Showing posts with label malware. Show all posts

1.16.2008

Nasty Idea of the Night: Bittorrent "Worm"

It's been a while, but then again, it's always been a while, but I digress.


So a nasty idea popped into my head tonight. Imagine attacking a BitTorrent swarm by finding a buffer overflow in the client software: each compromised host checks its peer list and compromises all of those peers as well. For extra nastiness, have the payload also check the host for other torrents and send the exploit to the peers in those swarms too.

Interesting points:
  • Could move incredibly fast.
  • Complicated by the split between client vulnerabilities and protocol vulnerabilities. A single exploit is unlikely to work universally across every client in a swarm. 
  • Price the RIAA would pay for such a thing? *What's the keystroke for infinity*
  • Tracker vulnerabilities.
Just a random thought. More to come.
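The worm above lives or dies on how the client parses what peers and trackers hand it (the peer list in particular), so the parsing code is where the "client vulnerability" half of the problem sits. Below is an added example, not code from this post or from any BitTorrent client: a Python bencode decoder for a tracker response that refuses malformed input (a length prefix longer than the data, absurd lengths, deep nesting, bad integers) instead of over-reading, plus extraction of the compact peer list. The tracker response bytes are constructed by hand and the peer addresses are documentation ranges.

```python
"""Defensive bencode decoding of a BitTorrent tracker response.

Added example, not code from the original post. The tracker response
below is constructed by hand; the peer addresses are documentation ranges.
"""
import struct

MAX_DEPTH = 32          # nested lists/dicts tolerated before giving up
MAX_STRING = 1 << 20    # refuse huge length prefixes before allocating


class BencodeError(ValueError):
    """Raised for any malformed input instead of crashing or over-reading."""


def _decode(data, pos, depth):
    if depth > MAX_DEPTH:
        raise BencodeError("nesting too deep")
    if pos >= len(data):
        raise BencodeError("truncated input")
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.find(b"e", pos)
        if end == -1:
            raise BencodeError("unterminated integer")
        text = data[pos + 1:end]
        digits = text[1:] if text[:1] == b"-" else text
        if (not digits.isdigit() or (len(digits) > 1 and digits[:1] == b"0")
                or text == b"-0"):
            raise BencodeError("malformed integer")
        return int(text), end + 1
    if c == b"l":                                   # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = _decode(data, pos, depth + 1)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                   # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = _decode(data, pos, depth + 1)
            if not isinstance(key, bytes) or key in result:
                raise BencodeError("bad or duplicate dict key")
            value, pos = _decode(data, pos, depth + 1)
            result[key] = value
        return result, pos + 1
    if c.isdigit():                                 # string: <len>:<bytes>
        colon = data.find(b":", pos)
        raw = data[pos:colon]
        if colon == -1 or not raw.isdigit():
            raise BencodeError("malformed string length")
        length = int(raw)
        if length > MAX_STRING:
            raise BencodeError("string length too large")
        start, end = colon + 1, colon + 1 + length
        if end > len(data):                         # the classic over-read bug
            raise BencodeError("string length exceeds input")
        return data[start:end], end
    raise BencodeError("unexpected byte %r at %d" % (c, pos))


def decode(data):
    value, end = _decode(data, 0, 0)
    if end != len(data):
        raise BencodeError("trailing data after value")
    return value


def parse_compact_peers(blob):
    """Compact 'peers': 6 bytes per peer, 4 of IPv4 then a big-endian port."""
    if len(blob) % 6:
        raise BencodeError("compact peer list not a multiple of 6 bytes")
    return [(".".join(str(b) for b in ip), port)
            for ip, port in struct.iter_unpack(">4sH", blob)]


def peers_from_tracker_response(data):
    resp = decode(data)
    if not isinstance(resp, dict):
        raise BencodeError("tracker response is not a dict")
    if b"failure reason" in resp:
        raise BencodeError("tracker failure: %r" % resp[b"failure reason"])
    peers = resp.get(b"peers")
    if isinstance(peers, bytes):
        return parse_compact_peers(peers)
    if isinstance(peers, list):                     # non-compact: list of dicts
        out = []
        for p in peers:
            if not (isinstance(p, dict) and isinstance(p.get(b"ip"), bytes)
                    and isinstance(p.get(b"port"), int) and 0 <= p[b"port"] <= 65535):
                raise BencodeError("malformed peer entry")
            out.append((p[b"ip"].decode("ascii", "replace"), p[b"port"]))
        return out
    raise BencodeError("missing or malformed 'peers'")


def is_rejected(data):
    """True when the decoder refuses the input cleanly."""
    try:
        decode(data)
    except BencodeError:
        return True
    return False


def _peer(ip, port):
    return bytes(int(o) for o in ip.split(".")) + struct.pack(">H", port)


# Constructed tracker response: {"interval": 1800, "peers": <2 compact peers>}
SAMPLE_RESPONSE = (b"d8:intervali1800e5:peers12:"
                   + _peer("192.0.2.10", 6881) + _peer("198.51.100.7", 51413)
                   + b"e")

if __name__ == "__main__":
    print(peers_from_tracker_response(SAMPLE_RESPONSE))
    for bad in (b"d5:peers99999:abce", b"l" * 100 + b"e" * 100, b"i-0e"):
        print(bad[:20], "rejected" if is_rejected(bad) else "ACCEPTED")
```

The interesting case is the string length prefix: a peer or tracker that claims 99,999 bytes and sends four is exactly the sort of input a careless C client copies into a fixed buffer. Here every length is checked against the remaining input before any bytes are touched.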

8.18.2007

Love, as they say, is dangerous.

As mentioned previously (and in a Defcon debriefing post that I have yet to actually publish), I've been looking into malware analysis and reverse engineering lately. There is still so much to learn, but what humble little I have learned has whetted my appetite for something more hands-on.

By the way, I have finally discovered and fallen in love with Eldad Eilam's book, Reversing: Secrets of Reverse Engineering. Its 624 pages have a good balance of breadth and depth, and though I haven't finished it from cover to cover yet, I am already jumping the gun and recommending it to anyone interested in reversing. As the book has a good amount of assembly code, some background knowledge is advised, unless you're the type who likes to be inundated with information about things you can just barely understand, like doing 0 to 60 in 3 seconds flat.

At any rate, in my quest to look for something to analyze, I discovered that one easily accessible treasure trove of malware and fishy (phishy! sorry, that was punny) sites is my spam folder... which is where I found this one:



"I`m in hurry, but i still love you...?" Aw, I feel the warm fuzzies! Especially when said ecard (which has JavaScript code running in the background, so I don't recommend going to this link unless you know what you're doing) looks something like this...



Humor aside, I am somewhat surprised by the sloppy effort of the attempt, especially when simple copy-pasting could have made it somewhat more convincing. This was obviously not a particularly brilliant example of social engineering technique, but it was entertaining nevertheless.

5.01.2007

The AdSense You May Not Know

Google's AdSense (yes, the advertising medium that internet users love to hate) has come into the spotlight this past week for some interesting 'interpretations' various advertisers are using. Turns out, the powerhouse advertising medium leads a double (perhaps triple) life. These deviations have been both to the benefit and to the hindrance of the internet community.

On the lighter side of things, the guys at TorrentFreak devised a way to use AdSense to help limit the spread of malware. They took up advertising space on a site that hosted a malware-infested BitTorrent client, but instead of advertising a product, they posted a warning about the very site the ad was on. These sites would end up with an ad specifically stating that their product puts malware on the user's machine. The group over at TorrentFreak estimates that they prevented about 1,000 users from downloading the malware, while admitting all along that the hosting sites were making money off the effort... they were still ads, after all.

On the darker side of things, Roger Thompson over at the Exploit Prevention Labs blog highlights how malware creators are using Google's advertisements for their benefit as well. Definitely click over and read the article, very interesting stuff. The gist of it, however, is that what you think you are clicking on may not be what you get. Turns out, some ads are masquerading as legitimate sites (e.g. the Better Business Bureau), so when you click on them they first pass you through an exploit of their choice, then forward you on to the site you wanted. The process is completely transparent, leaving the user oblivious to what just happened. Roger made a video of this here. (For those of you who are curious, Google has apparently taken down some of the main offenders recently.)
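The tell in the attack Roger describes is the click-through chain: the ad displays one site, the user ends up on that site, but the redirects in between pass through a host that has no business being there. As an added example (not code from this post or from Exploit Prevention Labs), the Python below follows an ad click's redirect chain, compares the landing site with the displayed URL, and flags any intermediate host that is neither the ad network nor the destination. It runs offline against a constructed table of fake HTTP responses; all host names (ads.example, trk.example, cdn-update.example, www.bbb.example, www.shop.example) are made up, and the ad-network allowlist is an assumption a real deployment would have to maintain.

```python
"""Follow an ad's click-through redirect chain and flag off-path detours.

Added example, not from the original post. FAKE_WEB stands in for HTTP
responses so this runs offline; every host name in it is made up.
"""
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed responses: url -> (status, Location header or None).
# Click 17 lands on the advertised site, but only after a detour through
# an unrelated host; click 18 is a clean chain; click 19 loops forever.
FAKE_WEB = {
    "http://ads.example/click?id=17": (302, "http://trk.example/r?u=www.bbb.example"),
    "http://trk.example/r?u=www.bbb.example": (302, "http://cdn-update.example/x.php"),
    "http://cdn-update.example/x.php": (302, "http://www.bbb.example/"),
    "http://www.bbb.example/": (200, None),
    "http://ads.example/click?id=18": (302, "http://trk.example/r?u=www.shop.example"),
    "http://trk.example/r?u=www.shop.example": (302, "http://www.shop.example/landing"),
    "http://www.shop.example/landing": (302, "/"),          # relative Location header
    "http://www.shop.example/": (200, None),
    "http://ads.example/click?id=19": (302, "http://ads.example/click?id=19"),
}

# The ad network's own hosts (constructed allowlist); hops through these are expected.
AD_NETWORK_HOSTS = {"ads.example", "trk.example"}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET that returns (status, Location)."""
    return FAKE_WEB.get(url, (404, None))


def site(url):
    """Crude registrable domain: the last two labels. Assumes no multi-label
    public suffixes; a real tool would consult the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def follow_chain(start, fetch, max_hops=10):
    chain, url = [start], start
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return chain
        url = urljoin(url, location)            # Location may be relative
        if url in chain:
            raise RuntimeError("redirect loop at %s" % url)
        chain.append(url)
    raise RuntimeError("more than %d redirects" % max_hops)


def analyse_click(display_url, click_url, fetch=fake_fetch):
    """Compare where the ad says it goes with where the click actually travels."""
    chain = follow_chain(click_url, fetch)
    landing = site(chain[-1])
    detours = [u for u in chain[:-1]
               if site(u) != landing and site(u) not in AD_NETWORK_HOSTS]
    return {
        "chain": chain,
        "lands_where_shown": landing == site(display_url),
        "detours": detours,                     # hosts with no business in this chain
        "suspicious": bool(detours),
    }


def chain_terminates(click_url, fetch=fake_fetch):
    try:
        follow_chain(click_url, fetch)
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    print(analyse_click("http://www.bbb.example/", "http://ads.example/click?id=17"))
    print(analyse_click("http://www.shop.example/", "http://ads.example/click?id=18"))
    print("click 19 terminates:", chain_terminates("http://ads.example/click?id=19"))
```

Note that "lands where shown" is true for both clicks; judging an ad by its final destination alone is exactly what lets the drive-by hop go unnoticed. The detour list is what matters, and in a real crawl the flagged intermediate page is the one to pull into a sandbox.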

Though it probably shouldn't, it does intrigue me how the same medium can be used for both the benefit and the detriment of the internet community.

4.09.2007

Introduction to Malware Analysis

From JST at Offensive Computing:

I have a folder (just over 300 megabytes/927 files), which contains a lot of malicious software. I uploaded it in case anybody wants to analyze it, or if anybody from anti-virus companies wants to detect it. A lot of it is already detected, but some of it is detected by some anti-viruses but not detected by others. There are all types of executable files, pif/exe/scr etc and also some .jpg/.zip which are really executable files renamed. There are also some HTML files, but a lot of those can just be ignored. Well I uploaded it all anyway.

The password for the rar file is "malware"
http://www.megaupload.com/?d=KE19T9DI

As someone interested in learning malware analysis this is a treasure trove of potential examples. Theory is great, and I love reading a good book, but having a third of a gig of applications to rip apart and find the nastiness really calls out to my "learn by doing" mindset.

I really enjoy the Offensive Computing site. These folks are really dedicated to what they do and have a ton of resources about their chosen specialization. So give their site a read, download their malware, and send me an email to compare notes.
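The quoted note points out that the archive mixes pif/exe/scr files with .jpg and .zip files that are really renamed executables, so the first pass over any such folder should trust the bytes rather than the names. As an added example (not code from this post or from Offensive Computing), the Python below identifies files by their leading bytes, checks the MZ header's e_lfanew pointer for a real PE signature, and reports any executable wearing a harmless extension or any file whose content contradicts its extension. The SAMPLES are tiny hand-constructed headers, not real malware; triage_dir is there for pointing at an actual corpus folder.

```python
"""Find executables hiding behind harmless-looking extensions in a corpus.

Added example, not code from the original post or from Offensive Computing.
SAMPLES are tiny hand-constructed byte strings that mimic file headers;
none of them is real malware.
"""
import os
import struct

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".cpl", ".sys"}
# What each non-executable extension claims, in terms of what sniff() returns.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".zip": "zip", ".rar": "rar",
            ".pdf": "pdf", ".htm": "html", ".html": "html"}


def sniff(data):
    """Identify a file by its leading bytes, never by its name."""
    if data[:2] == b"MZ":
        # PE files store the offset of the "PE\0\0" signature at 0x3C (e_lfanew).
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-dos"                 # DOS stub only, or a truncated PE
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return "rar"
    if data[:4] == b"%PDF":
        return "pdf"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script", b"<iframe")):
        return "html"
    return "unknown"


def verdict(name, data):
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    if kind in ("pe", "mz-dos"):
        return "ok" if ext in EXECUTABLE_EXTS else "disguised-executable"
    if ext in EXPECTED and kind != EXPECTED[ext]:
        return "extension-mismatch"     # e.g. a .jpg that is actually HTML
    return "ok"


def triage(files):
    """files: {name: bytes}. Returns {name: verdict}."""
    return {name: verdict(name, data) for name, data in files.items()}


def triage_dir(root):
    """Walk a real corpus folder; reads only the first 4 KiB of each file."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as f:
                found[path] = verdict(path, f.read(4096))
    return found


# Minimal PE header: "MZ", e_lfanew = 0x40, and "PE\0\0" at offset 0x40.
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"

SAMPLES = {
    "invoice.exe": FAKE_PE,                                 # honest executable
    "holiday.jpg": FAKE_PE,                                 # renamed executable
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,          # real JPEG header
    "archive.zip": FAKE_PE,                                 # renamed executable
    "real.zip": b"PK\x03\x04" + b"\0" * 26,
    "card.scr": FAKE_PE,                                    # .scr is an executable
    "page.html": b"<html><body>hi</body></html>",
    "pic.jpg": b"<script>document.location='x'</script>",   # HTML posing as a JPEG
}

if __name__ == "__main__":
    for name, v in triage(SAMPLES).items():
        print("%-14s %-8s %s" % (name, sniff(SAMPLES[name]), v))
```

Run triage_dir against the unpacked folder and sort the output by verdict; the "disguised-executable" entries are the ones the note is warning about, and the "extension-mismatch" group catches the HTML files that were saved with image extensions.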