Administrators group and, if the user account (as defined in computers.ini) is found, removes it from the group.


The sConvert function will return a string depending on the code parameter passed. If code is set to "1," the value returned is the computer account whereas if it is set to "2," the value returned is the user account (note the Select Case section).

The ping function is self-explanatory. It checks if the machine is online and returns a Boolean value (true if online, false if otherwise).


This script must be run with an account that has administrative rights on the computers listed in computers.ini. If this script is run from a Windows Vista computer, ensure that elevated privileges are invoked (for example, by right-clicking the command-prompt shortcut and choosing "Run As Administrator").
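The three steps above were posted as images, so here is an added example, not the post's own script, that puts them together: the main loop that reads computers.ini in one go into arrComputers, the sConvert and ping functions, and the RemoveAdmin sub procedure. The file format is assumed to be one "computer,DOMAIN\user" pair per line (the original computers.ini was only shown as an image), and the group is assumed to be named Administrators, which holds for English installations.

```vbscript
' Added example: remove a per-machine account from the local Administrators group.
Option Explicit

Const INPUT_FILE = "computers.ini"   ' assumed format: computer,DOMAIN\user
Const FOR_READING = 1

Dim objFSO, objFile, arrComputers, strLine, i
Set objFSO  = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(INPUT_FILE, FOR_READING)
arrComputers = Split(objFile.ReadAll, vbCrLf)   ' whole file read in one go
objFile.Close

For i = 0 To UBound(arrComputers)
    strLine = Trim(arrComputers(i))
    If Len(strLine) > 0 Then
        If ping(sConvert(strLine, 1)) Then
            RemoveAdmin sConvert(strLine, 1), sConvert(strLine, 2)
        Else
            WScript.Echo sConvert(strLine, 1) & ": offline, skipped"
        End If
    End If
Next

' Returns the computer (code 1) or the user account (code 2) part of a line.
Function sConvert(strEntry, intCode)
    Dim arrParts
    arrParts = Split(strEntry, ",")
    sConvert = ""
    Select Case intCode
        Case 1: sConvert = Trim(arrParts(0))
        Case 2: If UBound(arrParts) >= 1 Then sConvert = Trim(arrParts(1))
    End Select
End Function

' True if the computer answers an ICMP echo. Win32_PingStatus exists on
' Windows XP and later, so the script itself must run on XP or newer.
Function ping(strComputer)
    Dim objWMI, colPings, objPing
    ping = False
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colPings = objWMI.ExecQuery("SELECT StatusCode FROM Win32_PingStatus " & _
                                    "WHERE Address = '" & strComputer & "'")
    For Each objPing In colPings
        If Not IsNull(objPing.StatusCode) Then
            If objPing.StatusCode = 0 Then ping = True
        End If
    Next
End Function

' Removes DOMAIN\user from the local Administrators group of strComputer if present.
Sub RemoveAdmin(strComputer, strAccount)
    Dim objGroup, objMember, arrAcct, strWanted
    arrAcct = Split(strAccount, "\")
    strWanted = "WinNT://" & arrAcct(0) & "/" & arrAcct(1)   ' ADsPath of the member

    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    If Err.Number <> 0 Then
        WScript.Echo strComputer & ": cannot bind to Administrators (" & Err.Description & ")"
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0

    For Each objMember In objGroup.Members
        If StrComp(objMember.ADsPath, strWanted, vbTextCompare) = 0 Then
            objGroup.Remove objMember.ADsPath
            WScript.Echo strComputer & ": removed " & strAccount & " from Administrators"
            Exit Sub
        End If
    Next
    WScript.Echo strComputer & ": " & strAccount & " is not a local administrator"
End Sub
```

Run it with cscript so the per-machine messages go to the console, and keep the output: the list of machines that were offline or refused the bind is exactly the list you will have to revisit.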

Tuesday, October 28, 2008

So I got PW3ND, now what? (MS08-067)

So the day went past with nary a trace of an outbreak. Good, no need to work long hours this round. Bad, no free pizza. Nonetheless, I came prepared. To wage battle. My weapon of choice? The usual arsenal -- my scripts, Sysinternals' tools, and a few resource kit tools comprising my rootkit toolkit.

The scenario played out here does not, in any way, mirror an actual incident. This is just a simulation and the actual malware may behave differently than what is described here.

First, I would look into the autostarting programs using Sysinternals autoruns. Notice the presence of N2.exe and winbaseInst.exe from the image shown:



This confirms that the computer is infected. Next, I fire up pslist to view a list of running processes (alternatively, I could use Process Monitor (procmon) in lieu of pslist). 



Here's a script which was done in a matter of minutes (scripting cosmetics will be applied later, time permitting). The main body of the script calls three procedures StopProcess(), CleanRegistry(), and DeletePayload(). The malware processes have to be stopped before the payloads and malware executables can be deleted.



The StopProcess() procedure will terminate the process passed as parameter. An array (arrstrproc) contains a list of the malware processes to be terminated.



The CleanRegistry() procedure will, in turn, remove the autostarting entries from the RUN key in the registry. Note that the parameter passed is trimmed of its file extension (".exe") before it is checked. If the string is found in the RUN key, the entry is deleted.


The DeletePayload() procedure will then delete all the malware payload and executables. Malicious DLLs, executables or batch files which are stored in the arrpayload array are passed as parameters to the procedure and are deleted.


A reboot is required; the script doesn't take care of this part. Leave something for the support guys like me to do.
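The script in this post was shown as images. As an added example, not the post's own code, here are the three procedures as described: StopProcess() terminates a named process, CleanRegistry() removes Run-key entries that mention the process name without its ".exe" extension, and DeletePayload() deletes the dropped files. The process names (N2.exe, winbaseInst.exe) and the files under System32\wbem are the ones reported in these posts; everything else (the exact Run key hive, the deletion order) is my choice for the example.

```vbscript
' Added example: stop the malware processes, then clean up autoruns and payloads.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const RUN_KEY = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Dim objWMI, objReg, objFSO, strSystem32, arrstrproc, arrpayload, i
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strSystem32 = objFSO.GetSpecialFolder(1).Path   ' 1 = SystemFolder (System32)

' Malware processes seen in autoruns/pslist in the post
arrstrproc = Array("N2.exe", "winbaseInst.exe")
' Dropped files reported in the post, all under System32\wbem
arrpayload = Array(strSystem32 & "\wbem\basesvc.dll", _
                   strSystem32 & "\wbem\syicon.dll", _
                   strSystem32 & "\wbem\winbase.dll", _
                   strSystem32 & "\wbem\winbaseInst.exe")

' Order matters: a running process keeps its image file locked.
For i = 0 To UBound(arrstrproc)
    StopProcess arrstrproc(i)
    CleanRegistry arrstrproc(i)
Next
For i = 0 To UBound(arrpayload)
    DeletePayload arrpayload(i)
Next
WScript.Echo "Done. A reboot is still required."

' Terminates every running instance of the named process.
Sub StopProcess(strProcess)
    Dim colProcs, objProc
    Set colProcs = objWMI.ExecQuery("SELECT * FROM Win32_Process WHERE Name = '" & strProcess & "'")
    For Each objProc In colProcs
        WScript.Echo "Terminating " & objProc.Name & " (PID " & objProc.ProcessId & ")"
        objProc.Terminate
    Next
End Sub

' Deletes any HKLM Run value whose name or data contains the process name
' with its ".exe" extension trimmed off.
Sub CleanRegistry(strProcess)
    Dim strNeedle, arrNames, arrTypes, strData, j
    strNeedle = strProcess
    If LCase(Right(strNeedle, 4)) = ".exe" Then strNeedle = Left(strNeedle, Len(strNeedle) - 4)
    If objReg.EnumValues(HKEY_LOCAL_MACHINE, RUN_KEY, arrNames, arrTypes) <> 0 Then Exit Sub
    If IsNull(arrNames) Then Exit Sub   ' key has no values
    For j = 0 To UBound(arrNames)
        objReg.GetStringValue HKEY_LOCAL_MACHINE, RUN_KEY, arrNames(j), strData
        If InStr(1, arrNames(j) & " " & strData, strNeedle, vbTextCompare) > 0 Then
            WScript.Echo "Removing Run entry " & arrNames(j) & " = " & strData
            objReg.DeleteValue HKEY_LOCAL_MACHINE, RUN_KEY, arrNames(j)
        End If
    Next
End Sub

' Deletes a dropped file if it exists (forced, in case it was made read-only).
Sub DeletePayload(strPath)
    If objFSO.FileExists(strPath) Then
        WScript.Echo "Deleting " & strPath
        objFSO.DeleteFile strPath, True
    Else
        WScript.Echo "Not found: " & strPath
    End If
End Sub
```

Before running it on a real incident, copy the dropped files somewhere safe for analysis; the script deletes them, and the sysmgr service entry the earlier post mentions is not touched here, so check it by hand.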

Monday, October 27, 2008

MS08-067 Face-off

In about 8 hours' time, I will be in the office (Monday was a public holiday where I come from), cautious, bearing in mind that malware exploiting the MS08-067 vulnerability could break through our defenses, if it hasn't yet. I have prepared a script to stop the malware services/processes, check for all the reported payload drop-offs, delete them if found, clean up the registry and what-not. Whatever the day turns out to be, I will be sharing my code in this blog. A busy day it will be.

Sleep comes hard when you know you have war to wage.

Sunday, October 26, 2008

MS08-067 Vulnerability : My Random Rundown

Background

The out-of-band patch released by Microsoft a couple of days back addresses a vulnerability caused by the Windows Server service not being able to handle malformed RPC (Remote Procedure Call) requests. The vulnerable component of the Server service is netapi32.dll (Net Win32 API DLL). The out-of-band update addresses the vulnerability by correcting the manner in which the Server service handles RPC requests.

On a computer running Microsoft Windows 2000, Windows XP or Windows Server 2003, an attacker who is able to exploit this hole could take control of a vulnerable system remotely, without any authentication (anonymously), and execute arbitrary code. The non-affected (patched) versions of netapi32.dll include 5.0.2195.7203 on Windows 2000 SP4 and 5.1.2600.5694 on Windows XP SP3; on Vista SP1 there are several 6.0.6000.xxxx versions (see KB958644 for details). This particular vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could gain system-level privileges (able to install programs; view, change, or delete data; or create new accounts with full user rights) and take complete control of the affected system. The relative attack surface on a Windows Vista or Windows Server 2008 machine is considerably smaller compared to the vulnerable versions mentioned earlier. On these two versions, the vulnerable code path is only accessible to authenticated users, hence it cannot be triggered if the attacker is not authenticated.
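The version numbers above give a quick way to tell whether a box has actually received the patch. As an added example (not part of the original post), the following script reads the file version of System32\netapi32.dll and compares it with the two patched versions the post lists; for any other OS/service-pack combination it only reports the version and points at KB958644, because the patched build numbers for those are not given here. The numeric version comparison is my own helper.

```vbscript
' Added example: check the installed netapi32.dll against the patched versions
' listed for MS08-067 (Windows 2000 SP4 and Windows XP SP3).
Option Explicit

Dim objFSO, objWMI, objOS, strDll, strVersion, strCaption, strSP, strPatched

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
strDll = objFSO.GetSpecialFolder(1).Path & "\netapi32.dll"   ' 1 = SystemFolder
strVersion = objFSO.GetFileVersion(strDll)
' Keep only the dotted number in case extra text follows it
If InStr(strVersion, " ") > 0 Then strVersion = Left(strVersion, InStr(strVersion, " ") - 1)

For Each objOS In objWMI.ExecQuery("SELECT Caption, CSDVersion FROM Win32_OperatingSystem")
    strCaption = "" & objOS.Caption
    strSP = "" & objOS.CSDVersion   ' Null when no service pack is installed
Next

strPatched = PatchedVersion(strCaption, strSP)
WScript.Echo "OS: " & strCaption & " " & strSP
WScript.Echo "netapi32.dll: " & strVersion

If strPatched = "" Then
    WScript.Echo "No patched version on record here for this OS/SP; see KB958644."
ElseIf CompareVersion(strVersion, strPatched) >= 0 Then
    WScript.Echo "OK: at or above patched version " & strPatched
Else
    WScript.Echo "VULNERABLE: below patched version " & strPatched & " - apply MS08-067"
End If

' Patched netapi32.dll versions as listed in the post (from KB958644).
Function PatchedVersion(strOS, strServicePack)
    PatchedVersion = ""
    If InStr(strOS, "2000") > 0 And InStr(strServicePack, "4") > 0 Then
        PatchedVersion = "5.0.2195.7203"
    ElseIf InStr(strOS, "XP") > 0 And InStr(strServicePack, "3") > 0 Then
        PatchedVersion = "5.1.2600.5694"
    End If
End Function

' Numeric, part-by-part comparison of dotted versions; returns -1, 0 or 1.
' A plain string compare would rank "5.1.2600.999" above "5.1.2600.5694".
Function CompareVersion(strA, strB)
    Dim arrA, arrB, i, a, b
    arrA = Split(strA, "."): arrB = Split(strB, ".")
    CompareVersion = 0
    For i = 0 To 3
        a = 0: b = 0
        If i <= UBound(arrA) Then a = CLng(arrA(i))
        If i <= UBound(arrB) Then b = CLng(arrB(i))
        If a < b Then
            CompareVersion = -1: Exit Function
        ElseIf a > b Then
            CompareVersion = 1: Exit Function
        End If
    Next
End Function
```

A file version check is only a proxy for patch state (a system with a pending reboot can still be running the old DLL in memory), so treat "OK" as "patched file present" rather than "no longer exploitable" until the machine has been restarted.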

Workaround

The security bulletin lists the following workarounds:

- Disable the Server and Computer Browser services
- Block TCP ports 139 and 445 at the firewall

However, implementing these may pose adverse effects on certain services (file and print sharing, for example) and applications that are dependent on the Server and Computer Browser services. Blocking TCP ports 139 and 445 at the firewall may also cause applications and services (Net Logon, Group Policy, DFS, to name a few) to not function properly, if at all.

Malware Exploiting the MS08-067 Vulnerability

Here's a list of the reported malware as detected by some of the more popular antivirus programs:

Authentium - W32/Gimmiv.A
CA - Win32/Gimmiv.A
Dr.Web - DLOADER.PWS.Trojan
F-Secure - Trojan-Spy:W32/Gimmiv.A
McAfee - PWS.y!C91DA1B9
Microsoft - TrojanSpy:Win32/Gimmiv.A[.dll]
Microsoft (exploit) - Exploit:Win32/MS08067.gen!A
Panda - Gimmiv.A
Sophos - Sus/Dropper-A
Symantec - Trojan.Gimmiv.A
Trend Micro - WORM_GIMMIV.A

The malware's payload tries to gather the following information:

* User Name
* Computer Name
* Network Adapters / IP Addresses
* Installed COM objects
* Installed programs and installed patches
* Recently opened documents
* Outlook Express and MSN Messenger credentials
* Protected Storage credentials

With a reported "call-home" capability, the malware contacts a remote web server with the information extracted. A more detailed description of this capability is given in the Analysis section for the malware in the Microsoft Malware Protection Center. Note that the malware encrypts the data sent back to the remote web server with AES before dropping a batch file that deletes the malware service and deletes itself from the affected system.

Changes to the File System and Registry

The malware modifies the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr registry key. It also downloads the files basesvc.dll, syicon.dll, winbase.dll and winbaseInst.exe to the System32\wbem folder. These files are deleted after the malware has completed its run and reported back to the remote web server.

Friday, October 24, 2008

MS08-067 Exploit Out in the wild

Here is some information regarding some working MS08-067 exploits:
=============================================


TrojanSpy:Win32/Gimmiv.A.dll
Also Known As:
DLOADER.PWS.Trojan (Dr.Web)
Summary
TrojanSpy:Win32/Gimmiv.A.dll is a trojan that gathers system information from the host computer on which it is installed. The trojan runs as a service for a short time and may delete itself after performing its data gathering routine.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
=============================================

TrojanSpy:Win32/Gimmiv.A
Also Known As:
DLOADER.PWS.Trojan (Dr.Web)
Summary
TrojanSpy:Win32/Gimmiv.A is a trojan that gathers system information from the host computer on which it is installed. The trojan may delete itself after performing its data gathering routine.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
=============================================

milw0rm Exploit:

http://www.milw0rm.com/exploits/6824
http://milw0rm.com/sploits/2008-ms08-067.zip
=============================================

And here's Alex Sotirov's decompilation of the vulnerable function addressed by MS08-067:

http://www.phreedom.org/blog/2008/decompiling-ms08-067/

Out-of-Band Microsoft Patch (MS08-067) Released

I had to rush back from the TechFest HOLs earlier in the afternoon due to the Out-of-Band security update from Microsoft (MS08-067) which needed to be pushed to all of our machines in view of its criticality and the proliferation of exploits in the wild. Here are the contents of the email from CERT:

Original release date: October 23, 2008

Overview
Microsoft has released updates that address a vulnerability in Microsoft Windows 2000, Windows XP, and Windows Vista.  A vulnerability in the way the Microsoft Windows server service handles RPC requests could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM privileges.

Description
A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system to crash. Since the Server service runs with SYSTEM privileges, an attacker could take complete control of a vulnerable system. 

Microsoft has released Microsoft Security Bulletin MS08-067 to address a buffer overflow vulnerability in the Windows Server service.  The vulnerability is caused by a flaw in the way the Server service handles Remote Procedure Call (RPC) requests.  For systems running Windows 2000, XP, and Server 2003, a remote, unauthenticated attacker could exploit this vulnerability.  For systems running Windows Vista and Server 2008, a remote attacker would most likely need to authenticate. 

Microsoft Security Bulletin MS08-067 rates this vulnerability as "Critical" for Windows 2000, XP, and Server 2003. The bulletin also notes "…limited, targeted attacks attempting to exploit the vulnerability." 

This vulnerability has been assigned CVE-2008-4250. Further information is available in a Security Vulnerability & Research blog entry and US-CERT Vulnerability Note VU#827267.

Impact
A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system to crash. Since the Server service runs with SYSTEM privileges, an attacker could take complete control of a vulnerable system.

References
US-CERT Vulnerability Note VU#827267 -  
US-CERT Technical Cyber Security Alert TA08-297A -
Microsoft Security Bulletin MS08-067 -  
Microsoft Security Response Center (MSRC) -

Saturday, September 13, 2008

CERN Website Defaced

Remember the Large Hadron Collider? It was earlier thought by some loonies that turning this on will disrupt the space-time-continuum, or whatever scientific thingamajig that was, and will result in a black hole ripping through earth and causing all life to disintegrate past its event horizon. Well it turns out the whole end-of-days cataclysm scenario was a dud.

Now guess what? Some so-called GST (Greek Security Team) hackers defaced CERN's website (CERN operates the LHC). Gizmodo reported that the hackers got in so deep, say reports, that they were "one step away" from cracking into the computer control system of one of the LHC's "detectors."

I've yet to see the mirror of the defaced page on Zone-H, but I guess score one for the hackers this round. I wonder what vulnerability these boys exploited to compromise the server hosting the website. I'm keeping an eye on this.